National Cyber Director Chris Inglis on stemming cyber threats
In this episode of Intelligence Matters, host Michael Morell speaks with the country’s first national cyber director, Chris Inglis, about his office’s mandate, its mission, and the top cyber threats facing the U.S. today. Inglis and Morell discuss the prevalence of ransomware and why countries like Russia and China might tolerate the presence of criminal hackers on their soil. Inglis also talks about why deterrence in cyberspace is difficult, and how the U.S. government is engaging the private sector to bolster cyber defenses. This episode was produced in partnership with the Michael V. Hayden Center for Intelligence, Policy, and International Security at George Mason University’s Schar School of Policy and Government.
- Heightened cyber threat today: “What we’ve seen is that…transgressors, criminals to nation states, they’re brazen – [they] cross anybody’s definition of a red line. They’re indiscriminate. You don’t need to be the target to be the victim. And they’re impactful, having borderline existential effects on the conduct of national security functions, critical functions and the conduct of our daily lives. We’re not resilient and robust against that.”
- “Permissive” environment for hackers in China: China “is another place where we see a certain permissiveness in terms of the state – not so much looking the other way, but being tolerant of the criminals who are given harbor there. And so long as they don’t annoy or impose some friction or harm on the local economy or the local government, the government tolerates them.”
- Perils of “proactive ambivalence”: “What keeps me awake at night is our proactive ambivalence. By that, I mean that we’re generally aware as a society that something is amiss. You can’t miss this. You can’t stand there and watch the news reports and believe that nothing is amiss. Where the proactive ambivalence comes in is we all believe it’s somebody else’s problem. It’s not my problem to solve. And so we variously point to the folks that have Cyber or IT in their names and say, ‘You need to hold me safe from mistakes or risks that I take.’ That’s simply not a tenable proposition.”
Intelligence Matters: Chris Inglis
Producer: Olivia Gazis
MICHAEL MORELL: Chris, I want to start with the cyber threat facing the nation. You’ve said publicly that, and I want to quote here, “The threat is greater than I can ever remember.” And I’m wondering what led you to say that; I’m wondering what the context around that is. Is it because we’re more vulnerable? Is it because the number of adversaries are growing? Is it because they’re getting more sophisticated? Is it because they’re getting more aggressive? Is it all of that stuff or is it something else? What does the threat landscape look like to you?
CHRIS INGLIS: In a phrase, it’s all of that. I think we first began with what is our dependence on what most of us think of as the internet, what I describe as digital infrastructure. We have a massive dependence, whether it’s for our conduct of our personal lives, our business lives, our national security. Everything we do is fundamentally dependent upon that, to include a broad range of critical functions, critical to health and safety.
Second, having created that dependence over many, many years, transgressors, whether they’re criminals or geopolitical foes, have realized that dependence and they’re increasingly using that to hold us at risk. And in recent years, and I think that there was an inflection point in about 2017, what we’ve seen is that those transgressors, criminals to nation states, they’re brazen – cross anybody’s definition of a red line. They’re indiscriminate. You don’t need to be the target to be the victim. And they’re impactful, having borderline existential effects on the conduct of national security functions, critical functions and the conduct of our daily lives.
We’re not resilient and robust against that. We don’t have the basic resilience and robustness of technology, people, or, for that matter, doctrine – who is accountable for what, such that we can simply look the other way and assume that they simply can’t hurt us. We don’t actually defend these systems as a collaborative endeavor such that they have to beat all of us to beat one of us. They can pick us off one at a time. And we really don’t have a good range of remedies to align actions to consequences.
So in all of those facets, we’re falling further behind. It’s not to say we don’t have some very talented people and we don’t have some really great technology, but we’re not really joined up to solve this problem in a way that’s required. And a premise in the job that I have is we need to rethink how do we actually make it such that if you’re a transgressor, you’ve got to beat all of us to beat one of us. We have not done that to date, and therefore we’re falling further behind.
MICHAEL MORELL: Are ransomware attacks the biggest chunk of the attacks that we see?
CHRIS INGLIS: I think the most notorious, to be sure. I’m not sure that I could say with confidence that in quantity they’re the most numerous.
But they are a symptom of the larger problem, which is the ecosystem within which they operate essentially has low cost of entry; a set of transgressors – criminals, in most cases, but some nation states – who can syndicate, who can collaborate, to find someone who might find a weakness in a system of interest, someone that they could sell to, who would then prosecute that entry into that system, someone who might then take over – it’s a business – who might then take over to actually effect the actual extortion.
They ask for resources to essentially exfiltrate that ill-gotten gain in the form of cryptocurrency, which is hard to track. Many of them operate in safe havens in Russia, near and abroad, or other places where it’s hard for the reach of law to find them. And they operate against assets that are at once valuable and poorly defended. Those assets are information that companies find essential to the conduct of their business, or which they kind of hold as information on behalf of others, that is, personally identifiable information and/or health related information for which they would pay a pretty premium in order to get that back without some further disclosure.
It’s a perfect storm. Long in the making. We’re not going to turn that around in a fortnight. But given that I’ve described a systemic set of weaknesses, the way to address that is to take each of those systemic flaws on and address them one at a time, but in collaboration.
MICHAEL MORELL: Chris, I wanted to mention that we’ve learned of at least one tragic instance where human life, an infant, was perhaps lost as a result of a ransomware attack in 2019 in a hospital in Alabama. And I know you probably can’t comment on that particular case because there’s a lawsuit underway regarding the care of the infant. But what I want to ask you is that ransomware attacks aren’t just about money, right? I mean, there’s human lives at risk here. Is that a fair statement?
CHRIS INGLIS: That’s a very fair statement. I think there’s another incident that I think is in the public record in Germany, where a patient attempted to enter into a hospital, the hospital was down because of a cyber attack. That hospital diverted that patient to another hospital that could properly service them, could coordinate the arrangement of a room and a doctor, and the patient died en route. And so, you know, that is something that I think you could say is directly attributable to a cyber attack.
There are untold numbers of deferred appointments because health systems weren’t able to efficiently and effectively schedule the activities that were required. You really can’t say how far this problem has gone, but it is not an attack on data or systems or simply an attack on the critical functions that rely on those. It’s an attack on health, safety and confidence that relies on all of the above.
MICHAEL MORELL: Chris, you mentioned Russia as being a place where organized crime is able to conduct ransomware attacks. You testified that we’ve not seen yet a decline in attacks originating from Russia since President Biden pressed President Putin on this very issue at the summit in Geneva. Is China another place where organized crime is able to conduct ransomware attacks or not?
CHRIS INGLIS: It is another place where we see a certain permissiveness in terms of the state – not so much looking the other way, but being tolerant of the criminals who are given harbor there. And so long as they don’t annoy or impose some friction or harm on the local economy or the local government, the government tolerates them.
As to whether there’s a formal connection, a direct connection between the activities of these individuals and a government that would sponsor them or aim them at geopolitical foes, the United States being perhaps a case in point – hard to tell. We lack actually quite a lot of information about the rate of incidents, the seriousness of those incidents because we don’t have a universal reporting mechanism within the United States or many other countries that would say, ‘Do we really know the scope of what’s happening in this mist and smoke that covers this battlefield?’
MICHAEL MORELL: Do you have a sense of why the Russians and the Chinese and perhaps others don’t crack down? Is it because there are political relationships or security relationships or they just want to do damage to the United States? What’s your sense for why they allow this to go on and don’t crack down?
CHRIS INGLIS: Without revealing or reverting to classified sources, let me imagine what some of those possibilities are. I think it’s a set. It’s a range of possibilities.
One, they may not be specifically aware that these are happening. They don’t actually govern the population the way we might, in terms of ensuring that the various actions that harass or bother others we look into, we pursue, we investigate. And when necessary, we will bring that person to justice. The rule of law is not the same in those states.
Two, there might be a relationship between the local leadership and these criminals such that there is a profitable arrangement, a, “We’ll look the other way, so long as you get us a cut of the proceedings and so on, and you do not attack the hand that you’re actually being guarded by here.”
And there might, in some cases, and I have to imagine that it’s true in some cases, be an elicit or perhaps an explicit but not seen relationship between the government and these criminals, such that they can be an artifact of harassment or competition by that nation state against this nation state.
I think the Russians under the Gerasimov doctrine – again, this is very hypothetical, but the Russians under the Gerasimov doctrine have made it clear that there’s no such thing as peace or war. There’s just competition. It’s all on, all the time. Any mechanism that you can bring to bear, whether that’s propaganda or harassment below the use of force, is fair game.
And they, in many cases have asserted that they believe we do the same thing. We do not. But their belief perhaps motivates and fuels their use of these assets in ways that we find somewhere between interesting and befuddling, because we do not have mercenaries in this country who operate on behalf of the government without some very direct contractual relationship such that the government bears the burden of actions taken.
MICHAEL MORELL: Chris, Rob Joyce, who is the director of the Cybersecurity Directorate at NSA and who you know well, said recently publicly that almost every nation in the world has a cyber exploitation program, but that more countries are starting to move beyond just cyber intelligence.
And it got me thinking about how you think about international norms here. What’s acceptable in cyberspace and what’s not? Is intelligence collection for national security purposes acceptable, ransomware not? IP theft not. How do you think about that?
CHRIS INGLIS: I agree with Rob’s perspective on that, both what he observed and what he describes as a trend, but would say that the first observation shouldn’t be terribly surprising. Most nations have militaries that are armed with various weaponry that can impose violence on others. But the issue isn’t whether you have that for legitimate defensive purposes, but rather how you employ them.
And so Rob’s further observation that many of these capabilities that can surveil or – what we might describe in colloquial terms as ‘hack’ on the internet – many of these are being used to impose consequences or to do damage. Classically, the term of art would be ‘degrade, disrupt or damage’ something on the internet or, more importantly, something that’s dependent on that data or those systems or the confidence that’s dependent on that.
So some number of nations are, in fact, crossing that line.
You asked about norms – they’re actually very solidly defined norms that the United States subscribes to. The global group of experts sponsored by the United Nations in 2015, came up with a set of norms that don’t have the force of a treaty or convention, but they generally have been looked at as the reasonable, rational foundation for the expectation one nation should have of another, and they wouldn’t surprise anyone on this forum.
I think, typically they would say that no nation has the right in peacetime to hold another nation at risk by holding their critical infrastructure at risk. Therefore, cyber should not be used to hold that critical infrastructure at risk. Any nation seeking the support of another nation in a moment of extremis should expect the support of that nation. And so on and so forth. They’re generally very sensible arrangements.
They leave off the table the possibility that surveillance using these cyber means may or may not be an appropriate activity to undertake – that would lead us to conclude, and I’ll stand in the role of an academic here, that there are circumstances under which that is appropriate, that can be a stabilizing factor.
Knowing something about the aspirations, expectations, activities of a potential competitor or aggressor allows you to prevent those misunderstandings, prevent crises and conflict. And traditionally, for millennia, but at least the life that I’ve lived, we can see that espionage can, when used in proportional ways, be a thoughtful addition to the interaction of nations.
And so we have to distinguish between the deny, the degrade, the disrupt and the use of this to simply understand what’s happening in that network of networks.
MICHAEL MORELL: Chris, let’s switch to your job. You’re the nation’s first National Cyber Director. What are your responsibilities? What are Congress and what is the president holding you accountable for?
CHRIS INGLIS: If you read the law that created this position, it would look like this is yet another power entered into the space, an already crowded space. Another role to coordinate, drive, lead, perhaps in a czar-like fashion, call the shots of who does what. We’re not interpreting it that way.
What we’re doing is to say that there are actually quite a lot of capable players and capabilities, whether that’s technology or expertise in the form of people, there are quite a lot of that in this space. What’s missing is coherence and context and perhaps some complementary action.
So my job, principally, is to ensure that we are joined up, that the sum of the parts is greater than the arithmetic sum, that the various roles and responsibilities complement one another. One case in point is that there are, within the US system, what are called sector risk management agencies that have the responsibility from the federal government to have a relationship with that critical sector.
So the Department of Energy has a relationship with the energy sector for purposes of peace and tranquility, helping them understand best practices, make themselves resilient and robust and, in a contingency or crises, be a principal source of support from the government. There are 16 of those for 16 critical sectors.
At the same time, the Department of Homeland Security has an organization called the Cybersecurity and Infrastructure Security Agency, which is the on-the-field quarterback operationally responsible for ensuring that all of that is done in a coherent fashion.
My job as the coach – that’s the term we use – is to ensure that that’s the way it’s established, that everyone understands their roles, that those roles are complementary. And when we execute those roles that they, in fact, are coherent and you don’t need a Ph.D. in government to understand who is going to do what under what circumstances. I have roles that descend from that of driving public-private collaboration. We’re doing performance assessments of actually driving future resilience, because today is mostly about response. We need to get to a point where we’re actually preventing these incidents, getting left of event, as it were.
All of that adds up to a responsibility I have to make the system better, more accurate, make the performance more efficient and effective, but not to introduce yet another power that’s hierarchical in nature in the system.
MICHAEL MORELL: Senator King, who was one of the leaders of the Solarium Commission on which you served, said that the national cyber director role was at least in part recommended so that there would be, he said, “one throat to choke.” And I’m wondering if you’ve felt any of that pressure since you’ve taken this job.
CHRIS INGLIS: Well, of course I have. So I was on the Hill just yesterday for a three-hour hearing, and there is an expectation, especially when one looks at the organization chart, the static picture of all of the pieces that are in this space, a natural question is, ‘Who on Earth is in charge of that?’ That’s a quite natural, quite reasonable question.
It turns out it’s not that simple. It turns out that when the video gets started, when those begin to operate, much like it is in the physical world, there are kind of lines of effort that are not so much independent of one another, but they don’t actually have a hierarchical relationship. They have a horizontal relationship. We know what individual police forces do to defend their part of the situation in the physical world. We know what militias do in the National Guard to help us in times of crisis, whether that’s of natural disaster or some civil crisis. We know what the U.S. military does. We know what all of those parties do and they’re concurrent without having a single battle captain that stands at the top of some hierarchy.
So I think the right question to ask of this very complicated domain is, ‘Do we know who’s accountable for what under what circumstances and for what purposes?’ My job is to make sure that we have an answer to each of those lines of effort.
And so if you ask who is the on-the-field quarterback that synthesizes everything the government knows and pushes that back out to the largest possible set of beneficiaries, that’s CISA, and my job is to make sure that they’re set up to succeed in that. Do we know who deals with the energy sector in times of peace and tranquility or in the rise of some contingency or crisis? That’s the Department of Energy. My job is to make sure they’re set up for that and that those two complement one another. There’s, of course, a lot more threads on that map. But my job is to make sure that all of that works and that the system is performing in an optimal fashion.
MICHAEL MORELL: Because you know that some of the commentary about your position is that you don’t have the authorities that you need to ensure that you meet your responsibilities. How do you think about that critique?
CHRIS INGLIS: There’s some truth to that if what you’re thinking about is a hierarchical set of authorities where you can direct, drive things, even to the point of micromanagement. The law is written in many regards with a view to – this is really about coordination, this is about establishing relationships and then allowing those to execute with some degree of accountability delegated.
The law even begins by saying, ‘Upon direction of the president’ – giving the president further authority to determine how else he or she would want to assign that power. Case in point: within the scope of my job, I really am inside cyberspace, ensuring that all the assets that live inside cyberspace are properly prepared, properly assigned or complementary, and that we execute.
But if you’re operating outside of cyberspace to try to bring conditions of some sort about inside cyberspace, let’s say you’re using military powers or diplomatic powers or intelligence powers, a broad range of traditional instruments of national power – that is traditionally the role of the National Security Council. That is not mine to drive. I’m at that table. I inform that. I heavily inform that, but that’s in someone else’s hands.
That’s just the way we, as a government, have almost always kind of conducted our affairs. We want to achieve conditions inside a domain by using other instruments that are outside that domain. National Security Council adjudicates and drives that. And so I’m the same in that regard, I’m in the lane of cyber trying to make sure that, as an instrument of power, not the only instrument of power, affected by other instruments of power, I’m doing my part in that lane.
MICHAEL MORELL: So, Chris, the building of your office. So the infrastructure bill gave you $21 million, I think, for your office. You’ve talked about growing your staff to 75 folks. Where are you now in terms of people? And what are you looking for in terms of your staff? And where are you finding them?
CHRIS INGLIS: That’s a great question. So I’m going to expand that question just a little bit so that the context is clear.
So this position was created in January. It was authorized in January. There wasn’t an appropriation in January. I was nominated, confirmed and showed up for work in July. But the appropriations to essentially fund the positions required and the facilities and the material – those appropriations weren’t made until Monday of this week, the week that we’re in; so, like, two days ago.
So what we’ve done between July and now – and actually there’s a silver lining in this – is we’ve had to work hard to figure out if we don’t have the resources ourselves to hire 75-80 people, how do we then work with and through others to get the resources, loan-ins – what are called non-reimbursable detailees – to create a sufficiently robust set of team players here that can begin to coordinate, begin to champion, begin to create the connective tissue that will give additional leverage to the discrete parts that are out there.
So I got 18 people at the moment. All are essentially non-reimbursable detailees, loan-ins from other organizations, and they come from across the gamut of the federal ecosystem: from the intelligence community, from the Department of Energy, Department of Homeland Security, Department of Defense, and so on and so forth.
It’s an impressive group of people with significant experience under their belts, so much so that, walking the halls, sometimes somebody will say, “I recently met – fill-in-the-blanks, somebody from your organization.” They asked me, “Are you with them?” Right, it’s the other person who carries the reputation – that’s cool. That’s really good. I love being in an organization where the talent exceeds your own ability to perhaps script something from the top down.
But now that we do have the money, we’re kind of at a breakout moment. We have defined the outcomes that we’re accountable for. We’ve built relationships. Some of those relationships will be very key. So, for example, the Office of Management and Budget, which traditionally has policy and resourcing in this space, cyberspace, their chief information security officer for the entire federal government has been appointed by mutual agreement between me and the director of OMB as my deputy for federal cybersecurity.
So we’re harmonizing and aligning those roles and responsibilities. But now that we have the resources, the $21 million dollars, we will find the space necessary to conduct these activities, will then begin to hire the people to the tune of 75 or 80 that can build up four broad lines of effort, which I described earlier. I’d be happy to go into details on that.
MICHAEL MORELL: Chris, do you see yourself as putting together a national cyber strategy or not, or – how do you think about that?
CHRIS INGLIS: Yeah, I think there should be a national cyber strategy, and I like the term, the way you describe that. Neither with a defensive mindset alone or an offensive mindset alone, but just: what are the aspirations this nation has that we want to achieve in and through cyberspace?
It is necessarily a derivative of a national security strategy. So what is it this nation wants to achieve? What things do we hold near and dear? What do we want to perhaps achieve in terms of our own initiative? That is currently being worked through by the National Security Council. The interagency process comes to bear on that. Once that’s done, then there’ll be a derivative out of that, since cyber is an instrument of power in its own domain of interest that we would then be able to say, ‘So what’s cyber’s role with that? And what do we need to do with all instruments of power to ensure that we bring those conditions about in cyberspace?’
I think there will be, not a standalone, but perhaps kind of an appendix that says, ‘Here’s the cyber play. Here’s the cyber part.’ But it has to be part of the whole.
I’m then asked, ‘So if you have a cyber strategy, will you have a cybersecurity strategy or federal cybersecurity strategy or Eisenhower Building cyber strategy’ – and all of those things can be inferred, but it gets dangerous to kind of call them out and create stovepipes of those things in and of themselves. So I think at the moment, we’re kind of trying to make sure that we stay holistic in that description.
MICHAEL MORELL: And your office will take the lead on that and I guess there will be a classified version and also an unclassified version for the public?
CHRIS INGLIS: Yeah. So back to the conversation. The answer is we’ll have a heavy influence on that. But given that the cyber strategy will depend upon the application of all instruments of power to achieve the conditions we desire in cyberspace, and that cyber can affect all instruments of power, all domains of interest, I’m a significant player in that – I don’t mean to over or understate my role – I’m not the only player in that. And ultimately, the National Security Council will determine, do we have the right strategy?
I think we’ve left behind the idea that cyber is a domain unto itself, that it’s independent of the other domains of interest, that we can somehow determine, in a purely symmetric way, that what happens in cyberspace should be responded to in cyberspace. That’s not true, especially when you have the safe havens that we’re kind of encountering that require the application of other instruments of power: legal remedies, financial remedies, diplomatic remedies.
MICHAEL MORELL: So Chris, you’ve said publicly that a strategy that is overly reliant on indictments and other actions by, say, the Justice Department, doesn’t do a lot to affect the psychology of hackers who are sitting in, say, Russia. So how do you think about the United States actually deterring those folks? How do we do that?
CHRIS INGLIS: That’s a great question. I wish we had six hours to talk about it.
First, I think that, I’m confident that this administration, and previous administrations, but this one believes that cyber deterrence is possible, but we have to hedge our expectations. It’s not the same thing as what we experienced in the realm of nuclear deterrence where the game was, we needed to keep the weapon off the field. It was an offense-dominant era, such that when a nuclear weapon showed up, it was game over. You lost. Abject failure.
The cost of entry is too low, such that in cyber this is an offense-persistent domain. But the game remains the same, which is cyber deterrence has always been focused on changing the decision calculus of a transgressor, not on some absolute sense of whether you can keep the weapon off the field or not; that’s unique to one domain, it’s not going to work in this one.
And where does the change of decision calculus come from? Several places. One, is you need to convince them that it’s simply not worth the cost, to become a harder target. So deterrence by denial actually has a place in this space. Actually, 80-90 percent of what’s happened in ransomware is attributable to simple human errors. You go back through the most notorious events of this year, and in each case, you say, but for this very simple, kind of single-threaded vulnerability that was traceable to a human action, it wouldn’t have happened.
It’s not to say that transgressors wouldn’t up their game and try and find another way. They would, of course. But we get rid of a lot of this just by deterrence by denial, complemented by a very proactive defense, meaning these systems can’t be made secure; at best, they’re defensible, but we need to actually defend it.
To my earlier point, you need to defend those in a collaborative manner because they can beat us one at a time if we use only those things we know in our respective stovepipes. But if we combine our insights, our authorities and our capabilities, we’re a tougher bunch to beat.
And then finally, you do need to impose consequences on those that continue to come at, harass or succeed against you. So that denial by, deterrence by cost imposition is a real, material factor.
Of course, classic deterrence theory says that there’s also the role for norm setting. We’ve done that. There’s also a role for entanglement, meaning that, let’s come up with a like-minded group of nations that creates a bulwark against the kind of folks who would transgress. And let’s make sure that, to the extent necessary, we entangle ourselves with those transgressors so that they at least understand what we believe is appropriate or inappropriate behavior. And they’re more likely, if we have some shared activities – we might not agree on everything – but they’re more likely to have some shared activities, they’re what I call common interests at risk.
That’s, of course, a complicated formulation, but it’s the sum of all those things that I think creates a change in the decision calculus of a potential transgressor. And I think if we were to give more time and attention to that, we would make a discernable impact on the level of threat that we’re experiencing.
MICHAEL MORELL: Now, because you mentioned a key part of that is us defending our systems. And I’m wondering how you think about what’s standing in the way of that? What’s standing in the way of people applying the technology they need to apply and undertaking the behaviors they need to have? Why is this so hard in terms of defending these systems?
CHRIS INGLIS: Yeah, I think that’s a great question, and I don’t want to steal thunder from a question, you might ask me later – what keeps me awake at night – but it’s in this category. Which is, what really keeps me awake at night, is not kind of the nature of threat that’s constituted in the form of either criminals or nation states.
What keeps me awake at night is our proactive ambivalence. By that, I mean that we’re generally aware as a society that something is amiss. You can’t miss this. You can’t stand there and watch the news reports and believe that nothing is amiss. Where the proactive ambivalence comes in is we all believe it’s somebody else’s problem. It’s not my problem to solve.
And so we variously point to the folks that have Cyber or IT in their names and say, ‘You need to hold me safe from mistakes or risks that I take.’ That’s simply not a tenable proposition. We believe that individuals can’t make a dent on this. That organizations, small- to medium-sized organizations can’t make that promise, that only the champions of sufficient heft and size can – or worse, that we can shoot our way out of this. It’s simply a game of if somebody does A to us, then, tit for tat, we’re going to do B back to them.
All of that, I think, is in the realm of we simply don’t understand the problem as it is, and we sometimes refuse to acknowledge it for what it is. And I worry about the latter of those more than anything else.
MICHAEL MORELL: Chris, I’d love to get your take a bit on what you see as the proper relationship between the government and the private sector here. Obviously, that’s important. And for context, let me just tell the audience something. I’m sure you know that in a recent accounting of the response to the SolarWinds incursion, the president of Microsoft, Brad Smith, actually wrote, and I quote, “It’s impossible to avoid the grave conclusion that the sharing of cybersecurity threat intelligence today is even more challenged than it was for terrorist threat information before 9/11.” So there’s some pretty strong views out there. So how do you see this? What do you think it should look like and how do we get there?
CHRIS INGLIS: Yeah. So that was a comment made circa late 2020 – I agree. Contemporaneously, I agree.
So let’s go back to 9/11 and use that, perhaps, as an analogy. You and I remember quite clearly that two things that we thought we learned in the immediate aftermath of 9/11 was – and I quote General Hayden here – that ‘garrison was not sanctuary.’ That we were held at risk in our homeland. That’s true times ten in cyberspace.
The second thing I can remember thinking that we learned in the immediate aftermath was we had failed to connect the dots. That actually in the long arc of our experience, that wasn’t really the problem. The problem was we had failed to put our various hunches and insights, shards and shreds of information together in a way that we could form the dots, that we could learn something together by combining these authorities in an appropriate and lawful way to discover something that no one institution could discover alone.
That’s true in cyberspace times 100. And so when various parties, whether it’s the person you referred to, whether it’s other CEOs say, ‘It’s really hard to share information,’ that’s only half the problem, right? Sharing information is one thing, but creating insights in a collaborative fashion that no one could find alone, that’s another thing, and that’s where I think we’re really falling short.
So you and I well know the nature of what’s called the special relationship between the US and the UK. And the real secret sauce there isn’t the degree of what sharing will do for exquisite, finely tailored reports. The real magic there is that we collaborate at the lowest possible level to share insights and partial understanding so that we together form analyses that neither one of us could form alone.
I’m not giving away the secret here. It’s actually the magic, the miracle of that. So what we’re proposing that we do differently to address the concerns you raised is, how do we actually reverse the model for collaboration, which used to be information itself is a form of collaboration. It’s not – information doesn’t collaborate. Or that we all kind of find something that we think is so exquisitely valuable – it’s, of course, it’s probably going to be classified or proprietary – that we’ll then work to try to figure out how to sanitize and push it across to the other party. At that point, it’s sufficiently denuded of any valuable content or timely content, timeliness, that it’s typically not worthwhile.
That’s what people were reflecting on 2020: Let’s actually figure out how to get together, to co-discover, co-mitigate threats that we can only find by saying we need to form this together.
It’s not a notional aspiration. Our British counterparts, our Israeli counterparts have both done this. They have different names for those activities than we might’ve assigned to them. But they’ve essentially put private and public sector experts together on common floors, and they’ve achieved demonstrable success in trying to figure out what can we discover together for the benefit of all of us, right. So the transgressor needs to fool all of us to get past one of us, or more importantly, to beat all of us to beat one of us.
MICHAEL MORELL: So, Chris, when you step away from this job in two years, four years, eight years – whenever it is – what would success look like as the nation’s first national cyber director?
CHRIS INGLIS: I can think of three things at the moment. One, that this organization was known and quantitatively could be assessed as having added value to the ecosystem. That the private sector, public sector ecosystem combined, the parts were more effective, that they had greater leverage, greater context with respect to their ability to make the difference that they should.
Two, that we had established a culture within the federal government that, while it does need to ensure that it regulates and ensures the delivery of critical functions and other activities consistent with law and the expectations of customers, that more often than not, what it did was to proactively generate capacity, insights, capability before the event to aid and abet the kind of improvement of the resilience and robustness of the system and the creation of conditions that essentially got us left of the event.
And then, finally, third is that we, in the community of nations, increasingly saw this as an international kind of challenge, not a national challenge alone – that we saw that the largest possible context is the most appropriate and most impactful context, which is that we do this among like-minded nations.