we've got everybody checked in and ready to roll go ahead you're open to both three put it over the Slate now two one take camera one go jump welcome to the Washington Post welcome to Washington Post Live I'm lean Caldwell I'm y Abu Talib I'm David Ignatius that was uh quite an intro my gosh we should probably just leave it right there I've hit the big time Washington Post I can like go home and tell my parents what I did today between Facebook Twitter Youtube Washington Post Live itself we are now reaching hundreds of thousands of homes across all 50 states the power of this platform is it takes people into the world of ideas audience members of Washington Post Live are part of the conversation I would like to ask the audience how many of you knew before today's event that heart disease was the number one killer of women okay just me whether it's with cancer scientists of politicians now this panel I think was originally called you know two women against Putin it really should be three women against Putin and so the better way to get things done as I've demonstrated is by putting a group together and negotiating something that's good for both uh points of view so tell me what your plan is oh we have lots of plans I think Washington Post Live offers journalists like me a new way to do our job their work is hugely important a new way to connect with our audience hello Senator Schumer welcome to the Washington Post this is going to be fun a new way to deepen our engagement with people who care about the Washington Post and our mission of gathering news The Washington Post also uh said that we were the best film of the year so that was pretty cool as well yes well I mean the Washington Post doesn't ey Jeffy you know that I'm still having a lot of fun cat like a lot of fun and their individuality comes through more so than just their title thank you for being the agents and the Warriors of the light and truth that is the lock from the night of the burglary Jeff Bezos bought it at an auction right and we're trying to find out how much Bezos is paying come back come back next week I'm so grateful to be on a platform like the Washington Post I have I subscribe I read I Love The Washington Post we need films like this so thank you very much Steven ly it's been great to talk to you and I'm quite honored that the Washington Post should want to talk with me thank you I cannot thank you all enough hello and welcome I'm Susie Watford and I'm the new Chief strategy officer here at the post as our world becomes more digitized the significance of protecting our systems networks and programs from cyber attacks cannot be overstated cyber security is critical in safeguarding our economic Vitality National Security and of course everyday life recent ransomware attacks on the US Health Care system that potentially put lives at risk underscores the stakes of the issue the various motorvations for cyber disruption have expanded and geopolitics has become an increasingly more important part of the equation so first up today we have a conversation with kber Walden former ing US national cyber director intelligence and National Security reporter Shane Harris will talk to her about the recent cyber attacks on the healthc care system then we have America's first cyber Diplomat Nathaniel Fick will sit down with David ignacious to discuss the state Department's new Cyber strategy and why he has said foreign policy is Tech policy the post Ellen Nakashima will speak with retired General PA nakon the former head of us cyber command and the National Security Agency about the future of cyber warfare and we will also have a special presentation from Drew Bagley vice president and Council of privacy and cyber policy at crowd strike about the next Frontiers in strategic cyber risk mitigation and our special thanks to crowd strike for sponsoring today's event and with that my colleague Shane Harris will be up here after this video to kick off today's conversations thank you again for joining us and for your your support of the post thank you [Applause] [Music] I know this if we banned ransomware payments today we could bankrupt the very small and mediumsized businesses that the American economy relies upon think rural hospitals that serve four or five municipalities those can go bankrupt what we need to do is prepare for the worst prepare those organizations to be more resilient Against The Ransom or [Music] attack hello everyone welcome to the Washington Post I'm Shane Harris I cover intelligence and National Security here I'm very pleased to be joined today by kemell Walden uh who you just saw in the video president of Paladin Global Institute former acting National cyber director at the White House someone who has worked for many years really at the heart of cyber security issues throughout the government so we're really pleased to have you here today thanks for coming thank you for the invitation um I want to start by hearing your thoughts about this um hack on change healthc care a unit of United healthc Care Group that we saw here in the intro video this is you know an attack that hurt providers patients and really compromised the health heare industry Nationwide outside of the scale of that event which was huge what what struck you as notable about this latest Cyber attack well Shane thank you for having me here and um the healthcare industry is really something that I personally care about we all personally care about but I'm the daughter of a doctor that that owned a clinic a nephology clinic for for decades uh the two things that struck me the most is that this got in the way of access to healthcare for individuals it got in the way of providers being able to provide that Health Care to individuals that's the first thing uh the well-being of people uh and the impact it had the second uh is a little bit more wonky but it's it's what happens in the cracks what are the things that we're not really engaging on um the healthcare industry is become a corporate entity corporate structure of a corporate ecosystem that engages in merges and Acquisitions and it's in those merges and Acquisitions in the cracks where we find some vulnerabilities um and not paying attention and tending to those cracks I think is alarming and you know it's there have been some that say that the scale of this kind of attack shouldn't have surprised you know the industry right and you obviously you've been testifying about these things and working on these issues for a long time um a recent survey showed that us Healthcare organizations allocate an average of 7% of spending to cyber security whereas the average amount spent across sectors is 11 to 12% so there's about a 4 or 5% differential there is the healthcare sector allowing itself to be a Target by underinvestigated to its digital infrastructure I mean that's that's clear we've seen that um it's also that the healthcare industry operates on data that is that is valuable and while Ransom are actors and other nation state actors and organized criminals or opportunistic by Nature there's there's value in that data but that data is sort of the engine for the healthcare system to be able to work the way it's organized now um and we haven't been paying enough attention to securing that data and the infrastructure it flows upon uh in a way that we that that allows us to really consider the implications of a nation state attack on that system it's really the well-being of people the access to health care that becomes makes it Target rich and I would think if if you were a health care provider you're a doctor you're children doctors you're not sitting around worrying about data security I mean this this must seem to so many Healthcare Providers and clinicians and even you know at a hospital level like somebody else's problem right or you know how do we kind of because I've been writing about cyber security for 20 years now and there's always that question of how do you get the people in charge to realize no security is something that you have to invest in I mean what are your thoughts on that and how that's playing out in healthcare and I would imagine events like this are bringing it home for people making it acute yeah you know providers like you said are they're they are brilliant they care they're there to do one thing that is to to save and improve human life human well-being Managed healthc Care has become an industry now over the last few decades and that's a whole different policy conversation but managed healthcare they're providing Digital Services too they are tech companies United healthc Care is a tech company um and so as a tech company they have to think of themselves as as the responsible party for protecting patient data and services to enable uh access to healthcare these are tech companies now uh and we need to treat them that way change healthc care is a money is a is a payment system right we need to treat them that way we need to start helping hospitals helping providers but the tech companies that manage the services and manage the the healthc care in between to become um cyber Security Professionals full stop we need to be able to give rural hospitals the resources that they need in order to be able to employ managed service providers or cyber security uh or cloud service providers um giving them the training that they need in order to be able to look at vendor contracts in a particular way in a way that they're not used to looking at um giving them the resources that they need to be able to deploy endpoint detection and explaining what that is and why it's important uh we need to be able to Fan out into those rural areas into those areas that provide Healthcare Services to the most needy the underinvested communities possible uh and help them to become cyber Security Professionals because it's one it's sort of one and the same it's it's it's it's another tool to enable the delivery of healthare service is that ultimately a matter of educating people there or getting more people with those skills to take those jobs jobs and those rural facilities it's it's a matter of training and resources right you can have a plan you need a plan um but without resources without adequate training you don't have much more right so we need to be able we need to incentivize people to get out there and become cybercity Professionals for healthare systems and to retain those train trained professionals um we know in the cyber security space we tend to in and out private sector public sector large companies small companies I'm an good example of that um but the more people we can have out there that understand the intricacies of the Health Care system and understand how to secure data and the information networks that the data flows on the better off we are systemwide right so you mentioned resources so that's money let's talk policy to let's talk Congress you were we you saw the film there of you testifying what do you want to see from legis legislators on this and do you think there's appropriate concern and recognition on the hill about this threat I mean we've all seen plenty of testimony with members of Congress who don't necessarily seem the most technologically savvy obviously their staff are are Neck Deep on this issue but is there recognition on the hill that this is a problem and what you know concrete steps would you like to see now that would go towards addressing the threat I do think there's recognition on the hill I think there has been for some time I mean the I'm a lawyer so I'm sorry I'm about to to get into it but Washington there's plenty yeah there's plenty of us so you're used to it now the Cyber Security Act of 2015 uh did a couple of things one it created the cybercity information sharing act which is a thing I I dealt with when I was a lawyer at DHS but the other thing it did was to tell the healthcare industry that they needed to start focusing on digital security um and so at the end of last year health and human services along with the health sector coordinating Council and the health Public Health sector uh published a set of voluntary cyber security standards uh in a couple of technical notes some for small uh Hospital rural Health Care Systems and others for medium and large size systems I mentioned that because something that Congress can do um is to codify some of those it's called the hiccup these documents if you're looking for them codify some of those if not all of those untary requirements make it a a minimum cyber security standard required of all healthare systems and then once you make the system defensible enforce defending it and then cause cause hospitals to to continuously develop resilience what is the resistance towards making those voluntary guidelines mandatory you know I I think there are a couple of things some of them are political uh you know it's hard to get Consensus These days unfortunately in Congress I think that's a challenge uh and so in order to start working on making those systems defensible we do need a voluntary system now because we can't wait um there might be some pressure against the costs associated with mandatory minimum cyber security requirements so if Congress creates mandatory requirements Congress also needs to appropriate the right authorities to be able to give maybe Grant making authority to rural hospitals to be able to deploy some of those minimum standards to be able to employ the right people to deploy those minimum standards in those systems so it takes both a requirement some funding maybe through the grant making process um and then enforcement and I think we're talking about big Healthcare systems at the top but these rural un undef under resourc undefended places are the we click in the chain right I mean do you hear from you know rural hospitals I are they clamoring to say look we want to do this but we're under resourc you got to give us some help here to do this yes I mean the rural Health Care is and and I'm not going to talk just about rural healthc care but you know clinicians yeah that can be in urban centers that are that are under underinvested too they want to provide services to patients they want to improve the well-being of patients they want to improve access to healthcare um and they recognize part of it is to make sure that their networks and systems don't fail but they don't have uh the right resources they don't have the right training and they're they're seeking it out and begging for it and sometimes it's just too expensive to do it and is it a matter to of like the recruiting the right it talent I mean do people who train in these areas want to go live in bigger cities generally and it's harder to get them to want to go to these other places yeah we need to develop carrots to be able to do that I mean you become a cybercity professional and the Market's pretty good for cyber security right now you go to a small a small rural Hospital get the right training and then you're recruited immediately it's the same story across industry right uh that's the challenge I want to talk about incentives here too you know the White House has said in a statement that they've been quoting here strongly discourages paying of ransoms to stop the flow of funds to these criminals and disincentivize their attacks which I I think makes sense many people talk about you know not negotiating with terrorists not negotiating with kidnappers we all know that many cyber insurance companies do suggest paying if data backups are not available uh United Health seems to have acknowledged that they paid $22 million to a russian-speaking ransomware gang so did United set a dangerous precedent here do companies in general do that how do you view this tradeoff between what levers are there you know to raise the cost for hackers are we just incentivizing it and creating a market for them because they know these companies are going to pay and have the money to pay yeah so it's a that is a tough business decision I mean you saw the CEO of United Health Group say that this was a a horrible day for him to make that decision and I believe him yeah that's a really tough business decision I would like us to get to a point where paying Ransom is the last option that you have a system that's resilient that you have downtime that's short ransomware operators are are business entrepreneurs right I mean it's organized crime syndicate but they are business entrepreneurs there are social institutions that underline this this criminal business activity they know that they can put pressure on the CEO of a large Company by causing the the resilience infrastructure to fall right so backups are being encrypted before the sensitive high value data is encrypted for that reason and that's what we saw in in change Healthcare that we see across the industry um we need to get to a point where we're building in resilience not only making our systems more defensible and then defending them but building in resilience so that downtime is short so that paying a ransom becomes the last option we need to get there so that we get we put this with we put this criminal organiz organized crime to rest so they go and find something else to do essentially right or we lock them up use their skills somewhere else well kembell Walden this is a great discussion it's a great way to set the table for what's coming up next thank you very much for spending some time with me and for being here thank you Shane thank you and my colleague David Ignatius will be up next with Nathaniel Fick America's first cyber Ambassador after this video so please stay tuned [Applause] [Music] the overarching uh theory of the case here is that uh no no country no company um not the United States home to to the greatest number of global technology companies in the world uh nobody can go it alone here and the um the uh sort of tag line that was ringing in our ears as we were developing the concept was um a line from Ben Franklin during the American Revolution and he said we must hang together or surely we shall hang separately so welcome I'm David ignacius a columnist for the post I'm delighted to be able to moderate this conversation with my longtime friend uh Nate fck who is Ambassador at large for cyers space and digital policy at the state department uh Ambassador welcome to the to the Washington Post good to be here David thank you so uh let's start with something that's in the news uh two days ago Microsoft disclosed that Russia has been trying to disrupt the 2024 Olympics in Paris including a disinformation film called Olympics has fallen that has a fake uh AI generated voice impersonating Tom Cruz I'd love to hear that um uh tell us about about the campaign um what else you know uh and what else you see coming as the Olympics this big Global Gathering uh is just ahead of us I think there are a few uh trend lines that I would app point to in addition to the the specific headline one is uh the pace of Russ hybrid activity in Europe is certainly increasing um in the digital domain but also uh other things like moving those buoys on the narva river in Estonia for instance I was in Estonia last week that was very much a topic of conversation so uh I think we're going to see more of this kind of uh Russian meddling uh in in ways that are uh disruptive that violate our Norms that really are fundamentally unacceptable and that uh are calibrated to stay generally below the threshold of the use of force um so that's narrative or or trend line one um second is um how important it was that uh this Russian activity was quickly attributed um and multilateralization of technical interference was actually pretty tough to do uh technically that's migrated to being primarily a political Challenge and I think we NATO have learned uh that when we can publicly attribute and we can do it in a multilateral way it's more effective just say a a word about how Microsoft did this and about uh what Microsoft's disclosure tells us about the growing partnership between private sector in the US and parts other parts of the world and governments you know I think the uh one of the Silver Linings uh to the very dark cloud that is the war in Ukraine has been a material strengthening of public private Partnerships uh on cyber security and digital issues broadly exemplified uh in many ways by uh the partnership between the US government and Microsoft in some key ways uh the migration of the Ukrainian ENT government Enterprise to the cloud before the further Invasion the feedback sharing and threat intelligence sharing Loop among the Ukrainian government the US government Microsoft and other technology companies in order to blunt Russian cyber attacks in Ukraine and this is yet another example where um often the the first line of defense and also the first line of detection um is sitting in the private sector and so uh the government actually relies quite a bit on those Partnerships in order to uh figure out what's going on and move quickly do you worry um with this growing partnership you could even argue dependence uh on on private sector companies about what would happen if Microsoft decided for whatever reason shareholder pressure changing business climate to pull the plug what happens then I worry about everything David um uh I think uh look broadly speaking um we need in this world where uh digital issues inevitably are going to span uh government and the private sector uh we need public-minded business business executives we need people serving a government who have some technical technical exper expertise and some commercial sensibility um I think it's essential that uh that we have uh we avoid monopolies wherever we can um in technology areas where there's only one provider you end up with a much uh kind of scratchier relationship and and more risk um but the the the partnership with Microsoft in particular has has been you know so robust I think that this kind of collaboration is uh at this point in the DNA of the business so before we turn away from this question of disinformation I want to ask you at a time when our national debate is as polarized as ever uh in in particular on the question of of of Gaza but also obviously the trial of former president Trump in in New York what evidence do you see of foreign government efforts to to to uh make that polarization even worse to drive wedges deeper one thing that strikes me is uh after a couple of years in this role is I don't think most American citizens really viscerally understand how much of the content they see on social platforms is actually a foreign intelligence operation um I I just don't think we viscerally get it um how much of what we see is bot generated or or or foreign intelligence service generated so um it's Daniel Patrick Monahan said you're entitled to your own opinions but not to your own facts and and some shared understanding of the facts even though we disagree about them um or or about the implications of them we have to have a shared understanding of the facts um this this notion of information integrity and and a shared context around what's factual and what's not is the lifeblood of of democratic representative government so uh in my little perview uh something that we try to make very clear to Russia to China uh to others cons on a consistent basis is that we view any kind of interference in our Democratic process as dangerous uh as escalatory and as unacceptable and let me just push this a little further on the the immensely painful difficult question of of the Gaza War have you seen foreign governments attempting to exacerbate differences in the United States yes unequivocally across multiple platforms and and multiple vectors so that's that's a a chilling takeaway for me let's turn to some something else that's been in the news s groundbreaking talks on AI with China in Geneva last month I think we'd all uh love to hear your summary of what the agenda for those talks was and what in that first encounter on this very deep important subject matter you were able to accomplish I think the the theory of the case there um uh goes back to uh Woodside and the president's meeting with uh with President XI uh and a mutual commitment that that they made to um open a channel on AI given how foundational it is to so much of our national security but also to um potentially solving some significant Global challenges like uh weather forcasting and climate modeling and medical Diagnostics and these kinds of things um I went with secretary blinkin to Beijing about a month ago um a week or so before the talks in Geneva and uh we reaffirmed our our commitment to to do our part in uh opening that dialogue uh the dialogue itself was focused on AI risk and safety particularly um with regard to Frontier systems the most advanced AI systems and uh we traded our perspectives on um on governance uh on the proper uses of AI um and look I I think we have uh quite different views in some key regards the United States uh in all techn technology areas is committed to a multi-stakeholder model that has a robust role for the private sector it has a robust role for civil society organizations uh we're committed to uh rights respecting uses of Technology we have uh kind of a a societal Norms around privacy that simply don't exist in the PRC so um my view is that diplomacy is most important exactly when it's most difficult uh just sitting around and talking about comfortable topics with your friends um can be fun but it's not always useful uh having these kinds of channels and these kinds of dialogues is useful and so we committed to doing it again so I'm curious whether your goal as you continue this process is to seek rules of the road that would be shared or simply to maintain dialogue aspiration Al of course um the goal is some shared sense of rules of the road uh after the release of chat GPT in November of 2022 the US quickly moved to take a leadership role on these issues every government in the world was trying to figure out what to do um the White House started with voluntary commitments uh voluntary was important because voluntary is fast and given the pace of evolution of the technology we needed to get the first step of a governance approach in place quickly voluntary also matters because it by definition doesn't constrain Innovation the companies are agreeing to do it so we started with the voluntary commitments uh we ported the DNA really of those commitments into the G7 uh they became the Bedrock of the international code of conduct for AI developers at the G7 and they also formed the basis for our work at the un uh the US introduced a a resolution um in the general assembly on artificial intelligence it was ultimately co-sponsored by 123 States including China uh and passed by consensus and read the language it it really locks in in some important ways uh a a uh the sort of view that our like-minded partners have about the future of tech so if it's possible to bring every country in the World along with that kind of approach great uh and if it's not and I think it's probably naive to think that that will be easy then uh then we will commit to maintaining the dialogue uh so that we have a channel to discuss our differences so there are some cynical observers who say that the reason the Chinese were willing to talk uh about AI is that they're behind the United States uh and so they want to learn what they could about where about where we are you're our ambassador for digital policy you have the broad overview where are the US and China in the this technological competition on large language models on Quantum Computing on biotech are we ahead behind even what's your judgment I mean I I you know rather than let me make a sort of political pronouncement about where I think we are um which country in the world is thear largest the most popular destination for entrepreneurs who want to build businesses in these spaces which country in the world is the destination of the largest amount of venture capital and private e Equity investment in these areas um it's the United States this is still the place that uh people want to come in order to build great businesses and ultimately uh that's the most powerful Arrow uh in our quiver and so I think that uh if you believe that Tech Innovation as a source of National Power is foundational and I believe that with every fiber of my being that traditional measures of strength uh like GDP or like military capacity are more and more Downstream actually of a Nation or a coalition and economy's ability to innovate in these Court technology areas if you believe that um then innovation has to remain our North Star because uh we're we're in a in in the early Innings of a significant competition to see whose operating system becomes the dominant one in the world in these areas and if uh those of us who are committed to things like uh representative government and free markets and equal treatment of all people um need a a generally rights respecting operating system to Prevail so let's step back a bit and talk about your job which was an unusual and uh in Innovative thing for the state department to to do you're the first Ambassador at large for cyberspace and digital policy what's your mandate in in that job and how should we as observers measure your success or lack of success in the job fair question um every nickel we spend is a taxpayer nickel so yes we have to be evaluated against some clear criteria I'll give you a few um when secretary blinkin first called me about the job he said that the mission and I'm I'm pleased to say that you know two and a half years later three years later the mission hasn't changed uh he said the mission was to integrate and Elevate our approach to Tech diplomacy he said uh Tech is uh increasingly uh Central to our foreign policy and ex increasingly inextricable from every element of our foreign policy it's part of every bilateral relationship it's part of every multilateral forum and it's part of every functional topic from human rights to Arms Control to climate change and so our mission uh was to ensure that the state department is ready for that and has the people in the organization in order to operate effectively in that world and to ensure American leadership in that world so that's meant a couple of things for us we've uh built this new Bureau focused on uh cyber security policy digital policy uh digital freedom and emerging critical and emerging technology so we're trying to build a a team of experts within the department but that's not enough um the real work of diplomacy in the state department happens out in the world it happens at the 200 American missions around the globe and so we set an objective of having a a trained cyber and digital officer uh at every Mission around the world by the end of this year we're more than on track to meet that goal uh We've succeeded on Capitol Hill in getting a uh dedicated fund for cyber digital and emerging Tech assistance now it's up to us to deploy it well so I I think the key metrics are um whether American diplomats are are up to the task whether uh we are re-engaging fulsomely in the multilateral fora where these issues get decided uh and I think there's there's pretty ample evidence in the last couple of years that that things are moving strongly in the right direction so in rolling out this new portfolio you uh issued a a sort of foundational strategy document uh last month and uh in that uh document in its preface um it says a quote Central to our strategy is the effort to build digital solidarity among partners and allies explain what that means digital solidarity is the organizing principle of that strategy of of the US International cyberspace and digital strategy and um it recognizes that none of us as as that quote actually um that video clip uh that uh was shown when we sat down um we can't do it alone we we simply can't uh no country can do it alone not even the United States with uh all of its wealth and all of its power and Prestige and its Innovation economy we can't do it alone uh these Technologies are transnational they intrinsically cross borders in fact if they're not operating at global scale they lose much of their power uh their very power comes from being transnational uh companies in order to succeed want the biggest possible markets they want harmonized regulation they want common standards interoperable standards and so um digital solidarity means uh acknowledging that and linking arms with our uh partners with with allies uh and building the biggest possible tent that we can it means uh actually not forcing a choice in a tech ecosystem globally that might be fragmenting and balkanizing it's not the future we wanted but it's the future we're getting and if that happens if it continues uh we want our piece of it uh to be as big as possible and and fundamentally that's that's digital solidarity so to unpack that what I what I hear you saying is that to make uh this solidarity uh as big and powerful as possible some countries that are not democracy es but that are Advanced and friendly the United Arab Emirates Singapore would be some examples not Democratic in the American sense you want to be open to them being on our team broadly speaking is that a fair way to put it I think the the United States of course uh stands for represents and advocates for the the kind of Bedrock value of democratic participation around the world uh and in in some of these key technology areas yes we are going to have key Partners um who uh who who may have slightly different forms of governance than we do and uh I think it's uh it is pragmatic and wise for us to leave room uh to ensure that we can work closely with them so at the same time that you're pursuing your mandate and your strategy Russia continues what has been a very aggressive effort through the United Nations primarily to write new rules for cyber space I've written about this a half dozen times over the last few years uh and they just keep coming at it it's like the fox just is determined to to try to guard the chicken cpop uh and there's a new effort to that they just have cranked up uh at the United Nations and you're you're nodding uh you probably seen this same same information I have so um they seem to have from my uh judgment growing people who were sort of seem sympathetic to their broad U uh inclusive sounding formulations and are are close to having or may already have a majority of the general assembly ready to back their approach is that right first and second if it is what do we do about it so uh three things there um I think you are absolutely right that uh that Russia and China um but we can focus on Russia here uh have been engaged in a in a in an everywhere and all the time kind of uh campaign in all these multilateral organizations uh and and particularly the United Nations to set the rules of the road and Tech and uh you were focused on it early um and uh my very first diplomatic trip when I started this job was to go to Romania to whip votes in the final hours before the election of the the Secretary General of the international telecommunications Union probably the most important international organization that most people are unfamiliar with and um that that election was extraordinary it was an American citizen International civil servant Dorene Bogden Martin running against a former Russian Deputy minister of communications who before that was a Huawei executive it was like a comic book script and uh Dorene won and she won in a landslide uh and she won in a landslide partly because of American engagement um with so many of those Middle Ground States uh who perhaps needed a little bit Fuller understanding of what Russian dominance of the itu would mean um another example of it is the open-ended working group in the first Committee of the UN where the uh kind of the The Keeper of the framework for responsible uh Behavior responsible State behavior in cyberspace the uh we are trying to transition the open-ended working group to a new mechanism program of action uh the resolution in support of that uh the vote in support of that transition garnered 161 votes um you know 2third of the general assembly and that was for a pretty strongly you know American and like-minded position um I'll give you one other example which is the the uh AI resolution that we introduced um with 100 23 co-sponsors uh that passed uh with unanimous consent so yes the Russians and others are engaging hard in these multilateral fora because they really matter it is in fact where the rules of the road get written um I don't think that they are having the success that they want to have and um what does it mean going forward it means we can't rest on our Laurels uh look I'm a military officer and CEO by background I hesitate it's you'd be hard pressed to find anybody more frustrated with the UN and multilateral process than me uh it is slow it is clunky it results in suboptimal outcomes and it is absolutely essential um because just like nature abhor a vacuum when the United States pulls back as we are so often tempted to do because of how clunky it can be our adversaries fill the void so that's a a a good place to end I just would note that that Ambassador Fick and uh so many people are actually out there in these regulatory trenches around the world hard to imagine you know sitting through plenary sessions of subgroups in the international telecommunications Union but they're doing it uh and and it makes a difference so Ambassador thank you so much for for joining us today great thanks to all of you [Music] the adversaries are back not again Sheriff I got this protecting your business from cyber attacks can be unrelenting today's adver sering move fast crowd strike moves faster Crown strike we stop [Music] breaches good afternoon it's great to be here and it was great to hear from my friends Ambassador Fick and Kemba Walden in that last session um you know building off of those conversations today I want to talk about a topic that I think is really the you know the next cyber security policy challenge for us all and that's ecosystem level challenges in cyber security in an era of exciting possibilities fueled by technological innovation devices networks and data are interconnected in a vast digital ecosystem this means that what organizations build in this ecosystem affect other organizations For Better or For Worse today we are at an inflection point when it comes to the Cyber policy challenges to the resiliency of our digital ecosystem and to the Cyber policy Solutions needed to address them year after year there are significant cyber incidents perpetrated by nation state actors affecting government agencies and our national security these incidents Target specific agencies and significant government data repositories to further strategic geopolitical aims so what are today's ecosystem level problems the pattern is all too familiar a high-profile cyber incident is discovered and in the midst of an investigation it is revealed that a nation state actor has leveraged long-standing vulnerabilities in ubiquitous it architecture to achieve a jarring level of system access to make matters worse there are often indications that an adversary has been in the victim's Network for a long time yet if the victim lacked a resilient cyber security program to begin with then there generally isn't enough logging to tell the full story how long was the adversary dwelling was it a month months a year years the lingering questions leave Defenders alarmed not only at the known impact of cyber incidents but importantly at the unknown impact the long-term consequences of each cyber incident we've seen some deeply disruptive breaches over the past few years what stands out most however is how much worse some could have been for every breach where the threat actor's motivation was Espionage even those that required complex remediations there could have been a much worse scenario indeed recent breaches could have been catastrophic under different geopolitical circumstances adversaries might have deployed wipers or ransomware like attacks across thousands or tens of thousands of possible victims consequently impact to the victims was determined by the prerogative of the adversary not any particular limitation to their access resources or knowhow such access is a key component in adversaries pre-positioning for future attack opportunities the reality is that significant cyber security incidents resulting in data breaches disruption of services and National Security consequences occur with such regularity that policy makers are inundated with tactical demands these demands pose critical questions about it hygiene cyber security best practices and resourcing this means less time is spent on long-term strategic issues like achieving cyber resiliency in our digital ecosystem fortunately we have seen some positive developments in the Cyber realm as of late within the government specifically which often sets the tone for broader parts of Industry we've seen the executive order on improving the nation's cyber security and the national cyber security strategy help best practices to go mainstream and organize government agencies around foundational cyber security policy Concepts critically we've seen some incredibly promising initiatives aimed at providing solutions to the ecosystem as a whole for example secure by Design secure by Design principles have been developed by sisa to promote the notion of security being part of the design phase of a product and implemented by default secure by Design is a significant section of the national cyber security strategy and aligns with the goal of Shifting the burden from would be victims to those best suited to provide security recently sisa launched a secure by Design pledge which Crow strike signed to demonstrate measurable progress in securing products software supply chain security the concept of supply chain security was propelled forward by the executive order on improving the nation's cyber security and the Office of Management and budgets subsequent guidance to direct federal agencies to utilize soft Ware that was built following cyber security best practices with regard to open source the concept of open-source software security recognizes that all parts must be secure for the sum to also be so sisa has published an open source software security road map to begin to drive the community towards securing foundational open- Source software the software Bild of materials commonly known as esom which due to its ability to illuminate individual software components has become a potential tool in tackling software supply chain risk management and memory safe languages and leveraging memory safe languages can preemptively reduce a common attack surface sisa and international Partners have worked alongside secure by Design campaign Partners to address vulnerabilities and programming languages these developments set a policy foundation for creating a more resilient architecture for our digital ecosystem they're designed to improve the quality of the materials we use to construct this architecture and to help us verify the source of these materials now it's time to focus on how we Implement these materials in a resilient way a resilient digital architecture should be able to weather a storm rather than collapse in the face of an incident we must develop code in a secure Manner and verify its progyny however it is critical too that we deploy software in a resilient manner one that reduces rather than increases risk in our digital ecosystems the through line of these initiatives is that they apply leverage to a weak or failing part of the it ecosystem as it exists today and from the groundwork laid by these initiatives policy makers are in a good position to tackle Le the next emerging ecosystem level cyber security challenge concentration risk at present many government entities are extraordinarily reliant on one major vendor their it stack may include just a single provider for operating system Cloud productivity email chat collaboration video conferencing browser identity generative Ai and increasingly security as well this means that the building materials the supply chain and even the building inspector are all the same if that provider fails the consequences for its users could be catastrophic if that one vendor security culture is inadequate like Microsoft says according to the Cyber safety review board then the situation is dangerous the Cyber safety review board's most recent report covered the July 2023 breach by Chinese State actors but a subsequent breach by Russian State actors that occurred in November 2023 went undetected until January 20124 this illustrates that the problems are entrenched and have the potential for significant consequences when viewed as one-off incidents these problems seem as if they come and go however the longer Arc of recent history tells a much different story a quarter century ago the original edition of George Kurtz's book hacking exposed describe the golden ticket authentication vulnerability by 2020 a related attack dubbed golden saml permitted Russian State actors to gain access to sensitive government systems and the latest iteration dubbed golden MSA was a key feature of last Summer's Microsoft Exchange breach what began as an adversary getting the keys to a house has evolved into the adversaries getting the keys to the kingdom and ultimately becoming the locksmith all the while more and more critical services are unlocked with these keys I was on this stage a year ago with sisa executive assistant director Eric Goldstein who proclaimed identity-based attacks need to be our North Star in anticipating adversary tactics this remains true today but with each passing year the problem grows more consequential fortunately the community is beginning to assess these problems in a more concerted way last month the center for cyber security policy and law hosted a tabletop exercise which we participated in to assess how it stack concentration risk might impact federal agencies during an attack unsurprisingly in that scenario an agency using one vendor fared far worse than an agency using a constellation of it providers that was one scenario and as we all know conditions change and our adversaries are quite adapted but it's clear that more rigorous attention is necessary here so what can we do how can we break this cycle unfortunately as a security Community we failed to measure concentration risk well the security Community never really wrapped its arms around the monoculture problem decades ago when it existed at the operating system level now the problem exists vertically across the whole it stack with any risk it is critical to have visibility into the threat the status quo results in the threat of concentration risk remaining opaque until the adversary successfully infiltrates an entire it stack we now have an opportunity to start to take this problem more seriously the next steps are fairly clear as evidenced by a recent report by the center for cyber security policy and law characterizing the exercise I mentioned a moment ago the office of the national cyber director has demonstrated its ability to tackle complex issues and create results that have improved the way the US government manages cyber security risk given the on CD's placement in the White House is well suited to task other federal agencies such as sisa DOD and GSA to examine and address concentration risk across all agencies any concentration risk effort would be complimentary to on CD's ongoing work and they should collaborate with appropriate agencies such as om to orchestrate new initiatives given this role has the author initative developer of rigorous standards across it risk and security it would be logical for them to take action they have robust processes in place to engage the community on a topic of this complexity even those that believe that concentration risks in it are over rot a thorough list of best practices a framework or controls document could help Federal cesos andit Risk Managers address this type of problem implementation of such a framework or standard in the federal space would have positive effects for widespread adoption throughout the broader it and critical infrastructure communities additionally nist already has concentration risk on its radar in guidance stemming from the executive order on improving the nation's cyber security nist identified concentration of products or services from a single supplier as a condition in the supply chain that could cause vulnerabilities existing references are minor and lack definitions though so a more comprehensive look is warranted everyone including organizations I've referenced today should contribute to this dialogue by providing requests for comment responses and for its part the National Security Council could build on the previous cyber executive order tasking nist and other agencies to take action on these recommendations Congress especially congressional oversight committees should investigate and assess concentration risk across agencies given the significant risk to National Security posed by successful cyber attacks this action is within congress's purview there's also a very critical economic Dimension to this issue as a community we can't really price risk accurately until we've measured it or Worse until an organization has experienced the outcome of failing to mitigate it it's not clear that relying on one vendor for the entire it stack is actually more cost-effective on a risk adjusted basis and even if that were the case on the margin critical entities like government and Military users would nonetheless have a reasonable expectation to invest in Greater resilience by virtue of their missions some Enterprises require best-in-class solution some Enterprises have an absolute need for continuity of operations to address this problem holistically Defenders must have a means to assess and measure concentration risk in it Stacks we can no longer tolerate Solutions or architectures that risk crumbling from a single point of failure ultimately as a community we should have confidence that we are improving the long-term resiliency of our digital ecosystem we must not leave consequential strategic policy challenges like addressing it stack concentration risk unmet for yet another day thank you thank you all for being here and I'll now turn the stage back over to the Washington Post and it was delightful to be the warm-up act for General nakason I know I'm looking forward to his session [Applause] [Music] [Music] China is the pacing challenge of our nation it is the the generational challenge that we will address our children will address our grandchildren are going to address we see it across the the major lines of you know National Power their diplomatic information military economic it's different than adversaries that I've seen in my three decades plus of service in the Army hello and welcome I'm alen Nakashima a national security reporter at the Washington Post today I'm excited to be joined by retired General Paul nakasone who was the head of the National Security Agency and the Cyber command before ear retiring earlier this year he is now the founding director of The Institute for National Defense and Global Security at Vanderbilt University General nakasone welcome to the Washington Post uh Ellen thank you so much I must say it was a little bit different to see myself in uniform on the uh on the monitor but it's really nice to be here thank you so much great great to have you here in civilian cloes I I wanted to start with uh a comment that Ambassador Fick made uh in the last session with with David ignacius he mentioned that there are a lot of foreign actors um active out there working on to to sew divisions around the Gaza Hamas issue in the United States I wondered if if you could to explain that a little given your experience while you were still inside I think Ambassador fi first of all has done a marvelous job of talking about really the amplification of what foreign actors can do with both message and technology so we saw this in terms of everything post August 7th very very little discussion about 1,200 innocent civilians uh and Personnel that were killed in Israel and everything about what Israel was doing this is the opportunity to take what is a story and then an audience and then being able to use tools that have an ability to focus it on the message you want to send we've seen this particularly in the best of this are the Russians were were they active on this they were active and if you take a look at uh you know Russian actors such as lotka or what we used to call the internet research agency these are really the the folks that understand it I think this is the point Ellen that that uh I would emphasize here is that we think of cyberspace as being well defense and then offensive action but really the in between the in between is so important because that's information operations and this is what often times has the largest component or lasting power uh with regards to an action what what impact did you actually see or could you see between say what Russia was doing on uh the Hamas Gaza issue and actual out outcomes on the ground Behavior let me just let me just take a step back from it and just this is what we were seeing after the invasion of Ukraine in 2022 this is Russian actors in a series of different parts of the world particularly South America and Africa where they're providing their Narrative of the story an expansion of NATO this is you know obviously encroachment on on Russian uh sovereignty and this is a completely different story a false story from what is actually going on the ground and so as a result and you were still inside at the time head of the NSA you all took a fairly I don't know I want I don't know if it's totally unprecedented but novel Step at the time to declassify and release intelligence in advance of the invasion tell us a little bit about that that decision-making process how you came to it how much trepidation did you have about doing taking such a step and it's the fall of 2021 we we are watching the buildup of Russian forces on the border with Ukraine we have a very very good site picture as I would say in terms of what their goal and what they wanted to do and so the decision point is do we start to release this information and it's always Balan with you know what are the National Security objectives of our nation but also our sources and methods uh because our sources and methods are the same sources of methods that we need to be able to provide early warning protect Americans and be able to enable uh our own capabilities uh around the world and so the discussion goes uh for a period of of several weeks and and perhaps into a month or two about do we release certain information about what Russia is doing and president made a very very courageous decision say we're going to release it and that was after a a long discussion between policy makers uh and members of the intelligence community and members of my former agency about can we do this in a manner that first of all indicates what the Russians are doing but at the same time doesn't you know prevent us from in the future being able to do that same type of work it worked and so what's the result built a coalition disrupted an actor in in terms of what President Putin was trying to do he was trying to push this narrative that everyone knew was false and last thing enable to partner in Ukraine it didn't prevent The Invasion but it helped build a coalition indeed right but I I would say that having watched uh the Russians in this space for well over 10 years what they were saying was not gaining residence up until uh the invasion of Ukraine and this is the type of work that I think our nation has to do all the time so do you think that tactic could work with uh other actors for instance China I think it can in the right in the right sense I mean it's it's not a Panacea for everything but I think it's something we always have to look at and say hey is the the sharing of information the ability to have a broader Insight of an adversary's goals are can it be done effectively and safely so I also want to come to some an issue that is everyone's mind which is artificial intelligence and the news from last week that open AI the company behind chat GPT said that it caught groups from Russia China Iran and Israel using its technology to try to influence political discourse uh around the world and while these attempts to gain traction or struggled a bit they still underscore the concern we have about generative AI talk to us about how you think we should understand the risk and use of AI by Foreign actors in crafting more effective disinformation campaigns especially as we are five months out from a a very consequential and fraught presidential election let me zoom in and then kind of zoom out on that question zoom in I think the interesting thing is is that open
2024-06-07