Rethinking the Cybersecurity Challenge from an IC Perspective

Posted on in Presentations

As cyber challenges and malign actors proliferate, the Intelligence Community is committed to protecting the nation by working with industry and international partners to rethink the issue in terms of how we collaborate and design networks… and the cyber security that protects those networks.

Video Transcript

   >> SPEAKER: Please welcome Director of National Intelligence, Avril Haines, and co-founder and managing partner, WestExec Advisors, Michele Flournoy.


   >> MICHELE FLOURNOY: Good to see you. We have saved the best for last. Thank you all for sticking with us. So, it is really my pleasure to introduce Avril Haines who is the Director of National Intelligence in the United States. She is the seventh DNI, but the first woman to hold the job. Yay.




   >> MICHELE FLOURNOY: The DNI’s job is to lead 17 different intelligence agencies in the United States and to lead intelligence integration and ensure that the intelligence community gives the best possible insights to our decision makers.


   I got to know Avril during the Obama administration when she was the assistant to President Obama and the Principal Deputy National Security Advisor. Prior to that, she was the Deputy Director of the Central Intelligence Agency. She was also the first woman to hold both of those positions, so we are seeing a pattern here. She spent over 20 years in government, has worked in every branch of government as well as academe. She holds a bachelor's degree in physics and a law degree from the Georgetown University Law Center. But a few fun facts.


   >> AVRIL HAINES: Uh‑oh.


   >> MICHELE FLOURNOY: While attending the University of Chicago, she made money on the side as a car mechanic repairing engines. She is also an amateur pilot and founded an award‑winning independent bookstore in Baltimore. So, a woman of many talents, and I can attest to a wonderful colleague. But let's get down to business.


   >> AVRIL HAINES: I’ll just say that it’s an incredible honor to be here with Michele. For anybody who knows her, she is one of the most extraordinary national security leaders that we have in this country.


   >> MICHELE FLOURNOY: Thank you.


   >> AVRIL HAINES: And I’m really grateful.


   >> MICHELE FLOURNOY: It’s great to share the stage. Thank you.




   >> MICHELE FLOURNOY: So, we are living in a very different world than when the U.S. intelligence community was designed. We have the advent of the internet, the digital revolution that’s affecting every aspect of our lives, from our social interactions, our economic activity, our national security. So much has changed. Everything is networked. So, how is this impacting the U.S. intelligence community?


   >> AVRIL HAINES: Yeah. It's a really interesting question. And I also just want to say how much fun it is to be here with all of you. I had a chance earlier today to interact with some of the RSA scholars who are some of the most extraordinary people I have had a chance to interact with in this space. But also, just having an opportunity to tap into this community is so important to us in the intelligence community.


   In terms of how it's changed our work, I would say that, you know, there is sort of the tactical to the strategic. There is, of course, an increased volume of threats. There is increasing interconnectedness, frankly, of systems that make it hard for us as we sort of create an attack surface that has more high‑value assets as a part of it. And all of that is obvious to all of you. What is, I think, sort of on the strategic end that is something that I know you have dealt with and that we have seen in government over time is that, in effect, this, you know, cyberspace and cybersecurity puts tension on a series of kind of key traditional distinctions that we make in our world in ways that are increasing. So, these are distinctions for which there are other tensions, but I would say that in the sort of digital space, you see it enhanced in some respects, and I will just talk through maybe three of them.


   One is the domestic international distinction. So, for us in the intelligence community, this is, obviously, an important one. We have different rules under which we are collecting information domestically versus foreign, abroad. And this is an area where if you’re really going to bring together the threat picture, you have to look across both the domestic and the foreign, essentially, threat space. And so much of the critical infrastructure that is, you know, of interest to us from a national security perspective is in the United States, and we have to make sure that we are actually managing to collect on adversaries as they are trying to attack assets in the United States, and often they’re doing so from places within the United States on our infrastructure. So, that is sort of one of the classic tensions that this creates for us in the IC.


   A second one that is sort of interesting to pull apart, and particularly because I have a background as a lawyer, this is something that we’ve spent a lot of time thinking about, there are different legal regimes that apply to us in our activities in the U.S. government if you are in a time of conflict versus a time of peace. And often the discussion, I think, you know, maybe 10 years ago on cyber issues focused on, for example, could we have a Geneva convention for cyberspace, right, and thinking about this in the context of conflict. And, of course, we have seen cyber used in conflict, but we’ve also more often seen what cyber incidents look like before you get to a conflict and before anybody is willing to call it a conflict. And this question of when you shift from one realm to the other, right, is important because it gives you additional response options from an international legal perspective, but it's also important in terms of how you are developing the rules of the road and what those actions basically instigate or implicate. So, in other words, is it a hostile action, is it not, before you even get to essentially use of force. So, that is another distinction that I think has affected our experience in these spaces.


   And then the third one I’d say is the public-private distinction, which, again, is obvious to this crowd in many respects. And I know it’s actually wonderful to have a community of people come together that is government, industry, academia, you know, the NGO community, so many different parts of our world. But one of the challenges here is that so much of our critical infrastructure, our cyber infrastructure is privately owned, and that obviously has an implication for us in terms of trying to protect it and think about it in the context of national security, and it means that we have to and, you know, throughout our history, we have not been so good at it from a government perspective, collaborate with the private sector in really intense ways to order to actually address the challenges that we are facing. So, that gives you some concept of some of the issues that I think are important to think about from our perspective on these.


   >> MICHELE FLOURNOY: Yeah. Some very different and new challenges and risks, as you noted, from the type of cyberthreats that we’re seeing from everybody from criminal actors to state-sponsored actors.


   >> AVRIL HAINES: Yeah.


   >> MICHELE FLOURNOY: At the same time, incredible opportunity. You just spent a little bit of time walking around the booths here, just the eye-watering new technologies, the emerging capabilities, the innovation that’s happening. So, the question – this may be an unfair question – but from your vantage point, is cybersecurity getting harder or easier?


   >> AVRIL HAINES: Yeah. I mean, I think cybersecurity is getting harder. But what I would say is I will pull it apart in a couple of different ways. I think one is we still, obviously – again, I don’t need to tell this crowd this – but have not figured out how to prevent intrusions of even sophisticated networks. Right? And that is a challenge, I think, that we’re going to live with. And the reality is, we are, from an intelligence community perspective, we’re not a shield, but we do provide warning, and that is really one of the greatest values that we can give, in effect, so that others can take action to the extent they can. But it has caused us to think about, how do you, frankly, build a risk of failure into your systemic design? How do you actually manage systems in a way that recognizes the fact that you’re not going to be able to create perfect defense, in effect. And that is one aspect of the work that we’re doing, and I think that’s critical to addressing cybersecurity within the U.S. government. I would be really interested in how it is that all of you think about this.


   I also look at it through a couple of other lenses. One is we talk, for example, in our annual threat assessment about, you know, state actor cyberthreats, which are ones that we’ve been talking about for a long time, and we all know what the major four are in this area. It’s China. It’s Russia. It’s Iran. It’s North Korea. These are the principal adversarial threats that we see in the cyberspace. And yet, at the same time, we see growing transnational criminal organizational kind of cyber challenges, cybercrime, ransomware, other things in that space. That’s continuing to expand. And we see increased commercial availability of really sophisticated offensive tools that make it harder for us to manage, and it makes it easier for other actors to basically obtain tools that then allow them to engage in pretty sophisticated attacks in a variety of ways. That much is a challenge.


   And then, finally, I would say another aspect of cybersecurity that’s getting harder from our perspective that I think is also critically important, including in the IC, is really the challenge associated with privacy and civil liberties in this space because I think as we’re increasing the amount of data that’s available, and the pandemic is a perfect example of where so much more dta about us in our daily lives, whether it’s for contact tracing or other things or health issues and so on are becoming available. Right? But data across the board that people are able to pull together in a variety of ways, particularly using a data broker or commercially available information and so on means that it’s much harder to maintain, essentially, privacy and civil liberties in this space as you’re trying to, in fact, protect people’s cybersecurity on these spaces. So, it’s another aspect of it, but I think it’s harder.


   >> MICHELE FLOURNOY: So, you mentioned that partnerships are becoming critical in making cybersecurity more effective, whether it’s domestic, public/private partnerships between the government and the industry or whether it’s international partners and allies. Could you talk a little bit about the role of partnerships, what you see working, what ‑‑ where we have had some lessons that we’ve had to learn? How do we strengthen those partnerships as a core element going forward?


   >> AVRIL HAINES: Yeah. I don't know if you feel this way about it, but I think, for me, just decades in government, I have always had the talking point of we need to improve our private/public partnerships. Right? It is extremely frustrating to still be sitting here -


   >> MICHELE FLOURNOY: Some day, we’re going to figure it out.


   >> AVRIL HAINES: Right. Exactly. To still be sitting here and saying this. And I do think that we have improved in some respects. Just there is enormous work still to be done, in my view. And so, for us in the intelligence community, what I’d say is a lot of our work, right, is focused on ensuring that we have the best collection that we can in order to be able to effectively provide a landscape of the threats. That is both the sort of urgent crisis of, you know, a particular attack that we’re focused on, or it’s the strategic outlook of what is the threat that we are looking at for the United States, et cetera.


   As we do that, then, of course, if we are in the context of a tactical particular threat, one of the key aspects of partnership will be providing that information to whoever it is that might be the victim. That could be private sector. It could be another country. It could be a variety of actors that we are looking at, and we want to be able to do that as quickly as possible, and we often do that through partners in the U.S. government, and yet being able to develop the mechanisms that allow you to do it real time is absolutely crucial, and that is something that CISA and DHS has been working very hard and trying to improve, and I think they are really making some strides under Jenny Easterly's directorship, and I’m sure she’ll talk about some of that when she comes. And that is one aspect of it.


   Another aspect that’s kind of, again, parochially for me in the IC, is also providing information to foreign partners about what is the basis of our attribution of a particular attack so that those partners can come out and say something about it, and so that we can also share information that they may have and that we may have together to look at to make sure that we’re, you know, analyzing the situation appropriately.


   Another aspect of our work is, frankly, for the more strategic work, really working with so many, frankly, of companies that are represented here, industry, academia, NGO, others, to think about the strategic threat that we’re facing because what we find is that we are not the only ones with analysts who are thinking about this, right? We could stand to learn a lot from others. We’ve started to do some work where we bring in essentially private sector companies, do some analytic work with them, learn from them, trying to do more of that on a more systemic basis so that we can actually begin to compare notes. And we have some interesting and useful information and also some terrific analysts on different issues, also on cyber, but also on functional issues, also on regional issues, that can help to contextualize things in a way that gives you a better strategic picture, I think. So, a lot of that.


   And then, finally, I would just say expertise. I think, you know, it will come as no surprise to anybody here that we are in a competition for talent, and we really need as much as we possibly can. And we recognize that people are going to move in and out of government and into the private sector and learn different things in different spaces, and that is as it should be in many respects. But it's critical to us to make sure that we’re keeping those channels of communication open, and that we’re also brainstorming together about what responses can be and other ideas for how we can actually effect the challenges we’re facing.  


   >> MICHELE FLOURNOY: Yeah. You mentioned the sharing of threat information with allies and partners, and I think one of the things that has been remarkable to watch in the Russia‑Ukraine conflict is the speed with which the intelligence community has declassified information, shared it with allies and partners to build a common threat picture and really deny President Putin the ability to assert a false narrative that was really not fact-based, which is pretty different than how it’s worked in the past. But I wonder if you, reflecting on this conflict, and particularly, I mean, we’re all seized with what we’re seeing in the news on the ground campaign and what’s happening with rocket and missile attacks, which is just tragic and horrible, but there’s also a war going on in the cyber domain here. I wonder if you can comment on any lessons being learned from the Russia-Ukraine conflict in the cyber domain and what that means for what we should do in the future.


   >> AVRIL HAINES: Yeah. I mean, I think, honestly, in many respects, my first and best answer is that we don't yet know just because the conflict obviously continues, and I think there is still further chapters to be revealed on how this develops, and even with respect to Russia's use of cyber. In many ways, I think people didn't see quite the level or scope of attacks in effect that they expected to see combined with the invasion. And yet, I think we are still watching to see how Russia continues in this space. And, of course, we have attributed to Russia a number of attacks that have occurred thus far with respect to Ukraine, targeting Ukraine in particular, and their command and control, their websites, their emergency response, a variety of things that we’ve indicated thus far.


   So, in terms of lessons learned, I think there are a few things. One is maybe starting where you did on the point, just the degree of sharing that we’ve done during this whole process has been pretty extraordinary. From my perspective, a part of that was because as we entered into this really the fall of last year as we were starting to see the intelligence that indicated that Russia was going to, you know, or was at least very seriously considering an invasion along these lines, we sort of encountered a fair amount of skepticism among folks. And when we explained to our policymakers and our policymakers went to their interlocutors, they found that there was a fair amount of skepticism about it. As a consequence, the President came back to us and said, you know, you need to go out and share as much as you possibly can and ensure that, you know, folks see what it is that you’re seeing and that – so that we can engage again and perhaps have more productive conversations about how to plan for essentially the potential of a Russian invasion.


   In that process, we did a lot of sharing in this space with, you know, partners and allies, and we learned a lot from them in that process, and we also developed mechanisms for sharing that I think will help us in the future, and among the key issues was cyber, right, like how would the Russians use cyber, how do we expect them to engage in that in the context of a conflict, what were some of the things that we expected to see. And as the conflict has continued and we’ve seen attacks like the VSAT attack, for example, that spread into Europe and other things like that, we’ve benefitted from the opportunities to, you know, share that information as quickly as possible and get it out and then also learn about the impact from these spaces. But I would say that we are still looking to see how it is that the Russia cyber story develops over time.


   >> MICHELE FLOURNOY: Great. Thank you. You mentioned the competition for talent. And sitting with an audience like this, I have to circle back to that because you have got a whole room packed full of talent that the U.S. government would love to recruit to help with cybersecurity.


   >> AVRIL HAINES: Yes.


   >> MICHELE FLOURNOY: So, what is your one message you would say in terms of getting people to think about service at least as part of their career, maybe not a career professional, but some aspect of service as part of a career in cybersecurity?

   >> AVRIL HAINES: Yeah, I – so, I will make my pitch, but, Michele, I suspect you, too, have this sense of the privilege of having had an opportunity to serve. And I will tell you, I think, growing up, there were sort of three things that I hoped in my life I would have the opportunity for. One was adventure. Honestly, I love adventures. I always felt like, you know, if you have great stories at the end of the day, you have sort of made it.




   >> AVRIL HAINES: And there really is nothing like the work that we do in the intelligence community to satisfy that in many respects. And if you enjoy that, I recommend this work highly.

   Another is the relationships that you make, the people that you get to work with. I think that, you know, so much of my personal joy in work is based on who I get to work with. You know, if you don't like the people you work with, when you wake up in the morning and just don't really want to go. And the reality is I can't think of a greater group of people than you find working on these kinds of issues because they are there because they want to be there, and they are there because they all serve a broader purpose, and that creates a team mentality that I think is just hard to replicate anyplace else. And when you talk to people who have been in government, I think they will tell you that is the first thing that they miss is the people, that extraordinary talent. That sense of purpose that all of you come together to do is just unmatched, I think, in so many different ways.


   And the third thing is really just that feeling of just wanting to leave your community in a better place than it was in a sense, doing something that you feel is productive, and I ‑‑ I do feel as if you have an opportunity to do that. But there is another part of this that particularly this group, I feel like, serves in that space, which is each of you, particularly the scholars that I met today, have a diversity of thought, of experience, of perspectives that is absolutely critical in the U.S. government right now, and I just think that we will not succeed in the future unless we have many of you to shake things up for us and to make us think about things differently and to, you know, force us to reexamine a variety of things that we continue to push along on. It is ‑‑ it's an exciting time, but it’s also daunting. There is a lot to work on. And I think that hopefully that excites you in terms of the intellectual challenge that it presents, but also, you know, the importance of the work that you can do in these spaces. How do you -


   >> MICHELE FLOURNOY: It is the mission that matters and being - working with a group of people who are just as mission‑focused as you are and dedicated. You know, no one is there for the big bucks, right? It's really about ‑


   >> AVRIL HAINES: That's true.


   >> MICHELE FLOURNOY: Serving and getting something done for the nation and protecting the nation. Unfortunately, we are out of time, but please join me in thanking the wonderful Avril Haines.


   >> AVRIL HAINES: Thank you so much.


   >> MICHELE FLOURNOY: Thank you very much. 

Michèle Flournoy


Co-Founder and Managing Partner, WestExec Advisors

Avril Haines


Director of National Intelligence, Office of the Director of National Intelligence (ODNI)

Share With Your Community