A Conversation on Cybersecurity with NSA’s Rob Joyce

Captions
Jim: Thanks to everyone who came to CSIS, and thanks to the audience online for coming to listen to Rob Joyce. We're lucky to get Rob. Thank you for making the time to come here. It's coming from a bigger venue, so this is a little cozier, but we're going to talk about any number of things. I'm going to start by asking about NSA's sort of new posture when it comes to cybersecurity, which I think is really interesting, and we will have time for audience questions. If you're online, I think there's a button that you can submit a question on. If you're in the room and you want to raise a question, raise your hand and we'll give you a card. We do filter the questions. Oh, and if you're doing it on the card, please write legibly. I can't read anymore. It's not clear I could ever read, but if I mangle your question, it's your fault. With that, Rob, how long have you been at NSA?

Rob Joyce: So first, Jim, thanks for hosting us here. Appreciate it. 34 years.

Jim: Wow. So you came straight out of college. Lifer.

Rob Joyce: Yeah, I have been a lifer, and that's not unusual for NSA. You know, the mission is spectacular. The ability to just work with really smart people and work on hard, meaningful problems keeps people there. So it's great.

Jim: Did you see an uptick in recruitment with the downturn in the tech sector? I know there was some hope of that.

Rob Joyce: We've gotten some uptick. What I would say is we got some people of an experience level we didn't often see, so we're seeing mid-career people looking to come to, one, the stability, but two, also the opportunity to come into the intel community.

Jim: Well, that's great. So one of the things I wanted to touch on was, NSA really has a new approach to cybersecurity. I was thinking about it this morning that it used to be that NSA stood for, you know, No Such Agency. Now you're so public. What's changed?

Rob Joyce: Yeah, well, it's a recognition that we have intelligence capabilities that are vital to the defense of cyberspace. Industry owns and operates most of the digital landscape, and if we can't figure out how to take the things we understand from that foreign intelligence mission, reaching into adversary space and pulling down threats, tools, tradecraft, and information about those operations, and get them to the people who can do something about it, we're not very effective.

Jim: Right. So it's no good if we know something if we don't do something about it. So an Asian diplomat this morning asked me, what did America mean when we say active defense? When we say active defense, what does it mean to you? I gave him an incoherent answer, so I hope you can do better.

Rob Joyce: So it means a lot of things, but the way I would describe active defense, I'll give you a soccer or football example. You know, if you give somebody unlimited balls and they get to sit outside the goal and just kick and kick and kick, and the goalie's got to stop kick after kick, eventually they're going to score. And the idea behind active defense is you're going to use tools and capabilities to make sure they don't get to do that unimpeded. So you're going to play defense. Some of that is deterrence by denial: you're going to work on your defense so that we do the things we know we're supposed to do, the basics, patching, two-factor, all of the things, you know, the new buzzword of zero trust. But there's also an element of you've got to go forward at the enemy, just like in the sports analogy, you know, some of that is taking it down the field. And so for active defense, one of the things is that public posture of NSA taking the tools and infrastructure from adversaries and outing those with the help of industry, so that all of us work together to take away those capabilities. So those are pieces. There certainly is the element of Cyber Command may go in there and take active operations that remove infrastructure capability, but they also go out and do hunt forwards, where, at the invitation of other governments, they come in and look for malware and then take those things out, helping to cleanse that network but also then expose the tradecraft, the infrastructure, and the tools that they found in it.

Jim: How much of the activity we see is usually routed through a Western intermediary? So you're in Russia, you use a Western cloud service, a European server farm. How much of that is going on?

Rob Joyce: It is almost nonexistent that a hacker comes straight from one of the, you know, the big four nations, Iran, North Korea, Russia, China. Most companies will have the filters and the firewalls to understand that that event is at best suspicious, at worst, you know, malicious, and you just need to stop it immediately. But what we find is often adversaries are now renting servers, often through fake identities, to come in and emerge from a reasonable cloud hosting VPS location, or they're hacking devices, they're compromising things inside our wire, inside the fence line, so that, you know, they make a couple of hops and then they pop out with a US IP address and they come to do the attack with what is reputationally better indicators.

Jim: So how much of this concerns supply chain trustworthiness? Where does that fit into your equation?

Rob Joyce: I think we've got a number of examples. You know, you can think of SolarWinds and examples like that, where compromise of a trusted device will get you access to a number of things. We saw what industry reported as the North Koreans in the 3CX IP phone compromise, where they trojanized and went ahead and put malware into an update that an unsuspecting business would download, in theory to make themselves more secure, and open the back door. So that's got to be part of the threat model for organizations and entities. That's why you hear about the defense in depth concepts that people are pushing out now, so that when you assume you've lost trust in a device or a user or something along those lines, it doesn't compromise the entire system.

Jim: And I should note my second to last question is about TikTok, but I'll lull all of them into a false sense of security before I ask it. I thought the buzzword of the week was resilience, and I can't keep up. DOD keeps adding a word in front of deterrence, like integrated deterrence, vegetarian deterrence, whatever, that resilience has taken the place of.

Rob Joyce: So resilience is certainly a word that you want to have. I don't care if you're an individual, a corporation, or a government, right? If you can't be resilient to the threat... A good example is, you know, people talk about phishing links, and that if you click on the link, that you've got to train your users not to click on suspicious links. I'm the cybersecurity director at NSA, right? You could craft an email to me that would get me absolutely to click on that link, right? You just have to do a little bit of research and maybe come at me several different tries, but eventually I'm going to click one of those links. So that means you've got to design your architecture to assume the humans are human and that bad things will happen, to build that resilience into your model.

Jim: One of the concerns that has been expressed about things like ChatGPT is they're going to do a lot better at designing phishing messages.

Rob Joyce: I absolutely believe that. So people have gone across a scale of, you know, how worried should they be about ChatGPT. I will tell you the technology is impressive, right? It is really sophisticated. Is it going to, in the next year, automate all of the attacks on organizations? Can you give it a piece of software and tell it to find all the zero-day exploits for it? No. But what it will do is it's going to optimize the workflow. It's going to really improve the ability for malicious actors who use those tools to be better or faster, and in the case of the malicious foreign actors, it will craft very believable, you know, native-language English text that could be part of your phishing campaign, or your interaction with a person, or your ability to build a backstory, all the things that will allow you to do those activities, or even online influence, right? That's going to be a problem. So is it going to replace hackers and be this super AI hacking? Certainly not in the near term, but it will make the hackers that use AI much more effective, and they will operate better than those who don't.

Jim: That's great. I told you I was going to ask you about the Cybersecurity Collaboration Center, which I think you had me out to when it was brand new. How's it going? What's the intent behind it?

Rob Joyce: It's going great. So the intent is to operationalize the things we know with the people who could do something about it. So we have a center that is mostly unclassified but still has a classified portion to it, and what it does is it lets us interact with industry. I mentioned earlier, you know, they run and operate the internet, they run and operate the tools and capabilities that we all rely on. So if we can take and understand a threat and get it to that ecosystem at an unclassified level, and that's the key, because if I give a company a secret at a classified level, most of the time, even if the person receiving it is able to receive it at that level, the people who action it aren't, and we can't have it in the ecosystem and execute on it. But what we work hard at is getting those secrets sanitized to the point they can be actioned. And we don't just throw it over the fence. That's the lesson learned from a few years ago. We used to take things we knew and pass it through intermediaries, whether it's other government agencies or the industry partners. What we do now is we put two analysts together, so that what we know out in foreign space is married with the expertise they know going on in their network, and those two will iterate and be able to do things neither is going to do alone. So, you know, when I take Russian tradecraft injected into that discussion, they may protect a billion endpoints against that Russian tradecraft, right? And so now critical infrastructure, government, even us as individuals are all protected against that tradecraft. But the company also brings back to us other things associated with that that we never would have seen, because it lives in their ecosystem. They bring it back, and that makes us more effective at going and researching the next threat.

Jim: That's kind of a different approach to intelligence. It's not the old-style signals intelligence.

Rob Joyce: Right, it's very different. What we know is not nearly as secret as how we know it, and we never unbundled that in the past, and that's really kind of the mindset change with the Cybersecurity Collaboration Center.

Jim: So I was going to ask what data has been most useful in these exchanges. What do the other people want to hear, and what are you telling them?

Rob Joyce: So for us, when we talk classified to classified, the most useful thing is context. There's so much bad stuff out there in the ecosystem that these companies often don't know what to focus on, and so if we can point to something and explain in a classified exchange why it's a bad thing and why they need to care, then all of us can work in the unclassified space about the things we know about infrastructure and IPs and domains and tradecraft and malware examples and things like that. So that's one example. The second, beyond classified context, is just the start point for something that's malicious. And, you know, if we can give the tip of where the analytics need to focus, and then we both continue to unwind that ball of string, it gets to the outcomes that then illuminate the bad activities. One thing we've found is we can work with one company one-on-one, they can bring their unique understanding, their intellectual property, or their perspective to the problem, and then they publish the blog that then illuminates all of the activity they know about, and then industry dogpiles onto that and continues to tear that threat up. And that's really a beautiful cycle to watch, where it starts from an intel threat to a company that just grabs the adversary hard, and then the whole community piles on and pulls it apart.

Jim: So this is really an unclassified activity, and that's really interesting. So NSA had something called, I forgot what it was, an Enduring Security Framework. I don't know if you still have it.

Rob Joyce: We do, we do.

Jim: Yeah, how's it going? It was like CIOs or CEOs, it was pretty senior.

Rob Joyce: It's CEOs. We get together in a public-private partnership. It's NSA and CISA, and we pick an activity to focus on. So some of the work that's been going on in the last year, there's a series about 5G cloud security. What people often don't recognize is when you want to do 5G security, you're really talking about the concepts of securing a cloud, because that's how the architecture is broken down. And we took telecommunications companies, high-tech vendors, brought them together with the government threat expertise, and put out a series of how you architect 5G for security. We're now working on Open RAN as well and a few other topics. So those are long-term joint government and industry security efforts.

Jim: What's the difference between the Collaboration Center and ESF?

Rob Joyce: ESF lives in the Collaboration Center.

Jim: Okay.

Rob Joyce: So it is a piece of that. The difference is, usually when I think of the work of the Collaboration Center, they're very focused on those threats, the threat actors, and how do we give the threat actors a bad day.

Jim: So the new national strategy had a fair amount about securing the cloud in it. I mean, what would you suggest, or what needs to be done? And it gets a mixed review when you talk to people who are customers, that some are secure, some could maybe be better.

Rob Joyce: Yeah, I think the current push for secure by design is something we've got to apply to the cloud, right? And it starts with, I'd say, secure by default. For a number of years, if you were going to spin up a cloud instance, it was often optimized for ease of use rather than optimized for security, and you had to be knowledgeable enough to lock down the components that made you actually more secure. Companies are getting better about the default being more secure, but we're not all the way there.

Jim: How does O-RAN change your business? Because it's going from, I was at a briefing a few days ago where they said that telecom is the last industry to really move from hardware to software, but they are doing it. So how does that change your business?

Rob Joyce: Reluctantly, I might add. But yeah, I'm kidding. O-RAN is meant to, for those of you that don't know, O-RAN is the open radio access network. So at the edge of your cellular networks, on those towers, is the radio portion that's going to carry the signals from your cell phone to the tower, and often, you know, the big providers would deliver something that's integrated from the antenna all the way to the whole switching fabric of the network. Open RAN is intended to kind of decouple the radio from all of the other stuff, with the intent to allow more competition in that back end, to allow essentially, you know, cloud computing folks to participate in the cellular networks. And so the effort is to decouple those. You know, you saw us talk about the cloud security guidance. So between those two pieces, what we're trying to do is set the West up to have options that are not Huawei options, that are affordable, supportable, and economically viable for the West to choose. There are good solutions out there, but when you go to a foreign country and they're looking at the bids and there's a subsidized bid from Huawei against, you know, technology you can trust, you've got a really hard dilemma. What we're trying to do is offer technology they can trust at a level that competes more affordably.

Jim: Sometimes when you talk to the big telcos, they'll say that O-RAN isn't ready for prime time. Do you have a guess on when it might be? And they say scalability, reliability, because they can't be like certain software companies and have blue screens of death.

Rob Joyce: Yep.

Jim: Because their customers will flee. We've made it easy to move. What's the timeline for you when you talk about O-RAN?

Rob Joyce: Yeah, there's O-RAN trials going on right now, and I think those are the key to getting that reliability. So the hope is the major companies investing in this and driving them to a security level they need, a reliability level they need, and a capacity will push that timeline, right? And all of them say they're going to use it. No one has said O-RAN isn't real, but it's more a question of when does it get here.

Jim: What would you do to improve collaboration with industry, both as a government and as an agency?

Rob Joyce: Yeah, so we're on that path. Our Collaboration Center is that experiment. We started with one company a little over two years ago. We're at 300 that we interact with, many of them on a daily basis in this analytic exchange. 100 percent voluntary, right? They come because we deliver something that they find protects their customers, their networks, their brand, their reputation. Some are there for altruistic reasons, right? They want to help make the internet more secure, but in reality most of them are motivated because it helps their business. So that's one thing we've found is we're getting this willing set of, you know, folks that can make a difference. So what we've got to do is we've got to continue getting faster at being able to take the things that are sensitive and get them into the operational space, and today that's still a pretty manual process. And so that's where we're headed, is how do we take some amount of that secret intelligence and have it automatically flow at the speed of cyber, because that's really where we've got to be.

Jim: Yeah, and that's surprising, because I heard that one before. One of the questions I was going to ask about was the division of labor with CISA. At the start, back in the Stone Age of cybersecurity when it was NPPD, tensions could exist between the two agencies, but it seems to be going pretty smoothly now. How does the work relationship with CISA...

Rob Joyce: Yep. So like anything, it's never perfect, but we are in a great space. You look at CISA, I don't envy Director Easterly and the CISA team with the size of their mandate, right? They have all of the federal civilian agencies, but more importantly they have the critical infrastructure of the nation, and even the forward-facing, how do I think about making the ecosystem more secure. So that's a massive remit. I have a smaller segment, where we do that intelligence production against foreign threats. We work national security systems, so any system that carries classified information or is a warfighting system, those are things that we work on the security of. In the case of encryption, we develop and certify all the encryption for the nation. And then we have this defense industrial base focus, and that we leverage out into the ecosystem through the sharing: those big companies that protect the Defense Department are the same ones that protect the banks and the government and others. So I can be more narrow and more focused. CISA has the big piece, but our intelligence goes into CISA, we partner. You see, one of the things we've done a lot of is advisories, where there'll be CISA, NSA, FBI, and increasingly second and third parties in there, where we talk about an ongoing threat, an activity that we're trying to address. And so that unified voice pushes us along in the protections we can offer, and that partnership is so much more aligned than it's ever been.

Jim: I'm going to depart from the script for a minute, but because you brought up FBI, this is your chance to give a 702 plug, a FISA plug.

Rob Joyce: Sure.

Jim: I think it's going to be tougher this time.

Rob Joyce: Everyone does, yep. So FISA Section 702 is up for renewal this year, and it is a vital source of intelligence. It is an authority that lets us do collection against a known foreign entity who chooses to use US infrastructure, and so it makes sure that we don't afford the same protections to those foreign malicious actors who are on our infrastructure as we do the Americans who live here. And so I can't do cybersecurity at the scope and scale we do it today without that authority. And so we'll be working hard, you know, with Congress, with the administration, with our partners at FBI and others, DOJ, to figure out how we get 702 reauthorized. It's really vital.

Jim: Well, I was going to ask you what you thought of the new national strategy, but of course you have to say it's great.

Rob Joyce: It is.

Jim: Do you have a favorite pillar?

Rob Joyce: I am fond of the pillar that talks about taking it to the adversary, right? So part of the NSA, you talked about NSA change, one change is we created an organization called Adversary Defeat.

Jim: Are you reading my notes?

Rob Joyce: I am not. So Adversary Defeat was intended to have a set of people who get up in the morning, go to bed at night thinking about how do I give the adversary a bad day, and using what NSA has or knows. We in actuality don't have a lot of authority to do stuff. We have authority to know stuff. And so we've got to have partners like industry, but also partners like FBI, Cyber Command, CISA, increasingly others like State Department, Treasury, and the like, because we can bring pressure to the cyber actors through many means. And so our Adversary Defeat function is figuring out how we operationalize the secret we know: how do we find the partner who can do something effectively that takes an actor out of the ecosystem or disrupts them from being able to have those free kicks on goal.

Jim: What would you say are the big lessons... The word that triggered this for me was proxies. You didn't say proxies, but I did. Proxies. We could ask about that. When you think of adversaries, how many of them are state, how many of them are proxies, how many of them are purely private criminals? I mean, it's hard to tell with the Russians and some of the others, but with the North Koreans it's easy. But what's sort of the blend here?

Rob Joyce: I can't give you a number. There is this scale that goes from black to white, and there's shades of gray all the way between. I can absolutely tell you that, you know, there are nation-state hackers by day who use their tools and capabilities and knowledge to do bad criminal things by night. There are patriotic hackers who have joined into the Ukraine-Russia fight who are purely not aligned. But there's also a bunch of intel activity where Russian hackers who work for the government, you know, do their activity shrouded in the cloak of patriotic hackers, right? And so that mix gets exceptionally complex. Sometimes the foreign intelligence helps us sort those into piles. Sometimes it doesn't matter, right? Bad things are bad things, and whether it is nation-state or criminal or patriotic individuals, you know, you've got to make it stop. And that comes in all elements of government power, whether it's, you know, law enforcement if you can get and reach them, Rewards for Justice to drag them out of that space, whether it's State Department doing diplomatic norms and engagements with their country, all the way down to Treasury and the power of sanctions and of OFAC. So it's a wide array of tools.

Jim: Did we overestimate the Russians? I think I probably did, when you're looking back at Ukraine, at the start.

Rob Joyce: I think where the overestimation happened was the concept of combined arms. So the Russians, in the physical space and in the cyber arena, haven't demonstrated the ability to do sophisticated use of complex things. And in cyber, you know, I think people have underestimated really how much game they brought, whether it be the Viasat hack to, you know, nine or ten different families of brand-new, unique wiper viruses that have been thrown in that ecosystem. So the things that are hot and ongoing today are: there's continued attacks on Ukrainian interests, whether it's financial, government, personal, individual, business, just trying to be disruptive. There's a lot of intel collection. You would expect that, right, in an ongoing kinetic war, that they're going to collect intelligence. There's creative things going on, like we're watching the Russian hackers log into public-facing webcams to watch convoys and trains delivering aid. And they're also hacking those webcams where there's zero-days or n-days where they can log in, and instead of using the town square that's available to the internet, they're looking out the coffee shop security camera and seeing the road they need to see. So things like that are ongoing. And then when you look to the US, most of the pressure is at the defense industrial base and the logistical transport companies who are moving lethal aid. So they are under daily pressure from the Russians. Again, that looks a lot like intelligence, right, to understand what the West is delivering, what the US is supporting, what we're doing.

Jim: But so far they haven't tried much in the way of disruption?

Rob Joyce: No.

Jim: Okay.

Rob Joyce: Not over here, right? But very much so in the theater and the adjacents.

Jim: Yeah, there's some interesting lessons there about sovereignty and international law. Can we duplicate the Ukrainian approach? Do we need to duplicate the Ukrainian approach? Like, for example, the, what is it, the IT Army. I was thinking, how would you even do that in the US?

Rob Joyce: Yeah, I have never been a fan of, you know, empowering the hacktivists, right? The cyber letters of marque and reprisal that people have talked about. You know, I really believe that nation-state actions are the sole responsibility of those sovereign nations, right? They have to be accountable for them, and if you're going to be accountable, you can't have somebody making up the rules.

Jim: I should remind people that if you have a question, either hold up your hand, we'll get you a card, or if you're online there's a button you can click to submit a question, and we'll take care of that. What about some of the other things the Ukrainians did, like they benefited from having a lot of outside advice. Is that...

Rob Joyce: But we were the people giving the advice in many cases. So there's a lot of lessons to learn from how the Ukrainians protected themselves. So, back to that resiliency word, they were very resilient.

Jim: How did they get that?

Rob Joyce: They got there because they've practiced for years, right? They were under the threat of NotPetya and, you know, electric grid attacks and other things. So they've been improving their tradecraft. They've gotten to the point where, you know, the Ukrainian sysadmins knew they had to have backups, and when they got a wiper virus, they shrugged their shoulders, they cleaned the machine, they reloaded from backup, and they moved on. But what they did at the time around the invasion was they got an uplift from US government providing resources, but a lot of pro bono industry support, to make them a much harder target.

Jim: How'd they do that?

Rob Joyce: Mostly by getting out of the data centers in Ukraine that were going to have crappy power and crappy comms just from the kinetic fight that's going on, and they got up into the Western cloud. And then the benefit of being in the cloud was you now went from two people who were maintaining and operating those servers to teams of hundreds or thousands who had the threat intelligence of, this server got actioned, I need to defend the same thing over here. You got the benefit of NSA working with those companies to take the Russian threats from foreign intel and injecting that in, right? I wasn't going to find those two server admins in Ukraine and be able to help them directly like that, but that cloud environment gave them a much more resilient space.

Jim: Where would you put the US government when it comes to cloud? There's some indications that some civilian agencies were actually backing away from the cloud. I mean, do we need to do more to secure it? What's the...

Rob Joyce: You know, I really believe the path in the future is in the cloud. So there's a wide array of people who are doing it right and people who are not doing it right, and it's just like, you know, managing the server on-prem. It takes effort and knowledge and attention and resources, and I think we are now getting better at specifying the defaults, the things that rigorously need to be tuned and configured and set. But yeah, there's still breaches and issues with the way the US government's running cloud.

Jim: What would you do to change that? I mean, I'm not asking you to critique FedRAMP, which was 4,000 pages. What would you do to make it easier for people to use good cloud?

Rob Joyce: Well, the first thing I would do is you need to decide how sensitive the application is, because there's different integrity levels across the offerings you can choose, and, you know, if it has a high regret factor, it shouldn't be an IL-1 cloud instance. It should be something much more protected and secure.

Jim: Do questions... Let me get some questions. Do we have online? Oh, we do. Thank you. Maybe turning, before we get to the questions, to China. What does the more aggressive China mean for cybersecurity? It's hard to believe they could be more aggressive, but are they maxed out? What does China mean for it?

Rob Joyce: They're not maxed out. You know, the threat of China is capacity and resources, and, you know, we're used to kind of a narrative of this unsophisticated, loud threat. And yes, there is an enormous amount of unsophisticated, loud Chinese threat, but there are also elite units that have tools and tradecraft that is very sophisticated. And, you know, one of the dangers is that knowledge and tradecraft propagating to the scale that they can bring. And so that's the concern, as they're able to scale and use that elite set of concepts and tools at a much bigger pace.

Jim: What would you say to companies when they look at Ukraine and then they look at Taiwan?

Rob Joyce: Yeah, so we had a lot of companies who had to endure hard decisions and take rapid action at the time of the invasion, and often they had people in Ukraine that were now going to be in a war zone, and they had to think about getting them out. They had Russian or Ukrainian sysadmins, and they had to think about what privileges they wanted them to have. They had network segments in Russia or Ukraine, and they had to think about whether they severed that or firewalled it. They had to think about whether they just pulled all the way out of their Russian businesses, and what the implications were. So what I would encourage anybody who went through that: sit and do a tabletop with your executives, maybe even have your board observe, but think about, if you scratched out Russia-Ukraine and wrote China-Taiwan, how that changes, and how much more intertwined and difficult that is. Because I think that's a really hard problem, and you don't want to be starting that planning the week before an invasion, when you're starting to see the White House saying it's coming, right? You want to be doing that now, and buying down your risk, and making those decisions in advance. And it's really hard, so tabletop it and see where your pain points are.

Jim: I mean, that touches on something, though. I think one of the lessons of Ukraine is that the release of what would have been secret intelligence on Russian intentions and motives turned out to be very successful politically. So what did you learn from that? I know sometimes agencies are reluctant to release stuff.

Rob Joyce: Yeah, I think that's in line with, you know, our overall journey here, where, you know, the idea is intelligence has to serve the people who can make use of it. And sometimes that sensitive intelligence is serving the president, the warfighters, the diplomats, the policymakers, but other times, you know, it serves the international community, businesses, and others. So I think you're always going to find, you know, the policymakers now thinking about that risk-reward, sources and methods versus the operational outcomes.

Jim: Well, as usual, I asked for questions and I got them, so we're going to be right up to the time limit here. This is a good one, though. It's my favorite so far. If you woke up tomorrow and you were the director of CISA and Jen Easterly was the director of NSA, would you have a different perspective on things like the Joint Collaborative Environment?

Rob Joyce: Yeah. No, I don't think I would, right? I think, if you looked... I talked about going back to some of the authorities and constituencies, right? The JCDC and the CISA mission's got to be broad. It's massive and inclusive. And there are things where we can get the NSA secret sauce into that world, but also, you know, directly into the people who can do something about it in the telcos, the ISPs, the major equipment manufacturers, and the incident responders.

Jim: What do you like best about JCE? Yeah, JCDC.

Rob Joyce: Yeah, the JCDC. The best thing, you look at Log4j, and it was a phenomenal response, right? There was a place that was the center of the universe for everybody who wanted to contribute, to come bring their knowledge together, share that, and then get it back out to all the interested parties. You know, what software was vulnerable, what is the latest workaround for some of the mitigations people were proposing. You know, it was just a definitive place to go on a very fast-moving process, and, you know, everybody brought their knowledge, whether it was government or industry, to that centralized place.

Jim: Do you think that's scalable, though? I mean, maybe you don't see it. Is it only for the big incidents, or what?

Rob Joyce: Well, that's the big incident use case, is one of the use cases, right? And so there's other use cases, and I'll let CISA talk to, you know, where they're headed with that, but, you know, we're along and embedded and part of that.

Jim: Great. We're seeing a trend globally towards increasingly robust data privacy laws, which are often linked to cybersecurity standards requiring data localization. It's a great question. How do these affect our global collective defense in cyberspace?

Rob Joyce: Yeah, I'll go back to GDPR. You know, there were second-order effects that we didn't, I won't say we didn't appreciate, because there were people sounding the alarm, they were not fully considered in the weight of that. So, for example, the internet registries, where you have to, you know, have accountability of who owns a domain name. Instantly under GDPR, the default was you couldn't know that thing, and so cybersecurity researchers all over the world lost the ability to follow connectivity between bad domains. So we've got to think about second-order reflections. There is a need for data privacy, but we've got to have rational connectivity to the rule of law processes that still makes cybersecurity effective.

Jim: Yeah, I think if I was going to handicap this, I'd say that GDPR is becoming the global standard. We just have to accept that. The data localization will be tough, because there's a split within Europe on that. But in general, my impression is that things are better. We're in a much more cooperative environment than we were, say, two or three years ago. So I guess things like CCC get some credit.

Rob Joyce: Yeah, and I think we're learning to work in it, but it's still, you know, it can be improved, right? I can tell you that, you know, I want the years of my life back clicking cookie warnings, because they are adding no value, right? So we've got to think about the balance in that space. There's rational security and there's some theater in it.

Jim: Yeah, cookies. Post-SolarWinds, General Nakasone said NSA had a blind spot where hackers use US cloud services. Has the new KYC, know your customer, executive order changed that?

Rob Joyce: I don't know that that has changed it
significantly it certainly has other benefits but not for us in in the intelligence world what has moved the needle is those relationships with the companies right so um the the blind spot of you know that domestic infrastructure the companies know what's going on in their networks and by them pursuing a threat I can tell them about now you don't have NSA feeling like we need to chase that data because it's covered by some really expert analysis and then they can bring the results back out and we can meet and continue to add that to the foreign threat this is a great we got a lot of great questions but this is a little off topic I should be doing them in sequence but where can we trust AI for NSA missions and where can we not that's a good question you know I I don't know how many of you played with you know several of the different name name your favorite um model out there um but they hallucinate and that's the technical term of art meaning they they will generate data that's not real I have to be able to generate real data to bring it to a company or the president or the the war Fighters um so so I have to get to the point where we're understanding the outputs are factually accurate in my world that's that's a high bar the idea that it will sort and and provide acceleration just like I talked about the advantage to the adversary um you know every single day our analysts are overwhelmed with you know what they have to focus on if it can raise things up and even if it's only 90 right on on the things it surfaces then the human can work in a much more enriched flow and at that point they've become more effective so I think that's the place is The Sweet Spot it's a tool yeah it's not going to replace our analysts if definitely yeah I do prepare for AI I watched uh Terminator 3 again but I didn't I didn't learn that much so I um another AI question it's the flavor du jour How concerned does Santa say about IP theft targeting usai leaders like open AI have you seen an 
uptick in that yeah so um I can't talk to any specific threats but I can talk with a historic lens right um all of our industrial advancements that are game changing have been targeted in the past right whether it's Materials Science or chemicals or Battery Technology I I don't care what it is if we've innovated it and have the state of the art um you know it's been under pressure from China and others to to pull that and and steal and bypass the Investments our companies are making to develop it um and so I see no reason that there's not a major focus on getting those models and and bypassing all the investment and you know the the capital it took to develop them where would you rank the Chinese on things like Quantum and AI Quantum I got to meet the guy who was the head of the mischiefs program and I thought he was the real deal yep if you read the the open China strategies and they're you know they're they're if nothing else they're strategic and try to align on a vision and a goal in the long term uh they're investing in in both areas heavily and you know again the the quantity of researchers applied they're going to get good at it but they're also going to use that Intel capability both in the human world and in the um and in the cyber world to try to jump start where we have leads this is what I've been wondering about myself and so it's a good question it's from people at MIT um can you tell us how the vulnerabilities Equity process is working these days I could not answer this question yep um so it is still a robust and viable process for those of you who don't know vulnerabilities Equity process was set up a number of years ago and refined four-ish years ago but it's the process where the government takes a vulnerability it knows about in in the Cyber Arena and considers whether it needs to be closed for the defense of greater good or reserved for the the intelligence or warfighting capabilities the default on this is overwhelmingly default to defense but 
the retention of some of those capabilities are necessary for the cyber security intelligence I produce for some of the activities to do the defend forward Mission so but it's still active of it involves the Intel Community but it also involves you can go out and see the charter it involves DHS cisa it involves folks in Commerce so there's there's a wide array of voices around the table yeah no it's good to hear it's still working it's not always visible uh this is what does and I'll just read it what does NSA do in the case of obstinacy of a private actor um especially if there's a vulnerability in a handset or one of the drivers from the handset and they refer to a particular company is and the companies uh on that the supplier is unwilling or unable to handle and the handset is used by a lot of people uh what Conan us they do about that yeah so so that we just talked about the vulnerability Equity process that's been one of my frustrations is when you have a vulnerability it's clear it needs to be fixed and you go to a company and either they've decided the product's end of life or that it's um you know it's a feature not a bug we've been told that before but you know the idea that it's not going to get fixed that's a hard problem right because we can't mandate the cyber security there we will often at that point do responsible disclosure good news is it doesn't happen much but the idea that you know it you've got to find a way to increase the pressure to get it fixed because you can't go directly public and make that vulnerability known if the company's has no intentions to fix it at that point you've just armed uh the the Bad actors with that knowledge as well so it's it's a tough problem but usually we use the levers of government to bring increasing pressure it may be related to that as 5G brings ubiquitous connectivity with big data and Ai and cyber um what can the U.S and its allies do to ensure that places like China don't establish Tech dominance I'd say 
it's a toss-up right now I we were we were doing better the Chinese have kind of regrouped and they're moving out faster than we might but what would you think we could do yeah I I think the thing we need to do is really shine a light on the values and the outcomes you can expect from the different the different governances right I think we've bought into cheap technology and that has fueled the growth of China you know whether you you look at Huawei or other technology we are starting to realize that we've got to turn and and make sure that in the west we can produce and deliver secure things chips Act you know the the open ran concept you're going to see more things to intentionally ensure that we have a secure supply chain that we can turn to and and make the choice to buy secure or use secure one of the things you got the last question will be about Tick Tock but I'll cheat and slip one in now one of the things you hear from people is well there's no evidence that they're doing bad things and I believe that could be true but what would you say back to that you don't like Risk yeah I'll give the the quotes I always use right which is this is not about show me The Smoking Gun this is the adversary has a loaded gun you know why would you stand in front of that right you've given them the platform and the capability to do harm and you know you've given the historical track record of how they operate with their businesses how they choose to exploit the West it's an untenable situation you know the idea that Tick Tock as a platform um you know do I think if if I loaded tick tock on my phone they're going to get to all the other sensitive things through that Tick Tock talk app tomorrow probably not right the the cost of exposing to talk in that way to exploit one or a small set of users probably isn't worth it but all the data the metadata that they do collect that goes back to Big servers accessible to China that's a problem the idea that they own the algorithms that 
promote or suppress the content that's a huge problem when you have millions upon millions of eyes consuming the content and they can dial up something that is divisive or they can dial down something that that is threatening to the PRC that's the advantage right that is you know the the analogy I used is we're bringing that Trojan Horse inside the castle right why would you knowing what it is bring it into the castle a couple more questions and this one's still the China theme with China's Quantum Leap in January do you think nsa's plans to move to post quantum encryption by 2035 still makes sense does that development so so I'm unclear what they mean China's Quantum Leap there was a discredited claim out there and it was not valid that there was a there was a shortcut I think that's what they mean to Quantum yeah so it wasn't a Quantum Leap so we we're still comfortable with our timelines and uh you know it's um Quantum uh the quantum threat is not here yet but you can see it on the horizon so you need to be doing prudent things to get ready and that's you know the nist competition to give us the um the the the crowd-sourced solutions for Quantum resistant algorithms many eyes and vetted and tested to include NSA the commercial entities who are now operationally testing those things to understand what it does to the infrastructure and the requirements to host those new types of algorithms and optimize for them and then you know thinking about what's your inventory this is a Y2K like problem where do you use public key cryptography in your infrastructure and what's your plan to kind of wash it out on those same orders right you ought to look at where the government's heading and say I need to be there in the same time frames yeah I will say that the the timeline for Quantum is one of the few places where I think you could get technological surprise because if they did have the cable they wouldn't have advertised it but you don't want to wake up and find out that 
they've they've got it and it's a real part and you also one of our colleagues from the early days of cyber security is now talking about why to keep y2q so um stay tuned for that one uh okay I think it's the next to final or the final question um what can NSA sisa and FBI do to protect small companies I told you where NSA is right our our strategy that gets to scale is to get to The Bigs in the ecosystem that can then push that security into the ecosystem right even in the dod the the numbers are staggering so I mentioned we've got about 300 companies that we're interacting with there is something like 30 000 clear defense contractors those are people that have access to classified material doing work and development for the defense department so 300 to 30 000 that's that's a big gap but there's three hundred thousand defense contractors now they make all sorts of widgets but they're in the supply chain and disruption of that supply chain would be a heinous thing so we are not scaling to get to thirty thousand let alone three hundred thousand we're using that strategy to get to the big companies in the ecosystem and and do those things like you know the the defend forward strategies and others to disrupt the threats and by doing that it not only protects the the thirty thousand the three hundred thousand but it gets into the critical infrastructure the business our foreign partners and the ecosystem so if if for those of you who have a doctorate this is a lot with your PhD oral exam is like you have a bunch of grumpy professors who get to throw any question they want in a general area at them and what would you would you give Rob a passing Mark I think I think yes so so an a they say that's impressive thank you um uh any final questions if not uh Rob thank you for taking the time thanks Jim I appreciate you hosting yeah thanks see you soon [Music]
Info
Channel: Center for Strategic & International Studies
Views: 6,847
Keywords: Center for Strategic and International Studies, CSIS, bipartisan, policy, foreign relations, national security, think tank, politics, global food security, food loss, food waste, sustainability, food tech, biotech
Id: MMNHNjKp4Gs
Length: 57min 56sec (3476 seconds)
Published: Tue Apr 11 2023