It’s been 18 months since the SolarWinds cyber breach was detected. Since then, there have been new players, new policies, and new attacks. If there’s one thing that’s clear, it’s that businesses must transform in order to meet the cyber threats of tomorrow. Listen as leaders in cybersecurity from CISA, Mandiant and SolarWinds discuss lessons learned, private-public partnership and how to build trust.
>> ANNOUNCER: Please welcome panel moderator Niloo Razi Howe.
>> NILOO RAZI HOWE: Welcome, everyone. I'm thrilled to be moderating this panel that actually needs no introduction. So, just thank you, Director Easterly, Sudhakar, Kevin, for engaging in this conversation.
Just a quick piece of housekeeping for everyone in the audience. We will be doing Q&A, but we’re not going to be passing a mic. So, if you have questions, please tweet them. There should be a Twitter handle going up. Yes. Please tweet your questions to my Twitter handle. Keep them short, or I will ignore them. And I will be going through my Twitter. I'm not multitasking to see if there's questions coming in. We'll try and roll them in as we have the conversation.
So, I'm super excited to have this conversation. I just wanted to start by setting a little bit of context before we dive into the meat of the conversation. Over the past 18 months, it at least feels to me that we've been seeing an escalating sophistication of cyberattacks, cybersecurity breaches, and there’s a couple that have stood out to me just because of what their implications are. Clearly, there’s been a lot of cyberattacks, but the first is the NSO iPhone exploit, the zero click exploit, where just by receiving an iMessage on your phone, it could be completely taken over.
What was interesting to me about that exploit, there were two things that were really interesting, one is it showed the inherent vulnerability of all of our devices. And the second piece was that private organizations now have sophistication that we assumed only belonged to the most sophisticated nation states. The second one, of course, is Log4j, and that has come up in a lot of conversations this week, I'm sure. Simple open-source logging module, scrutinized by thousands of experts over a number of years without anyone detecting that it could be used exactly as it was designed and provide a Java‑based remote code execution to take over a server. And that opened our eyes to the reality that open-source software that we rely on ubiquitously, especially for certain utility functions, has inherent vulnerabilities that exposes all of us, including our applications and our systems.
And we've seen sort of repeated examples of authentication being bypassed even with the most sophisticated vendors, Cisco DUO in Microsoft. And as we look at that, as we look at our hyperconnected ecosystem, we’re expecting to have somewhere between 30 billion and 40 billion devices over the next few years. That hyperconnected ecosystem feels inherently fragile, more fragile with every device that we connect to it, with every application that we add to it, with every technology that we bring into it.
So, Kevin, I want to start with you.
>> JEN EASTERLY: So, unfair.
>> KEVIN MANDIA: I win.
>> NILOO RAZI HOWE: Thank you for that. Is my hypothesis right? Are we seeing increasing sophistication of breaches and exploits and hacks?
>> KEVIN MANDIA: Niloo, I'm glad to say, yes, your hypothesis is correct. A couple of reasons why.
>> NILOO RAZI HOWE: That shouldn’t be something you’re happy about.
>> KEVIN MANDIA: What’s that? I am happy about it. You can just look at the numbers, that in 2019, we saw 32 zero days. That was the largest amount of zero day exploits you saw in a year. In 2020, we saw 30. It took a dip. 2021, over 70. What does that tell you? The attackers are getting zero day capabilities. And it used to be that zero days were the purview of nations, that if we saw a zero day in use, usually it was a modern nation behind it done for espionage. Last year, it was approximately 60% of the zero days were used by nations for their resources or contractors, 40% were criminal actors. So, that means there’s enough money in cybercrime right now that they're buying the zero day. And so, when you see that, that means their defenses are getting better. That means the offense has to get better. But there are so many ways to answer your question. I could probably go on for 20 minutes supporting your hypothesis.
>> NILOO RAZI HOWE: How about three?
>> KEVIN MANDIA: No. I'm almost done. I’m 20 more seconds. The bottom line is all of us depend on technology more than ever before, and because of that, the impact of the breaches, both in a positive for the bad guy, the negative for us, has been just massively -- the impact is magnified today more than ever before. And it's just getting more complex. More apps, more APIs, more malware, more threat actors, more risks and repercussions or liabilities when you're compromised, no risks or repercussions to the bad guys doing it.
>> NILOO RAZI HOWE: So, the threat surface is getting better. Are the threat actors getting more sophisticated?
>> KEVIN MANDIA: I think we're forcing them to be.
>> NILOO RAZI HOWE: Jen, you have a unique perspective here. Not too long ago, you were in the private sector. You were running the fusion center at Morgan Stanley, responsible for detecting these attacks and helping Morgan Stanley respond to them. Today, you’re running -- I believe the tagline is the country's cybersecurity agency. You're responsible for the cybersecurity of critical infrastructure. So, you have this unique perch over the last 18 months as all these attacks have happened of having seen it both from the private sector perspective and from a government perspective. If you combined those two, what are the unique insights that come out in terms of the reality of the world that we live in right now?
>> JEN EASTERLY: Yeah. Huzzah. So, I mean, it's a great question. A couple of things. One of the reasons that I came back into government from four and a half years at Morgan Stanley was I served on the transition team for the Biden-Harris Administration, and we were there from September to inauguration. Of course, during that time, it was SolarWinds. It was a big revelation to me when I got to Morgan Stanley after spending 27 years in government that government really looks quite incoherent, frankly, from the private sector. I felt that there was a real need to try and change that and bring coherence.
One of the things that I remember most clearly is after SolarWinds broke, and you all can talk about that much more than I can, but on the Morgan Stanley side, as well as the transition team, there were some reports that came out from the U.S. government, there was a report from CISA, my agency, that was an emergency directive to federal government networks to take certain actions. Of course, these things are only binding on dot gov, but we certainly took that as a signal of what we needed to do if we had SolarWinds in our infrastructure, which we did not. But a couple days later, then there was another report from the National Security Agency that talked about a compromise with VMware. But it was not clear that there was no relationship between the NSA report and the CISA report, so we actually thought that there was some sort of a vector, similar to SolarWinds with VMware, and we were very worried because we had a ton of VMware.
And so, it was just a lesson learned that government was not coordinating as it should. It's been one of the things that we have really tried to work on with Chris Inglis, with Rob Joyce, with the FBI, to create much greater coherence. And the other thing that was the big lesson learned was the fact that SolarWinds, even though it impacted many government agencies in the private sector, was not discovered by the U.S. government. It was discovered by a private sector company. And that really taught me the importance of building a model where the private sector and the government are working together collaboratively to put together the pieces of the puzzle that you have, that you have, and that we have to be able to create that threat picture because we certainly can't do it alone. And, quite frankly, given that most infrastructure is owned by the private sector, you all, technology companies will see threats before the government sees it. We can enrich it based on what we know, but we really have to work this together.
>> NILOO RAZI HOWE: Does the cybersecurity threat landscape look different to you now that you're in government, better, worse, same?
>> JEN EASTERLY: You know, I don't think it looks any different. I think we have seen this over the years that it is increasingly complex, increasingly dynamic. I think we see nation states becoming more sophisticated, more well-resourced, and then cybercriminals being more well-resourced and more sophisticated. And so, I think the lesson out of that is we have to make cybersecurity a national security priority, and I think you've seen that from the Administration, but we also have to be able to communicate it in a way that people understand what they need to do to keep themselves safe. I think, frankly, cybersecurity and technology people are not very good at translating what we do into a way that the American people can understand it and can protect themselves.
We talk about zero days all day long. But at the end of the day, we just put a report out on this yesterday with Chinese exploitation using common vulnerabilities, unpatched vulnerabilities. So, the basics of cyber hygiene and things like patching vulnerabilities are really what's an important message, even as we get sort of into the more exotic type things as you were talking about with the NSO exploitation.
>> NILOO RAZI HOWE: So, Sudhakar, huzzah. Good to have you on stage. You had been announced as the CEO of SolarWinds, but you had not yet stepped in as a CEO of SolarWinds when everything started happening. You sort of jumped into the deep end of cybersecurity head-first as a technology infrastructure person. What were your assumptions about what the threat landscape looked like, and what were the insights you gained having gone through this process?
>> SUDHAKAR RAMAKRISHNA: Absolutely. First of all, Niloo, thanks for having me here. For the benefit of the audience, we all nominated Kevin to provide comedic relief today. So, from time to time, you'll see him going off on tangents, but we’ll do the best we can to bring him back on track, I promise. The operative word is try, not succeed. In the security landscape, as we all know, we can only keep trying to improve it every single day.
And to your question, Niloo, suffice it to say, I joined the company in, call it, unusual circumstances. But the way I have looked at it coming from the security industry is what if I had taken the job, and 48 hours later, we discovered the issue? Chances are, I'm not going to turn around and run. So, when you look at situations such as this, there's always an opportunity to learn. There's always an opportunity to serve. And that was a mindset that I joined.
We are fortunate to have an incredibly strong team within SolarWinds. I am extremely fortunate to have a great set of partners, and incredibly thankful for the trust that our customers have in us. So, the ingredients to get through the storm, so to speak, were in place. At that point, it was my job to do my bit and expect others to do their bits as well.
The approach we took, I would also say, was somewhat unusual, and I still believe it remains unusual today in the industry. We committed right from the get-go that we will be super transparent about what we know, what we don't, because anybody that claims they know exactly what happened does not know what happened.
Then the next thing we said was we need to focus on a sense of urgency, do something. About all do something was kind of the thought process.
The third was collaboration. And, Jen, thanks for being with us. You have been a great partner for us as well. So, third piece was collaboration.
The fourth was constant communication, engage with our employees, engage with our partners, engage with the authorities.
And the last, probably the most important thing I would say, is humility. When you think about humility, what I mean is the endeavor to constantly learn and constantly iterate and improve because I don't believe there are silver bullets, but there are always learnings in every situation.
So, that's what brought us here today.
>> NILOO RAZI HOWE: Did you appreciate the vulnerabilities that happened given the complexity of our technology infrastructure as you were stepping into this role?
>> SUDHAKAR RAMAKRISHNA: Yes, in a sense, as an industry practitioner. So, prior to joining SolarWinds, I ran a security firm, oddly enough, in the zero-trust secure access space for six years. So, I come from this industry.
At the same time, as we investigated the SolarWinds breach, while -- or Sunburst, as it’s broadly known, while supply chain attacks in computer science are not anything new, the particular approach that this particular threat actor took in our environment was incredibly sophisticated and incredibly novel, if I can say that. And in a very large build process it was a matter of a few microseconds, I would say, if that, where malicious code is injected into the build system and taken back out. So, it was very difficult for any tool to identify it or, for that matter, even the best of engineers to identify it. And that's the reason why I think it got a lot of attention.
>> NILOO RAZI HOWE: Jen, Kevin, is the damage assessment complete? Do we understand exactly what the Russians were after? How far they got?
>> KEVIN MANDIA: Do you want to go first?
>> JEN EASTERLY: Yeah. I mean, we spent obviously a lot of time on this early in the Administration, really before I was confirmed, and I think we've got a good understanding, certainly within the Federal Government. Part of our issue is there is not the level of visibility that we need into critical infrastructure. Given what Kevin does, he might have a little bit more on that. But that, again, is why we need to come together to put that visibility together, given that private infrastructure is largely critical -- largely in private hands. But coming out of SolarWinds, there was a lot of good work that manifested into the President's executive order that we've now been working to implement to really raise the bar on the dot gov. Again, a lot of that is making sure that we have the visibility to be able to run the, what we call, the federal civilian executive branch, the dot gov, run it as an enterprise, not 101 separate departments and agencies all running their own systems and networks. That is not a trivial endeavor, at the end of the day. We've made good progress, but we have a lot of work to do.
>> KEVIN MANDIA: Yeah. I think on the forensic side, what made it possible to get -- you always only know the lowest bounds of what you lose whenever you do an investigation. A lot of companies when they get breached and they know it just assume every machine accessed or every system accessed, we lost everything, and that sometimes overestimates what was taken.
But in regard to the threat group that got hands on the keyboard with the Sunburst implant, you could get very good telemetry as to what they were taking, because it was the SVR, and they minimize on collection. So, they do do keyword searches that are unique to the victims, and they were primarily going after email. So, you know the email stores that were affected, and you know the keywords that they were looking for responsive documents on it. They're not like a tank through a cornfield. They're kind of more precise in their collections. They've always had the discipline of doing the keyword search, even on initial access sometimes, not being curious and just poking around in your system. They get in, there's a human operator on a keyboard, but they just do the keyword search and get out of dodge, and they come back four days later and grab the responsive documents. But again, you walk away going, do we know 90% of what they took, 70%? But it’s not zero. And you do get an idea based on the keyword searches and the people targeted what the collection requirements were.
>> SUDHAKAR RAMAKRISHNA: Niloo, if I can offer a clarification on that, also. In terms of Sunburst, the reason why I believe it got so much attention was not so much due to the maliciousness of the code that was injected itself as much as the trade craft that went behind it. So, it wasn't like the run-of-the-mill virus or ransomware that has been implemented to create the most damage in the fastest possible time. In fact, the malicious code that was injected in Sunburst was essentially useless unless it was able to contact a secondary server on the internet and then come back into the enterprise. In other words, there were many other hoops, so to speak, that they had to jump before they could cause the real damage. The reason why it is significant is for the longest time, the time-tested way of delivering integrity from a software vendor standpoint was to sign the code you deliver with your digital certificate. And so, in this particular case, we still did that, but there was malicious code injected. So, that was the uniqueness from a software supply chain standpoint, which is why some of the initiatives that the government has created around software bill of materials and such will start becoming useful and important for all of us to adopt and proliferate.
>> KEVIN MANDIA: Yeah. Going back to the topic on zero-trust and piggybacking off what you said, cybersecurity went through the stage of -- I hate physical analogies, so I'm going to do what I hate. You have a gate guard outside the New York apartments, all they ever did is inspected who is coming into the building. They never watch who is going out. Zero-trust is watching every single door in the apartment, and every time someone walks out and every time someone walks in. With an implant, if all you’re doing is watching what’s coming inbound, it's pretty, pretty tough, and you’re not watching what’s going outbound, which was the beacon going out.
>> SUDHAKAR RAMAKRISHNA: And as they say, the world goes in circles, but some of these concepts have been there in software forever. You could set a firewall rule essentially to do exactly what Kevin just described. Right? So, a lot of it has to do with education. One of the biggest challenges that we continue to have in cybersecurity is user education, end user education. How to use passwords. How to use MFA, the basics, which then either result in greater security or poorer security.
>> JEN EASTERLY: Yeah. I agree with that. I think you were going to sing more than a password, Kevin.
>> KEVIN MANDIA: Me.
>> JEN EASTERLY: Yeah.
>> KEVIN MANDIA: Say it?
>> JEN EASTERLY: Sing it.
>> KEVIN MANDIA: At the end.
>> JEN EASTERLY: In Klingon. Okay. I totally agree with that in terms of individual responsibility. We just launched this more than a password to get people to enable two-factor. But I also think it is incumbent upon technology companies to make things easier for the end user, so things like enabling multifactor authentication by default. Things like logging should be a basic security thing that we don't get charged extra for.
>> SUDHAKAR RAMAKRISHNA: Absolutely.
>> JEN EASTERLY: Right? These are all -- both the responsibility of the individual, but the responsibility of those who provision the technology ecosystem. So, it's a collective responsibility model.
>> SUDHAKAR RAMAKRISHNA: I totally agree with you on that. And the intent behind security should not be to lock everything down in walled gardens because you're just simply going to kill productivity of enterprises. Ultimately, we're here to improve the productivity of the people that we serve. So, security technology, from a user experience standpoint, has to be seamless and has to promote access and productivity as opposed to building layers and layers of security that make getting anything done impossible.
>> NILOO RAZI HOWE: There's multiple elements of this. One is, absolutely, we've got to fix the technology, and we've got to fix the people problem. There's another aspect of this, which is transparency, real-time information sharing, unity of effort, unity of response, and coordination. When the Sunburst intrusion happened, there was no obligation to report for either of your organizations. Can you -- Kevin, you came out pretty fast. Can you talk about how you weigh the equities of not just disclosing but the timing of disclosure?
>> KEVIN MANDIA: The timing is as fast as you can, but you don't want to do it without detail. The why, there is no other alternative. As a security company -- I actually think as a business, it's all about trust, period. Right? So, you have to be forthright about the upsides and the downsides of your business. But in security, it's doubly -- it’s way more important to have that trust.
I know that the day I got the briefing, that I felt it was going to be a significant breach for FireEye at the time, we held a board meeting that day, and it was a race to go public as soon as possible, even though I didn't have a lot of details. It does no good to go public and fearmonger, hey, something bad happened, but we can't help you, and we have no details. You do have to have a certain set of data and intel that's helpful and impactful and can help people.
Without a doubt, though, we were in a sprint to go public and inform people in a way that was helpful to everyone. So, just having knowledge of a breach actually doesn't help you. Having knowledge with a whole bunch of information and patches and indicators and steps you can take to proactively prevent or detect whether you already had a problem is critical.
>> NILOO RAZI HOWE: Jen, you said earlier the private sector discovers so many of these vulnerabilities and compromises. But, of course, the government also has incredible access, incredible intelligence and authorities to discover vulnerabilities and compromise. How close are we to creating -- and anyone can answer this -- a common operating picture, bringing all those stunning pieces of intelligence and information together to improve our collective security?
>> JEN EASTERLY: Yeah. I would say that we are improving. This is sort of the theory, the case behind the joint cyber defense collaborative. We are working with the private sector so that we are able to understand their visibility. We can enrich what they are seeing with what we are seeing from an intelligence perspective and what we see in terms of the civilian enterprise. But getting that common operating picture is, in part, predicated on getting reporting right. There's -- we have this new legislation on cyber incident reporting that is actually incredibly important to enable us to understand the full bounds of the landscape. So, part of it is the data we're bringing together, but also part of it is the importance of getting the incident reporting regime right. We're starting to work with all of the private sector. We're going to put out an RFI, request for information, to get that right because we want to make sure that we are not burdening CISA with noise, and we are not burdening the private sector with providing us noise when they're trying to deal with an incident under duress.
>> NILOO RAZI HOWE: How do we know that the incident reporting legislation is actually doing what it needs to do?
>> JEN EASTERLY: Well, we won't know that until we're actually able to put a final rule in place, and that's why we're going to be working over the next two years in a consultive process working with the private sector. And then, quite frankly, really important here, harmonizing the regulations that are already in place or the regulations that are going into place, and making sure that we, again, are not overly burdening the private sector.
I’d hit on something here because you started out talking about technology and people. It's interesting when you think about, we spend so much time talking about zero-trust. You walk the floor and it's all about zero-trust. But we all know, at the end of the day, we cannot get this job done without trust. As a leader, I look at how we speak in technology, how we speak about leadership. You talk about the importance of vulnerability, we talk about eradicating vulnerabilities, you talk about the importance of emotional intelligence, and we spend a lot of time talking about artificial intelligence. Right? You can't just be authentic. You have to be multifactor authentic. Right? So, I mean, it's this language that sort of has this oppositional quality to it.
But the most important thing that we can do, whether it's working together with Sudhakar and Kevin, or working with the private sector to get that incident reporting legislation so that we see that as value added to the ecosystem and not a burden, is to ensure that we're developing that trust among our partners. As I've said several times, trust is hard to build and really easy to lose, and so we need to move from just plain old partnerships to true collaboration. These are such great partners here. Some of our partners are still in that transactional mindset, and we have to move people out of this, actually, we really just are in it for the business, or we're really just in it to have our name there because we care about the reputation. We really need to have the type of relationships where we're adding value, are relevant, and are trusting each other.
>> NILOO RAZI HOWE: So, --
>> KEVIN MANDIA: Can I expand on that, too?
>> NILOO RAZI HOWE: You may.
>> KEVIN MANDIA: When you hear disclosure, you think, oh, I got hacked, and I have to do this investigation and then tell the world and deal with how the government responds to that and how the nation or the public responds to it, and it's really hard to tell. But it's really -- it’s different than that. When I look at the disclosure laws, first, there's a level of where's the intel that's actionable that safeguards and protects us, and that can happen very, very quickly. I just want to tell folks it's already starting to happen. Every year, it happens faster and faster. If our company and other companies see something that is new and novel, it feels to me that we're actually calling folks that you might arguably say are competitors and we're telling them, hey, listen, we've got something new, we’ve got something that nobody's stopping. And so, even the vendors are starting to work together and wear one jersey of defense better than ever before. So, that's the first level of disclosure that we all want because it blankets us with more protection. And so, there’s that.
And then the next level, I think, is visibility for the government to deal with more of a doctrine approach, more of a damage assessment approach to understand and give visibility to different nations on how many ransomware cases, how much espionage, what are we losing, so that you can use diplomacy with real facts and data to try to have some sort of deterrence, or at least you can proportionally respond to what’s happening.
Those two things, in my opinion, are different thresholds, different audiences, and we keep trying to jam them into the same disclosure laws or legislation, and it’s hard to do.
But on the protection side -- and the JCDC, I think, is right. You have the companies in there that usually find the new and novel, and anyone can find the new and novel on any different day. Sometimes it's Cisco that sees it, sometimes we see it, sometimes it’s CrowdStrike. It could be Symantec. It doesn't matter. I can tell you the moment companies are finding it to the moment all vendors are sort of encompassing and swarming to defend against it has shrunk massively in timing, even though we're competitive. We're getting there. And then I think where the disclosure will mostly help is for more of the visibility for the government to arbitrate, have doctrine, and diplomacy.
>> SUDHAKAR RAMAKRISHNA: If I may simply try to round that out, I have described myself as a stubborn optimist, so I'll stay optimistic on this. While we've made -- while we’ve taken some steps, I think we have a long way to go. It's better to be realistic about it. Recently, I heard a statement which cannot be more true in the context that we're in, which is as it relates to cybersecurity, we're quick to mobilize but very slow to act. So, there's a lot of talk and drama and all of that stuff that happens, but in terms of real actionable things, we have a long way to go. I know Jen is valiantly trying to do that, and you have our complete respect and support to do this, but there's a lot of work to be done. There's multiple reasons for that.
We are in an asymmetric situation. If you think about the adversity, let's take a foreign state adversity here, they're coordinated, and they don't have scruples. We are fragmented, and we have to follow rules. So, that is a big asymmetry that causes us to be an easy target, number one. Number two, speaking for the private sector, it is sometimes very confusing to me as to whether my own government is an adversary or a partner.
>> SUDHAKAR RAMAKRISHNA: Because oftentimes, there's victim shaming. Most recently [indiscernible 00:30:43] got berated for being late in terms of disclosure, this, that, and the other hand. On the other hand, we’re creating disincentives to disclose, on the other hand, I'm all for accountability. We've got to challenge ourselves. I think some of the compliance rules are absolutely important. And as a private sector member, I'm fully obliged and accountable to support them. Equally, it's important to get support from your government and not have to fight two wars at the same time and lose the most fundamental edge that we have as a community and as a nation, which is what? Innovate, invest wisely, support your customers, and get ahead, and contribute to the community. We are not doing that. So, in that spirit, I think we have a long way to go.
>> JEN EASTERLY: I think that's so important just to reinforce that point. You and I have talked about this. I'm certainly very sympathetic to that coming from Morgan Stanley, right? At the end of the day, a public company. I think that's one of the reasons why Congress gave the incident reporting to CISA, not a regulatory agency, a voluntary agency, to ensure that we are not focused on naming or shaming or blaming or stabbing the wounded or hurting anybody's reputation, but we have the authorities to be able to protect liability, privacy, so that we can render assistance as necessary, but importantly, so we can share that information in a way that we can protect others from getting hacked. So, very, very, very sensitive to those concerns.
>> SUDHAKAR RAMAKRISHNA: On that point, Niloo, as a responsible private sector member, this is an idea that Jen and I have discussed, one way to kind of really create collective defenses is I suggested that, as SolarWinds, I'll offer up a full-time equivalent to CISA under the guidance of CISA. Let's say there are 3,000 companies, which will be easy to find, each one of us submits one resource to call it threat intelligence, threat research, with one collective goal, stop the bad guys, share the information proactively with the rest of us. That could help each one of us have the intelligence to fight collectively. Right now, it's a case of to each their own, and that is not a scalable model.
>> NILOO RAZI HOWE: A lot of what's underpinning this conversation, and actually the entirety of this conference, is this concept of trust, and it's trust between public and private, how do you build it, how do you operationalize it, how do you instrument it?
There's an annual survey, the Edelman Trust Barometer that comes out every year. It's a survey of about 36,000 people in 28 countries. And the 2022 survey provided some really troubling data points. This year, it showed that most people believe that they're being lied to by journalists, they’re being lied to by their government leaders, and they’re being lied to by their business leaders. These are core pillars of a well-functioning society. And when I say government leaders, it's really politicians, not so much the amazing people who lead our government agencies. And the two institutions that people rely on for ground truth, media and government, are actually seen as dividing forces. In fact, the quote was, they're doing a dangerous tango of short-term mutual advantage with exaggeration and division to gain clicks and votes.
So, given that we're at a historical low when it comes to trust between the public and the institutions that it relies on, how do we really build that trust? We have a lot of agencies -- and cyber, by the way, is the perfect place to do it, right, because it's a nonpartisan issue. It's apolitical by nature. It's a great place to build that cooperation and collaboration across the aisle. There should be no political disagreement when it comes to cyber. So, how do we actually do this?
>> KEVIN MANDIA: We're all jumping in on that one. I'll go first, I guess. There's no way to answer all that. It is way beyond the cybersecurity issue. This is a human nature issue. I think nobody likes to be lied to. There's no algorithm you can write that detects truth versus lies, and everybody's allowed to have opinions and those sorts of things.
From my angle, I look at the issue, there's a difference between anonymity and privacy. We’ve got to sort through that. Different nations will have different expectations of privacy or anonymity. But I think a lot of what we have to deal with that creates a challenge for all of us as cybersecurity professionals is the anonymity of disinformation being posted, the anonymity of the attackers, and it emboldens mostly malicious intent rather than safeguards whistleblowers. That's in different countries, anonymity is absolutely necessary for folks to survive, really. The bottom line is I look at it from that perspective, that anonymity is, for the most part, a security professional's problem because we don't want anonymity on our networks, we don’t want anonymity behind the IP addresses that are posting things, that are threatening our employees, and we're always trying to pierce that anonymity to defend ourselves.
>> SUDHAKAR RAMAKRISHNA: I would suggest a few, let's call them common sense solutions that are probably uncommon and tough to achieve.
One is I think we need to defragment the government agencies and have a single clearinghouse because, right now, the reason why there's not as much trust is when you have eight agencies talking about the same issue in eight different tones, who do you trust? And then, obviously, you then multiply that with disinformation and misinformation, then you get the effects that you get today. So, I would say simplify and have a single clearinghouse. And Jen and CISA are as good as any, I would say, that way there is one source of truth and one collaboration point for us as private industry to work with.
Two is overtly stop victim shaming in the industry because the whole point is you want to stop the threat actors. What do you do? Time is of essence, as they say. Now through your actions, if you create disincentives for people to come out, then you are basically putting yourself back. That's the second thing I would say.
Related to that, create the notion of a community which is through public-private partnership along the lines that we just discussed.
>> NILOO RAZI HOWE: Jen, you started out by talking about how when you were at Morgan Stanley, you had CISA coming out with an advisory related to Sunburst. You had NSA coming out with an advisory related to VMware. What we’re seeing today is multiseal advisories, and it’s not just the U.S. government agencies, but it includes our international partners. And we're also seeing it when it comes to attribution in cyber, right. When the U.S. government attributed the Sony hack to North Korea, suddenly everyone became skeptical that it was North Korea. With [indiscernible 00:37:53], we saw something very different. It took 2.5 months. But when the attribution came out, it was the U.S., EU, and UK coming out together, and it's much harder to deceive, deny, and misinform when it’s a coalition coming together. Are our government agencies working together better? What are you seeing?
>> JEN EASTERLY: Yeah. I mean, I think it has improved a lot. Part of it is because everything we’ve seen over the last 18 months has really put a premium on the importance of collaboration and the importance of coherence. It's really great to have somebody like Chris Inglis in the job as the National Cyber Director whose job it is to try and forge that coherence. As we know, personalities matter, so it’s great that, you know, I've known Chris, I've known Rob Joyce, I’ve known Paula Broadwell at the FBI, and so we all work really well together, and we understand that, to your point, Sudhakar, we do want to be this confusing board to the private sector. It's not good for anybody. You shouldn't have to have a PhD in government to be able to interact with the government, and the Congress agrees with that. That's why they developed CISA to be America’s cyber defense agency, and that’s why we've built the JCDC to be that one platform that brings together the federal cyber ecosystem but is the front door for working with private industry.
I would just say on this point about trust, you don't ‑‑ I hadn't seen that Edelman thing. You sent it to me. I’m like, oh, that's bad. But, you know, you don't trust institutions. You trust people. And so, working to make sure that we are forging collaborative partnerships. We are being responsive, something the government is not very good at historically. We're not a black box. We are trying to be as relevant as possible, enabling information that is useful to a network defender. That's what takes work. With the JCDC, Mandiant's a partner there, and we have a lot of conversations around this, but some of the partners still see it as a transaction. This is where, as we develop this concept, we need to ensure that we're coming to the table and adding value for the defense of the nation at the end of the day.
>> NILOO RAZI HOWE: So, I want to ‑‑ we sort of talked a little bit around the edge around our nation's state adversaries, Russia, China, Iran, et cetera. We touched on the fact that Sunburst was incredibly well-executed, it was disciplined, a little bit shocking given some of the historical experience with Russia. And then on February 24th, of course, Putin announced the start of special military operations into Ukraine. I’m just curious, we saw Russia evolving its tactics and becoming more sophisticated, and then Russia-Ukraine happened. Most people are sitting back and going, where is it? What happened? How has Russia evolved its tactics? How is that showing up in the Russia-Ukraine conflict? And what do we think of them today?
>> JEN EASTERLY: I’m happy to start. I think because of the magnitude of the kinetic war, the atrocities, the brutality, the civilian casualties, it has focused a lot of energy on that. I think it's been fantastic how the alliance and our partners have all come together. But there's been a lot of cyber activity focused in Ukraine by the Russians. We've attributed a good bit of it. There was a spillover. You mentioned Viasat, Niloo, that had impacts on communications in Europe. So, the big question is why have we not seen a significant cyberattack when we know, as the President said, there has been planning for potential attacks on U.S. infrastructure. In my view, I think it's a bit of deterrence by punishment if you look at the sort of Joe Nye article from 2017, deterrence by punishment, there's a fear of escalation. I think there's a bit of deterrence by denial in that we've all been working together to get the word out on the threat. We worked with critical infrastructure since November to brief at the classified level, at the unclassified level, with our state and local partners, what's the threat, and what do we need to do to mitigate it, and that's what's behind our Shields Up campaign. I don't know what Shields Up is in Klingon, Kevin, but you’re going to tell us. But we've been working to make sure that every business leader, Americans across the board, CEOs understand those steps they need to take to ensure that they're prepared. I think a little bit of it is the resilience by denial ‑‑ or deterrence by denial and resilience. But as we've made very clear, and we mentioned this yesterday, we do not think the threat has passed. We think it's very important that we continue to keep our shields up. We are going to continue to put out advisories and information. And when we think that threat is no longer relevant, we will absolutely communicate that transparently.
>> NILOO RAZI HOWE: Should we be thinking about cybersecurity -- as cybersecurity professionals, should we be thinking about cybersecurity differently during this act of conflict than we would if Russia had not invaded Ukraine?
>> JEN EASTERLY: I think so.
>> KEVIN MANDIA: Yeah. I think the conventional, it's broadened into way more unconventional breaches today. There's just a lot more brushfires out in cyber right now, and they continue to escalate. We’re looking at what we’re seeing, to piggyback on Ukraine, we’re responding to 20 different incidents in the Ukraine, responding remotely, we have secure messaging with government folks there, and we’re doing the forensics, and it’s constantly ongoing in cyber there, meaning I think most offense operates at capacity, and I think the Ukraine is getting quite a bit of the offense out of Russia, but it’s mostly destructive. We've seen seven different wipers in use there, which is a lot. For those of you who don’t have context, the most we ever saw in a year was like two or three. And I mean wipers that evade endpoint detection, so they’re specially crafted to do so. We're seeing some email compromise there and things of that nature. But this thing is everyday persistence, offensive in cyber for specific objectives, probably to destroy, and the Ukrainians are doing pretty good on the defensive side so far.
>> NILOO RAZI HOWE: Are you surprised, relieved, by how Russia is behaving toward Ukraine? Any insights there about --?
>> KEVIN MANDIA: No real opinion one way or another. We all know, whenever there is conflict, you have space, land, air, sea, you're going to have cyber domain and cyber activities, and so we're going to see that in conflict. Since cybersecurity is only 30-40 years old, it's just going to change. It will come a day where wars are fought by software, and whatever nation has the software that thinks fastest, learns the fastest, is secure will do pretty well in that war.
>> NILOO RAZI HOWE: One of the things about the Russia-Ukraine conflict that we're all really hesitant to talk about is this hacker army that Ukraine has recruited, right? By some counts, it’s 400,000 multinational hackers. That's twice the number of soldiers that Ukraine has. To be clear, it's illegal in many countries, including the United States, to partner, even in cooperation, with a foreign country to join a hacker army. Thoughts on that? Good idea? Bad idea?
>> JEN EASTERLY: Look at the government person. At the end of the day, there's a reason why it's illegal. My concerns are that there could be rippling effects, cascading consequences that could come back within the U.S. or within our partner nations. So, I think while anybody who looks at the horrific atrocities in Ukraine would have sympathy for anybody who is marshalling capabilities to go against the Russians, I think we need to ensure that these capabilities do not have any sort of blowback or impacts on us.
>> KEVIN MANDIA: I think it's a very bad idea to have wanton uncontrolled offensive operations in cyberspace. It’s already going to be hard enough to tell when nations are behind it and there’s ambiguity there. To have private citizens take up arms in the cyber domain will impact relationships between nations and escalate in a way where governments won’t be able to control the escalation. It’s a bad idea.
>> NILOO RAZI HOWE: And the splash effects. Uncontrollable splash effects.
>> JEN EASTERLY: You're thinking about NotPetya, right?
>> NILOO RAZI HOWE: Why is that?
>> KEVIN MANDIA: There will always be, at least today, in my opinion ‑‑ there will be collateral damage for almost every offensive cyber op, period. It's really hard to contain it. Especially if you are moving fast for a quick objective, you deal with the unintended consequences. That’s actually what makes the doctrines so hard because there will be nations that say we didn’t mean to shut down your water. What we meant to do is send a message or whatever. Bottom line, when you send an armed Word document into one company and it crashes a machine, you have no idea how it will propagate, where it could end up, and what could happen with it.
>> NILOO RAZI HOWE: Jen, this has been great in terms of talking about critical infrastructure companies about Shields Up and what they need to do to make sure at least the baselines are taken care of. What about the general American public? What should people be doing differently to secure themselves?
>> JEN EASTERLY: Thank you for this question. It's also on the Shields Up webpage. We launched our More Than a Password campaign, so we’re trying to really enable that multifactor authentication. Look, if the Russians and the Chinese want to break into our networks, we know they're going to, at the end of the day. They also do it not with zero days. They do it just getting in there using very common unpatched vulnerabilities or using credentials, quite frankly, like Kevin was talking about this the other day. So, passwords, password keepers, updating software, training around phishing, and multifactor authentication are so incredibly important, and we need to break through and communicate this in a way to the American public that it really sinks in. We know that over 90% of successful cyberattacks start with a phishing e‑mail. We know how effective multifactor authentication is to keeping us safe. And so, we do a ton of work across the country where we have a field force on what are the basics we need to do to keep ourselves safe. So, incredibly important.
>> NILOO RAZI HOWE: So, we only have two minutes left. Silver bullets. If each of you could wave a magic wand and cause either the private sector or government to do something differently that could fundamentally change the dynamics of cybersecurity in the threat landscape, what would it be?
>> JEN EASTERLY: I'm going last.
>> SUDHAKAR RAMAKRISHNA: I'll go first. I'll keep it simple. Defragment the government, meaning provide a single clearinghouse and work in true partnership. We don't need any fancy silver bullets. Those two things will give us 10X at least benefit.
>> JEN EASTERLY: Kevin?
>> KEVIN MANDIA: Get attribution, right, because you can't proportionally respond unless you know who did it. I just kept the list at ten. I mean, there’s never -- if world peace occurs, we're all good. If crime goes away, we're going to be fine. But neither of those are really realistic. I don't have the two‑factor auth. Every CISO knows to do that. The reality is we have to know who is doing the intrusions. You can't impose risk. You can’t impose repercussion. You can't have proper doctrine or proportional response.
>> NILOO RAZI HOWE: How do we improve attribution?
>> KEVIN MANDIA: We'll find a way. Let’s all work on it.
>> JEN EASTERLY: Part of it, I think, incident reporting legislation will help with that. The more we understand what the threat landscape is.
>> KEVIN MANDIA: International cooperation. There's a lot of ways to do it.
>> JEN EASTERLY: Yeah.
>> NILOO RAZI HOWE: Bring us home, Jen.
>> JEN EASTERLY: I mentioned this earlier, but I think it's incredibly important. I think that we need to both as government officials, but really as citizens, demand that we have technology that is resilient and secure by design, by design. I think that's incredibly important. Multifactor authentication enabled by default, security features like logging, a basic thing that comes that we shouldn't have to be paying extra for. So, it's really about resilient tech by design. I think it's so incredibly important. And it's really about creating the most robust and important and collaborative partnership that we as Americans and we as the government have with our great technology partners.
>> NILOO RAZI HOWE: Resilience, defragmentation, and attribution, real-time attribution. Thank you so much. We actually ended exactly on time. Really appreciate you guys engaging in the conversation.
>> SUDHAKAR RAMAKRISHNA: Thank you, again.
>> JEN EASTERLY: Thank you.
>> KEVIN MANDIA: Thank you.