Virtual Symposium

The Cybersecurity Threat From Russia

Wednesday, April 7, 2021
Speaker

Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, White House National Security Council

Presider

Morris Arnold and Nona Jean Cox Senior Fellow, Hoover Institution, and Senior Fellow, Freeman Spogli Institute for International Studies, Stanford University; CFR Member

Introductory Remarks

Ira A. Lipman Chair in Emerging Technologies and National Security and Director of the Digital and Cyberspace Policy Program, Council on Foreign Relations; @adschina

While much of the public’s attention over the last year has been on Russian information operations and threats to election integrity, actors tied to Russian intelligence were conducting an espionage campaign with significant impact on U.S. national security. This symposium discusses how the United States, along with its allies, may more effectively respond to Russian cyber operations.

The virtual symposium consists of a keynote session followed by a salon discussion on cybersecurity. During the salon discussion, a facilitator will help steer a conversation on how U.S. cyber strategy should change to respond to the threat of cyberattacks from Russia.

SEGAL: Thank you and good afternoon to everyone. I want to welcome you to today's annual Cyber Symposium, which is the big event of the Digital and Cyberspace Policy program. If you're not familiar with the program, we cover a wide range of issues, including information operations, content moderation, U.S.-China tech competition and, of course, cybersecurity and cyber conflict. The program has three main products, which I hope you will check out and subscribe to. The first is our blog Net Politics, which relies on the input of lots of CFR fellows and outside contributors and covers a wide range of issues in the digital and cyber realm. The second is the Cyber Brief Series, which provides background and policy recommendations for pressing digital issues. The most recent one was by Ken Propp of the Atlantic Council and Georgetown Law and dealt with transatlantic data transfers after Schrems II. And the third and final product is the cyber operations tracker, which is a database of all known state-backed cyber operations dating back to 2015, excuse me 2005. The tracker is searchable by the actor, by the victim country, by the suspected attacker company and the type of attack. We are continually adding to that database. We now have thirty-four separate countries. And the big four—China, Russia, Iran and North Korea—make about 77 percent of all the entries in that database. Before I turn it over to Dr. Zegart and DSA Neuberger, I want to thank the Meeting's program for all of their help in arranging, and in particular, Sara Shah, who's been really quite remarkable in making sure that everything goes smoothly. I checked my calendar, and I had the pleasure of hosting DSA Neuberger at a small roundtable at the Council in New York in December of 2017. At that time Anne was at the NSA. She was in charge of liaisoning with the private sector. That was an extremely insightful and useful discussion, and I'm sure today, given Anne's responsibilities, is going to be even more important. So thanks very much. Over to Amy and Anne.

ZEGART: Thanks, Adam. I want to welcome all of our members for today's CFR Virtual Cybersecurity Symposium in our keynote session with Deputy National Security Adviser Anne Neuberger. I'm Amy Zegart. I'm the Morris Arnold and Nona Jean Cox senior fellow at the Hoover Institution and a senior fellow at the Freeman Spogli Institute at Stanford. I have the great pleasure and honor of presiding over today's discussion with Anne. We have, as you can see at the bottom of your screen, several hundred members who have registered, and we're going to do our very best to get to as many of your questions as we can in the question-and-answer part of the discussion. We are so fortunate today to have Anne Neuberger here with us. She is the deputy assistant to the president and the deputy national security adviser for cyber security and emerging technology on the NSC. Now, if any of you know Anne, you know no short introduction can do her justice. So I'm going to try, but I know I will not succeed. She has had a long and distinguished career in both the public and the private sectors, often being the first to serve in a new role. Nothing says forefront more than being the first in any position. Among those roles she served as the National Security Agency's first director of cyber security, NSA's first chief risk officer, and before her career in government, she previously served as the senior vice president of operations at American Stock Transfer and Trust Company. Anne Neuberger, it's so wonderful to have you here. Welcome to CFR.

NEUBERGER: Fantastic. It's great to be here, Amy. Thank you so much for that introduction. Adam, thank you as well.

ZEGART: So let's start Anne with day one. So you started in this position, the first ever in American history. You took office with enormous strategic challenges in cybersecurity and emerging tech and a crisis, the SolarWinds breach, which public reports say has affected at least nine U.S. government agencies and thousands of companies. Talk to us about your first day in the job, what it was like, and more broadly about your leadership approach to being in the hot seat at one of the most challenging positions in the U.S. government today.

NEUBERGER: So, thank you for that, Amy. So in many ways, it's a gift to come into an area that needs strategic change with a crisis to create a sense of urgency. So I'll flip the question, if I may, and talk a bit about how we, as you've noted, we came in into the middle of a major incident and then also confronted one on our watch with Microsoft Exchange. And I'll talk about how we work to handle the second one as the key way of how we're working to push the change needed in the cyber arena. So, Microsoft notified us of the patch. That weekend, lovely weekend in DC, we pulled together a group across both private sector, key entities who had unique insights into U.S. victims' space and the technology, as well as key leaders across the U.S. government. We pulled them together to brainstorm. We knew this one would be significant. Microsoft Exchange has hundreds of thousands of servers used across U.S. government and the private sector. And we knew that this type of vulnerability was very significant as well. So given those two factors, we said, "What is the right way to handle this?" And that strategic level of brainstorming grew across the public and private sector was then augmented by a tactical-level group across DHS, CISA, the intelligence community, and the set of companies.

And from there, we quickly laid out a plan and the way CISA would be looking in and identifying the number of victims and combining that with what the private sector was seeing as well. We wanted to alert individuals that patching was critical. The national security adviser, I think, issued the first ever tweet saying, "Please get out there and patch. It's really significant." And then we used the Unified Coordination Group, which is where the government manages major incidents. For the first time, we invited those private-sector participants to be full participants to guide us together in handling that. We quickly saw, we heard feedback from both companies and government, that due to the number of patches over the years in Microsoft Exchange, people were having a hard time figuring out how to patch and people were also not quite understanding that they've been compromised before. A patch wasn't enough. So we went to Microsoft and said, "We need a simpler, easy way for entities to do this." And they quickly responded and built a one-click tool. That drove the number of victims from over a hundred thousand U.S. systems to less than ten thousand by the end of that week. That simplified way, combined with the messaging, was very effective. During that same next weekend as well, we said what else was possible as we brainstormed as a group and tried to see was there a legal and technical model to actually compel a company to patch systems out there so you didn't have to rely on each network administrator. In this case, we learned it couldn't be done. But that kind of brainstorming idea and partnership at the strategic and tactical level across the private sector, the way CISA and the private sector tracked victims and drove the number down was really the model we're going to be using as we approach the larger strategic challenges in cyber as well as the incidents we may expect.

And I want to come back to the really insightful question you asked me about the first day. So we're at the end of that first day, and I was walking out of the building that night and it was dark. And as I walked out of the EEOB, straight ahead of me was the White House with an American flag kind of lit up against the darkness. And to my right was the Washington Monument also lit up against the darkness. And, you know, I had a profound moment of gratitude, very much personally, coming from—my father's a refugee, my grandparents have profound gratitude for the opportunities this country gave them. And just walking out that day, I said to myself, "I feel tremendously grateful to have the opportunity to try to address these challenges and repay a part of the debt my family feels to this country."

ZEGART: Thank you so much for that. I want to drill down on two things that you said. You talked about SolarWinds and Microsoft Exchange. So first for our members, they're very different these breaches. So talk about the differences between them and what that means in terms of how you're thinking about policy. And then second, I want to probe a little bit more on the lessons learned from running incident response from Microsoft Exchange and how that's guiding the administration's approach moving forward. So first differences between the two breaches.

NEUBERGER: Absolutely. So first difference. In many ways Microsoft Exchange is bread and butter of cyber hacking—these are software, hardware. Unfortunately, there are many vulnerabilities. They are complex code. The hackers found vulnerabilities in Microsoft Exchange and exploited them. What was of concern was the number of systems that were exploited and just how much access Microsoft Exchange gives to interesting information. Think about what we all have in our email? SolarWinds in contrast was a far more sophisticated attack focused on a company that controls networks—so at a unique position—and compromising the company's update systems, the way it updates the hundreds of thousands of customers it has. It's much, much harder to detect. It was done in a very sophisticated way. And it enabled the actor to have broad, in addition to the scope and scale, access to each of those networks. That the reason it is of such concern is that access could be used for intelligence collection. That access could be used to degrade a network or to disrupt a network. The speed with which an attacker can move between intelligence collection, degrading, or disrupting is at a moment. And for a defender, it's very hard to tell what the hacker intends to accomplish. So as we look at your question from a policy perspective, in the first case, even if it's routine espionage operations, it's still counter to our interest in both cases, actually. So we want to think about is how do we change our attackers' calculus to make them think about those hacks that they may be doing. When we look at SolarWinds, we look at the scope and scale. We look at the level of risk in an attacker potentially shifting from intelligence collection to disruption to degradation, and we consider that in our policy options.

ZEGART: And then there's been a lot of public reporting about potential executive orders. Among them are some discussions about requiring software vendors to notify the federal government customers if there's a breach. Can you talk to the extent that you can more broadly about how this particular incident response is shaping broader policy moving forward?

NEUBERGER: Absolutely. So there's a "them" and "us" aspect in cyber. There's "them"—the question you just asked me about the two different hacks, what they represented in terms of sophistication, in terms of impact, in terms of national security concern. And then there's the "us" aspect. And one of the things that make cyber such a confounding problem is software and hardware is rife with vulnerabilities. If you or I are looking to buy network management software or email software, we have no way to assess the different security of the different products. Based upon that, understand, A, the risk we're bringing into our networks, into our services that we're offering. And second, to make a decision based on that. So we can put money on the problem. There's essentially a core market value in that because we don't have visibility into the level of risk, as a result there isn't accountability for that level of risk. So as we looked at the "us" aspect of cyber, we said, "How can we use an executive order? How can we use the power of federal procurement"—because the software and hardware that we buy is the same software and hardware everybody uses—"to fundamentally change those equations?" And that is some of the work that we've done that will be coming out in an executive order in the coming weeks. Fundamentally, A, working to add visibility and, B, setting particular standards for a particular type of software that is the highest risk and clearly requiring certain cybersecurity practices and the visibility to then see if those practices were used in creating that software.

ZEGART: So let's talk a little bit more about visibility. You've talked about the differences between these two breaches, but one of the key similarities is that hackers in both of these major incidents attacked us from American-based servers. General Nakasone, Cyber Command, Director of NSA, who I know you work with closely, has called publicly that this is a blind spot in our cybersecurity. The National Security Agency, of course, has authorization to monitor foreign internet traffic, but DHS and FBI have limited authorities to monitor internet traffic within the United States. And you have said, Anne, publicly, and I think this is a great way of putting it, "as a country we choose to have both privacy and security. But that choice of limiting those authorities, those domestic authorities, has created this blind spot that has now been exploited by both the Russians and the Chinese." So how are you thinking about the use of U.S. servers by foreign adversaries from which to attack us, and what should be done about that blind spot?

NEUBERGER: That's a really good question. And to your point, it is indeed a challenge and a challenge that as a democratic country, we're privileged to have and that we think thoughtfully about how do we ensure both the privacy and security. And the approach we're using is really three parts. The first part is to say there are existing authorities. We do need to understand virtual infrastructure better in the United States and to ensure because that is the virtual infrastructure that is used. Second, as we talked about in the Exchange case, there are private-sector companies who have unique visibility into U.S. victim space, into hacking activities. We need to build outcome-focused information sharing between the public sector and the private sector focused on ensuring that those companies, the small number that have that broad visibility into U.S. users, can highlight when there are incidents that are of concern so that as a U.S. government we have a better understanding of risks occurring in the United States. And finally, there's a role for the private sector in understanding where infrastructure is used by malicious cyber actors. The prior administration issued an executive order, the Infrastructure as a Service executive order, informally known as "know your customer," which set requirements for cloud providers, virtual infrastructure providers, to better understand who their customers are and to use technology many ways to do so. The Department of Commerce has done a request for comments on that and it's getting input. But those three parts are currently the way we're approaching that: using the existing authorities to the max that we have, thinking thoughtfully about refined public-private information sharing models that allow us to have both privacy and security, and thinking about how we augment and make clear the requirements of the private sector—much as we do in the banking area, know your customer rules—in virtual infrastructure space to take that responsibility on of finding and evicting malicious cyber activity leveraging that virtual infrastructure in the United States.

ZEGART: So we're supposed to be talking about cybersecurity threats coming from Russia. I wouldn't be doing my job if I didn't ask you about election interference, so a major cybersecurity threat emanating principally from Russia. I'd like for you to comment, as you know well, since you started on this job, the intelligence community issued an unclassified or a declassified threat assessment about election interference. And for our members, unsurprising for them to know, the assessment concluded that Russia's election interference didn't end in 2016, didn't end in 2020, and is unlikely to end now. And just for our members' benefit, I want to share them one of the money quotes from that assessment and get your reaction to it. The assessment said: "We assess that Moscow will continue election influence efforts to further its long-standing goal of weakening Washington because the Kremlin has long deemed that a weakened United States would be less likely to pursue assertive foreign and security policies abroad and more open to geopolitical bargains with Russia." So continuing the ongoing threat of foreign election interference, how are you thinking about, in general, the ongoing threat of foreign election interference, and specifically, foreign election interference emanating from Russia and the best ways to address it?

NEUBERGER: President Biden has made clear that the U.S. will respond to any destabilizing Russian activities, including any attempts to interfere in our election. And whether in 2018 or 2020, as a U.S. government we've reinforced that in the run up to the election with regard to real focused efforts to improve the security of election systems, communicating extensively that the integrity of our elections is the crown jewel of our democracy, and imposing costs both during when there were attempts to influence as well as following those elections, including via sanctions. So those are really the ways that we seek to convey that interfering in our election is unacceptable to us. I also want to note that we're not in this alone. We have democratic allies and partners who share the same concerns. We continuously discuss how we ensure that setting that line and enforcing that line with any malicious actors in terms of interfering or influencing in an election is unacceptable to us as democratic countries. And in fact, it's one of the most interesting areas when we share the practices and the policies that are in place. Everybody's picking up their pen because everybody views this issue with such urgency and is eager to learn from each other and support each other's efforts in this [inaudible].

ZEGART: So one of the things that I'm sure you often hear from folks that are interested in cyber is we seem to have cyber threats everywhere. Just in the past ten minutes we've talked about a number of different challenges that you're dealing with. We haven't even talked about theft of intellectual property, ransomware, disruptive, deceptive attacks, influencing what we think and how we are polarized as a society. So can you step back for a minute and share with us how you conceptualize the cyber threat? And then you've talked a lot about innovations in the Biden administration about bringing the public and private sector together, but I'd be curious to get your take on what role do you think the government should play uniquely? And what role do we, as individual citizens and individual organizations, need to assume responsibility for ourselves in our cybersecurity?

NEUBERGER: It's really thoughtful the way you frame that with regard to Chinese intellectual property theft, or earlier, Russian hacks against our election, because fundamentally our cyber strategy, the government part of it, to your point, and the government role, has to be a component of our country's specific strategies much as the cyber activity is a component of theirs. China's intellectual property theft is a part of that country's aim to quickly gain technological primacy and grow their economy. Russia's attempts to interfere in elections is their part of destabilizing democratic systems to highlight that their model is a more effective model. And to that approach, we need our strategy to change these countries' calculations about the benefits of cyberattacks against the U.S. I think the president has made that clear in his public remarks where he said, for example, that we will counter Russia's aggressive activities and we will counter China's IP theft and economic coercion. So we need to ensure that we have the appropriate options to underpin our resolve. So our immediate goal, to your point on the government piece, is to say, how do we ensure we embed our cyber strategy within those countries' larger strategy?

And then to your point you talked about what is the role for the government versus the private sector? And I think very much it mirrors the earlier conversation around "them," how we counter our adversaries, how we counter their use of cyber below the level of armed conflict because they view it as an asymmetric way to harm our interests. And then the "us" factor. How do we ensure, as a country, that we modernize our cyber defenses and that we fundamentally raise the threshold and manage and reduce the risk that we have as a country? We have a set of initiatives. So within the broader Biden administration cyber strategy, we've built three legs of that strategy to reflect those components. One, modernize our cyber defenses. We talked about several aspects of that, including federal government becoming a leader in specific initiatives. We're rolling out there. The executive order, which will, we believe, take on issues, and in the terms we used, was aggressive but achievable. Let's fundamentally make progress on issues that we've kicked the can down the road on for a long time, including software and hardware security, including using federal government procurement to achieve outcomes, including actually reviewing incidents to take lessons from that. And then finally, let's rebuild our role on the international stage working with allies and partners, and be postured to compete with our adversaries who use cyber for their aggressiveness.

ZEGART: We have a little bit of time before we turn it over to Q&A for our members, but I want to tackle the second part of your title, which we don't pay a lot of attention to. So you're in charge of emerging technology, not just cybersecurity, and you just mentioned that we need to view China's IP theft as part of a broader strategy that the Chinese are pursuing to enhance their own technological competitive position. So can you share with us as you think about the emerging technology piece of your portfolio, where is the United States ahead in the broad scope of emerging technologies, from AI to nano to synthetic bio? Where are we behind? And where must we lead not only for our economic competitiveness, but for our national security? So where are we ahead? Where are we behind? And where must we get it right to lead?

NEUBERGER: Competition with China will be a central part of a challenge of the twenty-first century. China is one of the only countries that can combine their economic, technological, and military capabilities to fundamentally reflect a sustained challenge to an open international order. And we will be competing on the set of rules of the road for technology of the future, particularly use of technology for the future. How is that used? Is it used as a tool of authoritarianism of surveillance? Or is it used as a tool of open information sharing? We have competing value sets with regard to civil liberty, rule of law, privacy, which technology underpins and enforces. So at the center of that strategic and economic competition are some of the technologies you talked about: artificial intelligence, because of the way it brings together data and can uniquely enable surveillance or uniquely enable technological breakthroughs like medical advancements; quantum, because of the huge risks quantum brings to cryptography, which underpins our privacy with regard to underpinning the common encryption that's used all across the internet; and certainly 5G, because of the degree to which 5G enables broad communications and the technical assessments of experts that there is no way to secure the open 5G model if it includes technologies that are tied to a government like China where rule of law and relationship in government and the private sector is so intertwined. So for the U.S. and our allies, ensuring leadership in this area is foundational not only to our economic growth, but to protecting the values that which we live by over the next century.

ZEGART: So we started talking about threat. I want to close before we get, I'm sure, very hard-hitting questions from our members about success. So imagine that we are getting together four years from now—hopefully not on Zoom, but in person—at the Council on Foreign Relations, and we're assessing the past four years of the Biden administration and how the administration has done in cybersecurity and emerging technologies. How would you then measure the success in those areas if we were to meet four years from now?

NEUBERGER: On the cybersecurity side, we must have trust in the core systems of our society. And to have that trust, Amy, we need to have visibility as we talked about, and that visibility has to match the consequences if they fail. So today, and one of the efforts I didn't talk about, is an effort we will be launching related to securing control systems. And we picked control systems because those are the systems that control water systems, power systems, chemical systems across the U.S. And we're seeking to have visibility on those networks to detect anomalous cyber behavior and block anomalous cyber behavior. Today, we cannot trust the systems because we don't have the visibility into those systems. And we need the visibility of those systems because of the significant consequences if they fail or if they're degraded. So that's the threshold of success we seek from a cyber perspective. There are many efforts that we'll need to do to get there. And the model we will use is sequentially pragmatic, identifying specific areas and then executing in partnership with the private sector from a policy perspective, from a whole-of-government perspective, from a whole of society perspective, and then clearly with our allies and partners because we face many of the same issues. On the emerging tech perspective, it is a free and open internet. And like we talked about, do we have the leadership and ongoing innovation in the key technology areas to maintain our economic growth, our geostrategic leadership, and most importantly, our values because technology will be the way that we can assure those values—rule of law, privacy, civil liberties—are protected and enabled in the coming environment. So those are our two thresholds of success. They're not easy, and only the unity of effort across the government, government in the private sector, and with our allies to assure that success.

ZEGART: Well, at this time I think it's the moment to invite all of our members to join our conversation with their questions. I want to remind everyone that the meeting is on the record and the operator will remind you how to join the question queue. I need to make one other point, a programmatic point, which is there will be a salon discussion following this meeting and we hope that many of the members will be there. So let me turn to our operator and ask for the first question.

STAFF: [Gives queuing instructions] We will take the first question from Charles Bolden. Mr. Bolden, please accept the "unmute now" prompt.

NEUBERGER: It happens to every one of us, Charles, at least three times a day.

Q: It was a mistake. I did not have a question.

STAFF: All right. We will take the next question from Joe Nye.

Q: Anne, I'm so glad you're in the position you're in. I feel safer already. But let me push you a little bit on the international part of your strategy, which we didn't hear much about. The Russians have been proposing for more than two decades a treaty on cyber and we've responded correctly that a treaty, an arms control-type treaty, is meaningless because you can't tell what a weapon is and therefore can't verify it. On the other hand, there is one analogy from the Cold War that might be useful, and that's the Incidents at Sea Agreement. In 1972, at the height of ideological intensity, we and the Russians, or the Soviets then, reached an agreement about the dangers that arose from a close surveillance and buzzing of each other’s ships and planes, which had a communication system related to it. It worked. I wrote a piece about a year and a half ago suggesting we might want to have high-level talks with Russians about creating an incidents at sea arrangement, not because it's going to make them into nice guys or get them to stop—they're not—but it might make clear that certain limits to behavior are outside the pale and that we will respond when they cross those limits. And we and they could both communicate with each other what they are. Is that a feasible option as part of your international strategy?

NEUBERGER: I thank you so much for the question. One of the most fascinating aspects of cyber is looking to history and prior domains to see what applies and what we can learn from and what is unique and different about cyber. And you highlighted both of those in your question. One of the commonalities is clearly defining what isn't acceptable so our competitors, our adversaries understand that. And that's certainly something that we need to do. The other aspects of prior models are something we need to think about. One—attribution. It is very difficult in cyber, as you know, we've seen a number of times where various countries use each other's infrastructure to try to hide who did the activity and used different techniques. Attribution is more difficult as is enforcement. But those are key areas that we need to make progress on because overall the goal is indeed a correct one, which is to say we need to change the game. We need to change our adversaries' calculus about how they use cyber to achieve their objectives and making clear what we consider unacceptable and then being postured to enforce it.

ZEGART: So I'll ask the operator to ask the next question.

STAFF: We will take the next question from David Sanger.

Q: You know, we don't have any control over when they call us. But, you know, I always—my usual role in life is to let Joe go first as I've usually found except when we're fishing, when I find he clears all the fish out. So thanks for the presentation. It was really fascinating. I was wondering if you could dig in a little deeper for us on one of the lessons learned from both the Microsoft hack and also from SolarWinds, which is, in both cases, the U.S. government, at least it doesn't appear, had detected the activity. And maybe there are things we don't know about, may have seen hints of it. But in the SolarWinds case it looks like the first notice we got of this was FireEye and then the Microsoft case, Microsoft and the cybersecurity firm that it had gone to it. So one answer to that might be what you discussed, which is that these were launched from inside the United States where, of course, the NSA and others, for all sorts of good reasons, don't have visibility. You said you don't want to change the law on that. The other question is, would there have been any chance to see these using, sort of, defend-forward techniques, which were supposed to give us some visibility in the foreign networks as they were being put together? So I'm just wondering if you've looked at this, what have we learned along the way about what may be missing in our detection systems?

NEUBERGER: So first, you know, we have done an intensive study to ensure that we learned the lessons of what occurred across, certainly, intelligence collection, public-private sharing, and incident response. Those lessons will drive the policy work and the operational efforts across the U.S. government in the coming weeks and months. Cyber and identifying cyber threats is a uniquely challenging area from an intelligence collection perspective for a couple of areas. One, the actors are cyber savvy. They know how to hide their tracks. This is their native domain. So understanding their operations, finding their covert infrastructure from which they launch it is a uniquely challenging task because they are the most sophisticated actors on the web. Second, when we're looking at activity where they target U.S. systems, there are levels of law, policy in place that makes it very hard to draw a line directly from attacker to U.S. victim. To your point, the reason we—the first thing we want to do is as I talked about earlier, really maximize use of existing authorities, maximize public-private partnerships, and hold and ask the private sector to do their best to identify that activity in their infrastructure because that's a key part of our ability to uncover these activities. So clearly, we need to do, you know, we want to ensure that moving forward when sophisticated adversaries launch these kinds of broad hacks, we will be able as a country to detect them quickly, and most importantly, block them quickly. And that's the success that we seek.

ZEGART: David, I think someone once called cyber a "perfect weapon." I think that's pretty much what Anne just summarized. Operator, next question, please.

STAFF: We will take the next question from Merit Janow.

Q: Thank you so much for this wonderful and informative conversation. Anne and Amy, it's really valuable. You know, I'd like to invite you, if I could, to say a little bit more about where you think our understanding of our adversaries is well aligned with our allies. In other words, you know, who among our allies are thinking about Russia and China the same way we are as you talk about changing the calculus that might allow us to work more effectively with them for that shared purpose? Thank you.

NEUBERGER: Thank you so much. And as a proud grad of SIPA almost twenty years ago, thank you as well for the fantastic and thoughtful environment that you've created there. So as we talked about, cyber is a tool of our adversaries' ability and desire to achieve their national objectives. So when we look at our allies and partners, in many cases they are victims of the same adversaries for the same reasons, right? I talked about interfering in democratic elections. You know, many of our democratic allies and partners are also targets of Russian attempts to undermine our democratic ideals, undermine and shake the unity of society by aggressive, malicious influence operations on, for example, social media. Similarly, Chinese targeting intellectual property, they target good technology in their key technology growth areas across the world. So it's upon us to build those partnerships. And the partnerships cross a number of areas. They cross, of course, effective sharing of cybersecurity practices, threat intel sharing. For example, you may have seen that in the recent Quad discussions that the President had, we're augmenting and strengthening the cyber effort within that Quad—with India, with Japan, with Australia. All of those countries are key allies in countering adversarial cyber activity and securing and building resilience in each country's infrastructure as well. So there's room to both individually and with groups of allies, as well as at the UN, in establishing norms of acceptable behavior. As you may have seen in some of the recent UN cyber norms and going back to the 2015 GGE [Group of Governmental Expert] norms as well, there is much room to build those common alliances against malicious cyber activity.

ZEGART: Operator, why don't we move to the next question?

STAFF: We will take the next question from Glenn Gerstell.

Q: Hi and thank you so much for doing this. Your clear communications on this topic and public outreach are just terrific, so thank you. I'd like to build upon your answer a minute or two ago about how the Biden administration might be graded in four years and ask you to think about for just a second what this conversation might look like a decade from now? Essentially are we going to have a world which is going to look like this but more so? In other words, with the internet of things, 5G, 6G, etcetera, will continue to have ever better defenses but also ever more ingenious hacks and we'll continue to live in a world of fundamental cyber insecurity. Or do you somehow see either a new technology or a greater political will either domestically or internationally that's going to change it so this will not be an enduring problem? What's your crystal ball? I know it's a sort of a fluffy question, but what's your crystal ball?

NEUBERGER: We must, we must change the equation. And as I look at the 309 participants on this session, I challenge us communally to work together to fundamentally change that equation. We owe it to your point that society ten years from now, within the next ten years, we can fundamentally, for new technology, ensure that that's built securely and with resilience. We don't buy a car and then get the airbags added, right? We buy it expecting security. It's our expectation, and that's how we then have that trust. Similarly, one of the ideas we've been looking at is when you look at the National Transportation Safety Board that reviews accidents, we make that commitment to say we will learn from each thing that occurs. So fundamentally, as a group, we must change the equation across those three components. One, modernizing our defenses and changing the expectation that we will have secure technology. The internet of things is a great example, Glenn, where when we look at a country like Singapore, Singapore's put in place a ratings model so that a mom who's shopping for a baby monitor and is concerned about surveillance can actually say, "Oh, that's more secure. I'd like to buy the more secure model because I care. I don't want a hacker to hack in and listen to my baby at night." We need to look and find those creative models around the world that bring visibility and accountability for cybersecurity and bring them to us.

Second, we need to build that alliance with allies and partners because we share the same concerns. We share the same need to ensure that our technology and the values it enables, the civil liberties that it enables from open and secure communication is protected. And finally, we need to change our adversaries' calculus on their use of cyber, as Dr. Nye asked earlier, to clearly communicate what's unacceptable and be in a position to compete and enforce those principles that we outlined. So I fundamentally believe we have no choice and we must. And I will say that in the upcoming executive order, we view it as a down payment on that first modernizing cyber defenses because we said, as a federal government, we will eat what we say. We will roll out things like encryption, like multi-factor authentication in a near term on a tight timeline because those fundamentally change the threshold and make it far more difficult for adversaries to, A, hack a system and, B, if they hack it, use the information they acquire. And just to close, I will say, Amy, I look forward to coming back and being in listening mode with the participants here because there's so much I'd love to hear. I'd love to flip each of these questions and just listen and hear your thoughts and ideas. I invite you, please, on these questions, your thoughts and insights, please pass them to Amy. I would love to receive them, reflect on them, and then we'll potentially follow up in the future and change the model to a listening model.

ZEGART: I think we've all just gotten some very important homework from the deputy national security advisor, which we welcome. If I could, let me just build on Glenn's excellent question in your answer. You talked about point three, which is changing the adversaries' calculus. But you haven't mentioned one word once, yet, and that word is deterrence, which is the conceptual underpinning of change the adversaries' calculus so they don't undertake these attacks in the first place. Big debate as you know very well, and Joe Nye has written a lot about this, about whether deterrence can work in cyberspace and if so under what conditions? Share your thinking, if you would, about what are the conditions for success, for deterrence to be more effective in the future?

NEUBERGER: Really insightful question. So I think we need to ask ourselves where the strategic precedents for deterrence apply in cyber and what we can learn from that. So specifically, you know, individuals often bring up the area of nuclear weapons and nuclear deterrence. And I think in those areas the awesome impact that prior demonstrated use and attribution reinforced deterrence. We don't have good fits for that in cyber. We talked a moment earlier about that it's challenging to attribute and we talked earlier about the broad, widespread use of cyberattacks and even in some cases, we've seen disruption or degradation in cyber activities. So, to deter, really, I think it's important that we convey which behaviors we find unacceptable and be prepared to enforce that and also think about how we continuously work to degrade adversaries' most significant and worrisome cyber capabilities. And as David asked earlier, efforts like defend forward, identifying adversary malware capabilities, and then ensuring they are exposed to the cybersecurity industry can secure against them are ways that we can effectively degrade those capabilities and just make it far harder for adversaries to continue to execute their operations, particularly those that are very much counter to our interest.

ZEGART: Well, thank you for that. Let's turn to the operator to help us with the next question.

STAFF: We will take the next question from Evelyn Farkas.

Q: Hi, Anne and Amy. Thank you so much for this conversation. I'm about to ask a question that you might not want to answer. But, you know, when you talked about the posture to compete and then also about what the Russians are doing, as you know, just inherent in what you've said already about what the Russians are doing, it's very dangerous because it relates to their war plans, right? We don't want to fight a war the way the Russians would be willing to fight a war, yet we have to deter them. And in order to deter them, we kind of have to show them how dangerous it is and/or we need to show them that we can do it back to them. So how do we address this dangerous conundrum that we're in, understanding that you probably might not be able to answer this in a really fulsome fashion?

NEUBERGER: So, I think, as we look at cyber and as we look at the asymmetric capabilities that it enables, we think thoughtfully about what are activities that we find unacceptable. There are various methods, most importantly, private messaging, that we can use to convey which of those activities we believe are of significant concerns, are of significant concerns to our interests, and that we won't find acceptable. So much of that probably is done outside the public eye in the most effective way, which is privately, and needs, of course, to be a part of an effective deterrence strategy.

ZEGART: Operator, can we have the next question, please?

STAFF: We will take the next question from Guillermo Christensen.

Q: Thank you, Amy. And Anne, thank you very much for taking time with us. Guillermo Christensen, I'm a partner at law firm Ice Miller where I head our cybersecurity team here in DC and a former CIA officer. So kind of on the front lines of some of these incidents. One question I have for you, this has been one that my clients have asked many times, that is what was so different about SolarWinds other than the scale? Clearly scale, massive scale, but incidents like that, supply chain compromises, have been common. Some have been even more fundamental. If we take scale out of it, what's different about this one than any of the others? Thank you.

NEUBERGER: That's a good question, Guillermo. Two things—one is the level of sophistication. Two is the access it provided. So level of sophistication. To give you a sense of it, the attacker compromised the update system of SolarWinds, but they didn't just go in, for example, to a source code repository and add code, add malicious code, because that could have been identified. Instead they compromised the step where code that you can read is made into executable that a human eye cannot read. They added their malicious code within that step. So it's virtually unfindable in that way. So that level of sophistication is significant. The second piece is they targeted the trust of networks where identity is done, which is incredibly persistent because it's incredibly hard to clean up. So in a network, if they modified Anne Neuberger's rights to make me an administrator, it has to be painstakingly reviewed. Think of networks with tens of thousands or thousands of users to see what was valid and what was not. Is Anne Neuberger still an employee? So that sophistication makes that persistent. The final thing I would say is the access it enabled and how that access could enable, as we talked about a moment ago, disruption or degradation as well as intelligence collection and, as such, is a significant concern.

ZEGART: Let's turn to the next question. Operator, if you could turn to our next question.

STAFF: We will take the next question from Alan Raul.

Q: Thank you. I'm a privacy and cybersecurity partner at Sidley Austin and appreciate being on with Guillermo, a colleague from another firm and former professor, Joe Nye, at Harvard Kennedy School. My question is about accountability and what is success, which you both mentioned. But one suggestion first in the realm of homework, perhaps. You might consider seeking to expand the mission of the Privacy and Civil Liberties Oversight Board—PCLOB—to cover the trade-offs between privacy and cybersecurity. That's maybe an additional mission given the importance of cyber, which has been for many years running the number one national security threat identified by ODNI. In fact, a higher risk than terrorism. So just to mention that. But with regard to accountability and how to measure success in four years, and I appreciate Amy putting it that way, how does the administration, how does the president, obviously by appointing someone like yourself and at the highest level at the NSC, but how does accountability for keeping the nation cybersecurity as strong be achieved with, you know, through the political accountability system? How does it become a factor in elections, in congressional oversight? And how, in four years, can we reduce the level of cyber insecurity by the actions at the highest levels of the administration and especially where, you mentioned, Anne, the changing the calculus of the malicious foreign state actors? You know, changing their calculus where the United States would certainly reserve on to ourselves the ability to do exactly what the Russians have done in SolarWinds and what the Chinese were reputed to have done in the OPM hack that a former director of national intelligence kind of grudgingly admired and sort of conceded we'd do the same thing if we could. So how do we achieve that, not just, you know, a success will come from accountability? How do we get accountability at the very highest political levels of our government?

NEUBERGER: Thank you for the insightful idea regarding the PCLOB. I appreciate that a great deal. And second, with regard to accountability, much of cybersecurity is in the investments we make and in the way we assess risk. For the reasons we talked about earlier, it is hard today sometimes to assess individual risk in a given system. So I think some of the factors we need to look at include setting requirements for, for example, new software must be built on a system disconnected from the internet. Encryption must be rolled out because it fundamentally builds security. Rolling out multi-factor authentication because identity is a good part of separating out anomalous malicious activity or the compromise of passwords, which has been broad. Cyber is an interesting space because we know what needs to be done. We need to do it. I think that that's where changing the culture to where we don't accept that, and we say, "What were the investment decisions I need to make? Why wasn't encryption rolled out?" Shifting it that way starts to change the calculus to where it doesn't become optional to have modernized cyber defenses, particularly in important parts of our society. It becomes a requirement and a mark of accepted leadership to do that. And I think as I said, the administration is seeking to lead on that by shortly rolling out this executive order, which will do so for federal government networks, to demonstrate that we recognize that a big part of addressing cyber is the "us" factor as well as the "them" factor we talked about so much here. And the "us" factor is ensuring that the things we know we need to do, we do.

ZEGART: Thanks for that question. Operator, can we have the next question, please?

STAFF: We will take the next question from Jim Miller.

Q: Great. Thanks to CFR and Adam and to Amy and Anne as well. Like Joe Nye, I also sleep better knowing that you're leading our efforts on cyber and emerging tech. You mentioned private-public partnerships. Could you say more about your thinking about how to boost information sharing and adversary threat models, exchanges in both directions? So first of all, you know, when we have the next SolarWinds or Microsoft Exchange hack, we'll uncover it faster or even better. We'll have improved active defense that has increased the work factor and risks that the adversary has perceived so that we're less likely to have it. And your thoughts about what are some doable steps in the near term? Thanks so much.

NEUBERGER: Absolutely. Thank you so much. So I think, you know, we've talked about information sharing for a long time. And I think the piece we want to ensure we add into the information sharing discussion is for what outcome. So information sharing with who or what outcome. To your point, I think one of the outcome-focused changes we need to make in information sharing is to recognize that there are enough key technology companies who achieve economies of scale for us with regard to cybersecurity outcomes. The companies who are core in our infrastructure, our cloud infrastructure, our cybersecurity companies who can deploy defenses, clearly our core software and hardware technology companies and focusing information sharing on there. Sharing adversarial techniques as well as sometimes the larger context to say, "We have concern that a given adversary is in a crisis situation where they may use cyber to achieve those outcomes and the techniques we think they will achieve will be that." So in summary, I would say, other than incident response, which I'll get to in a moment, building more of a focused key outcome information sharing with regard to who the participants are, with regard to who is shared, and with regard to the regularized sharing is key. Then there are the broader building trust and relationships and solving problems together. I use the way the administration worked to handle and manage the whole-of-government response to Exchange in that way, where there was both the strategic public-private partnership and active ready discussions identifying what we were concerned about—tracking victims, coming up with innovative ways to drive the number of victims down, as well as the tactical information sharing that enabled those outcomes. So taking the model that was used for incident response and making that a regular part will be key.

I think a final factor, I would say, is when we talk about the who, some of the really effective models done in individual sectors that you've seen and been involved with—the financial sector or the utility sector—our efforts where sector by sector they're valuable, we want to think about how we scale that in a way that gives us a threshold of sharing and enabling across all those sectors.

ZEGART: Well, Anne, we have come to the end of our time. I want to emphasize to our members of the program note that in the chat you will see the link to the salon session, which begins at 6:15 Eastern Time. For us Californians, 3:15 California time. On behalf of everyone, I want to thank our members for coming and a special thank you to you, Anne Neuberger, for spending your time with us, for sharing your thoughts with us. You started by talking about your first day and how grateful you are to give something to your country that has given so much to your family. We are grateful to you for your service in this incredibly difficult and important job. Thanks so much for being with us today.

NEUBERGER: Thank you, Amy. It was wonderful to talk with you, to talk with everybody, and I look forward to continuing the conversation. I truly appreciate the opportunity. Thank you all and be well.

(END)
