The Road Ahead for Cyber & Emerging Tech Policy

The Road Ahead for Cyber & Emerging Tech Policy

Show Video

>> ANNOUNCE: Please welcome Anne Neuberger and Niloofar Razi Howe. >> NILOOFAR RAZI HOWE: So, I am thrilled to welcome Anne Neuberger, the deputy national security advisor for cyber and technology. And we're before Alicia Keys, who's on this afternoon. So, you know, we've got to compete somehow.

You have been in this role at the National Security Council for four years now. I'd love to start by delving into what's different. What's changed in the past four years? Starting with the threat landscape. >> ANNE NEUBERGER: Absolutely.

So, first, it's really great to be here. And it's been a fantastic RSA. So, it's great to be a part of it.

I think the fact that you see the Secretary of State show up at an RSA conference for the first time says it all, right? It's the geopolitical world meets the digital world. And when you think about that the evening before Russia's invasion of Ukraine started out with a cyberattack, that tells the story. And that's the essence of the threat landscape. In terms of in more and more complexing crises, the digital world, cyber, is a big part of it. And that's laid in on a digital world, particularly critical services.

Pipelines, water systems, oil systems that are as vulnerable as ever, and evermore digitally connected. So, the combination of countries, criminals, seeing the opportunity to use the geopolitical world to achieve - to see the – using the digital world to achieve the geopolitical outcomes and the level of vulnerability is why this community is more critical than ever. >> NILOOFAR RAZI HOWE: An we're going to turn in to everything you just said, from Russia-Ukraine to critical infrastructure to water to technology companies and their role.

Yesterday, there was this great panel here; the four horsemen. It was General Nakasone, Jen Easterly, TJ White, and Lieutenant General Stephen Davis. And they walked through the stand-up of cybercommand and how that happened and what they were responding to. That may have been a first step, but how has the government organized, or reorganized, to rise to the challenge? >> ANNE NEUBERGER: That was a great example of a step where the Department of Defense recognized that the cyber domain was a domain both of defense and of offense, and that it needed to organize in a different way.

And, frankly, attract different kind of people in order to be effective in that space. I think what you saw, following that, was really bringing together the intelligence and cybersecurity communities in ways they hadn't been brought together today. And when General Nakasone stood up, the cybersecurity director at NSA, and he asked me to lead that stand-up, what we were essentially doing was bridging what had been two parallel communities until then; the cybersecurity or information assurance community and the intelligence community. And I recall, you know, one of the missions at the National Security Agency is building the cryptography for nuclear command and control. You know, protecting the essence if the president – may he never – but if the president is giving a command to the nuclear command and control environment, the security of that communication, the validation of that.

>> NILOOFAR RAZI HOWE: Make code, break code, right? >> ANNE NEUBERGER: Exactly, exactly. And we brought together, for the first time, the individuals who were working to determine what are Russia, China's, Iran's programs against nuclear command and control? Collecting intelligence about it with those building the codes and the cryptography. And that community, working together for the first time, having common clearances is so powerful.

You can only defend something that you truly understand. So, that's a good example of another set of organization. And then you see, of course, the stand-up of CISA. Jen likes to describe as one of the newest agencies.

The stand-up of the Office of the National Cyber director. Each of these organizations stood up in a fit-for-purpose way to tackle both how government organizes, and then, even more importantly, how we work more effectively with the private sector. >> NILOOFAR RAZI HOWE: Your role was stood up to bring cyber and technology into the national security and the geopolitical conversation. Can you walk us through if that's happening, how it's happening, and why it's important? >> ANNE NEUBERGER: Yes. That really was the purpose.

To say that, in the national security world, cyber and emerging tech has to have a seat at the table. And that's a big part of what my role is. So, for example, when we first had the intelligence regarding Russia's planned invasion of Ukraine, we were at the table discussing a couple of things. One; what tools could we bring to potentially - deterring Russia from actually doing that invasion? Even more importantly, as the U.S. government was working with our European partners, to say what could we do in the role of sanction to impose cost? To punish the Russians if they do invade to – to say a country can't just roll over another country's borders.

A big part of that was Russia has a sophisticated, advanced cyber program. They've used it offensively in the past. How would we defend against them, potentially? The blowback of their cyberattacks in response to our sanctions. So, being at the table and a part of that conversation. And then convening the various U.S. government players who

are part of that integrated response where cyber and digital comes into the – into a specific geopolitical crises was really the – the goal of bringing this kind of role into the National Security Council. >> NILOOFAR RAZI HOWE: And that was critical, especially at the start of the Russia-Ukraine conflict. As you look to the future what are you most worried about? >> ANNE NEUBERGER: The same kinds of issues that we talked about at the beginning, which is - it's far easier to be on offense than on defense, right? An actor in offense has to find one point of entry, one vulnerability. Our defensive teams. And it's why there's so much burnout, and why it's such a challenging role for CIOs and CISOs.

They've got to be monitoring every door and window. So, how we use technology like AI, for example, to take the drudge word – the drudge work out of defense to close the gap between offense and defense. That's one. So, that worries me considerably because we see a more and more challenging geopolitical environment, greater and greater integration of software into critical systems, and more and more vulnerability in those systems. And that's why initiatives in every vein - initiatives like CISA's initiative to do secure by design. Like the White House initiative to do Cyber Trust Mark.

To give a way for consumers to measure the security of a product. Like the disruption the Department of Justice is doing to make it harder for actors. And the international partnerships we bring are all critical to making progress on that. >> NILOOFAR RAZI HOWE: So, you have a unique authority in your role, which is a convening authority.

Can you tell us why that authority is important and how it's been used? And maybe how it will – it will evolve in the future? >> ANNE NEUBERGER: So, I know in his opening marks, Kevin Mandia talked about ransomware. It's a really hard problem. And that convening authority has been a big part of the way the Biden administration has tried to take on the problem in a new way. So, let's talk about that.

So, there's really three lines to the way we've approached it. The first piece is we've got to lock our digital doors. We've got to make our critical systems more secure. The second is we've got to make it riskier, costlier, and harder for attackers.

Notably criminals who, in 75% - 80% of the case, are in Russia. So, they're outside the traditional reach of law enforcement. And finally, cyber has no border. There - it's fundamentally transnational. We see hospitals in Romania hit by actors in another set of country, using infrastructures or cloud accounts they create in – in a third set of countries.

So, we need to build the international partnerships to tackle that together. Because, ideally, once an attacker uses a particular strain of malware, a particular technique, a particular wallet once, if that's shared among the defenders, the - it's more defensible and the attacker has to come up with a new approach. So, as we started to see the surge in ransomware, and as we started to see that each of these efforts were needed at the White House, we convened all the different agencies.

Clearly, CISA, the regulators and sector risk management agencies to say how do we surge on defense? The Department of Justice, the U.S. cyber command, and our intelligence community to say how do we surge on identifying the actors, the infrastructure, the wallets? And ways to break that. And to break it faster and more repeatedly than we have before. And then, finally, the state department and some new players, like our financing arms to say how do we build those international partnerships in an operational effective way? >> NILOOFAR RAZI HOWE: So let's pull on that thread a little bit about operational collaboration.

There's agencies that we talk about every day at RSA. Their leaders show up. Their practitioners show up and talk. There are agencies that we're not used talking about in the cybersecurity community that are actually playing a role, partially because you have this convening authority. Can you give an example of an agency that might surprise the audience here that's involved with cybersecurity and Ransomware? >> ANNE NEUBERGER: That's a fantastic - absolutely.

So, that would be - believe it or not - the export/import bank under its really dynamic fantastic leader, Reta Jo Lewis. And how did she come into that? So, a couple of years ago, we get a call from the ambassador in Costa Rica saying there's been a very significant ransomware attack against government systems of Costa Rica. The president of Costa Rica believes it was right after he was the first Latin American leader to call out Russia for its invasion of Ukraine. >> NILOOFAR RAZI HOWE: I actually think one of the Russian ransomware gangs took credit for taking out the entire government of Costa Rica at that time. >> ANNE NEUBERGER: Yeah, exactly.

And for a period of time. And her call was we need help. So, shout-out to an FBI team who got on a plane and was quickly in Costa Rica. And then the question was how do we help this country build trusted infrastructure? And build trusted infrastructure in a real way. And that was where the export/import bank came in. Traditionally, the bank had been used to finance things like Boeing planes, hardware, the – the – the kinds of – the way we used to think about what our exports are.

And, increasingly, there's a change where we're recognizing that software and tech is really the way we compete around the world. And Exxon did its first ever financing. $300 million financing of the next generation of 5G infrastructure in Costa Rica, which was part of this buildup of new, trusted infrastructure in the country. And since then, we're working to rinse and repeat that.

So, very unusual. >> NILOOFAR RAZI HOWE: So, I was speaking with the leadership of the development finance corporation, which historically funds international development projects in countries around the world. And they were talking about how their mission has become a national security mission as well. Can you talk a little bit about even DFC, which is international development organization? And why it's important that every agency think about the geopolitical national security implications, especially in cyber. >> ANNE NEUBERGER: So, we're in a larger strategic tech competition with China. And we'll talk about - I'll answer that through the lens of 5G.

So, telecom is such an important sector, right? Everything - everything rides on our telecom, whether it's our company's IP or it's our nation's secrets. And telecom systems are so complex today that if you don't have confidence in those vendors, it's really hard to trust it. Because, at the end of the day, they have to, for example, maintain remote access to the system to keep it updated. How do you know the purpose of that remote maintenance if you can't trust them? And the Trump administration rolled out a real focus around the world on trusted 5G.

Really fighting Huawei – the Chinese broader presence – >> NILOOFAR RAZI HOWE: Clean networks, right? That was the initiative. >> ANNE NEUBERGER: And, while the U.S. government provided intelligence briefings to countries around the world and helped them understand why this was a real national security concern for them, the challenge was that there wasn't - as we heard again and again from countries - there wasn't competitive tech. Tech that was as good, at a similar price, that countries could use.

So, when you had a country that said, look, we want to upgrade to 5G, we need, you know - Huawei's products are 30% less. You've got to compete. That's where agencies now, like DFC and Exxon, recognize their role in helping provide financing so that trusted vendors can compete. So, that's closed the circle on enabling kind of more secure infrastructure around the world.

>> NILOOFAR RAZI HOWE: Beyond sort of the clean network initiative that continues today, and is critically important, is there anything else we can do to get in front of this problem? It's – it's become a scourge. I mean, it's hitting everybody. The largest companies, the smallest companies. And it's affecting not just their ability to operate Colonial Pipeline, but it's affecting their ability to provide the critical services that allow small businesses to operate. At United Healthcare, for example, and the payment system there. What can we do, beyond the clean networks, to get ahead of this? >> ANNE NEUBERGER: There have been two things that are - that we've put - as I talked about a moment ago, you know, one focus has really been improving the cybersecurity of critical systems.

And the White House has done - President Biden has done something dramatically different than was ever done before. And that is following almost every country around the world. We were actually pretty late to this. Establishing mandated minimum cybersecurity requirements for critical sectors. So, when Colonial Pipeline happened, and, you know, we turned and asked why is this happening? Don't we have rules for, you know, minimum practices? And the answer was we didn't. And what we recognized was the basics.

So, out of Change Healthcare. The pretty basic practices were not in place. We've seen millions of Americans' medical records stolen, not encrypted. Clearly, if a hack happens, if the data is encrypted, even if it's stolen, it can't be used to blackmail individuals.

So, the first thing we've been working on is putting in place, sector by sector, using cobbled together authorities, emergency authorities, and others. Minimum cybersecurity requirements to say kind of like if you park your car and leave the – leave the keys in the seat with the door open - with the – with the – with the door unlocked, are you being negligent? And that's the first step. And then, to your point, that's been sector by sector with different approaches.

And then equipping each of those sectors. Helping the Department of Energy hire the right people, engage with those sectors. We'll be doing that shortly. We're working with the hospital sector, putting in place minimum requirements to help hospitals ensure that they are doing what they need to to keep patient data safe. >> NILOOFAR RAZI HOWE: What about consequences? Is there a way to increase consequences on ransomware actors? We did – I mean, we didn't increase consequences, but with Colonial Pipeline, you know, we got the crypto. Is there a real effort to do that with cryptocurrency? And are there other consequences that we can impose on them globally, with our allies, to reduce ransomware? >> ANNE NEUBERGER: That's the key to the question, right? Because right now, it's a very profitable business.

American companies paid $1.3 billion in ransoms in 2023. It's almost - >> NILOOFAR RAZI HOWE: Yeah. And I think the gross margin is, like, 99%. It's a good business model. >> ANNE NEUBERGER: And it almost doubled from the year before.

So, I think three sets of consequences. Our first, every time a ransom payment is made, it feeds the beast. So, how do we slowly start turning that off, right? And some of that is companies having offline backup.

So, even if they're hit, they can recover, and they don't need to pay the ransom. And I think it's changing the language as well, because people now often say, well, you're revictimizing a victim. And I think we need to look at it as by the time a Change Healthcare hack happens, when, for a decade, we've been calling and saying companies, encrypt your data, use MFA, are they still a victim? Or is there a question of is this negligence? So, I think changing the language to say there's an expecting good housekeeping seal if you're operating a hospital, if you're operating a pipeline. That's really what's needed. The third - and a shout-out to the Department of Justice and cybercommand that have really changed their approach.

And a recognition that many of the actors are in Russia. It's hard to get to them physically. So - >> NILOOFAR RAZI HOWE: We can make sure they never go on vacation outside of Russia, though. >> ANNE NEUBERGER: That's the goal.

And so, to disrupt the infrastructure. And it has temporary impact. Let's be honest. We've seen – you know, I have a chart in my office where we show each disruption and the period of time it goes right back.

But doing them faster and more regularly. And, really, the Department of Justice has built partnerships around the world with other countries. We're working on this together. So, those three things together. Trying to turn off the spigot of money that finances it. More active and steady disruptions of the infrastructure.

As well as the larger piece, the really putting in place minimum mandates to make our critical services harder targets. >> NILOOFAR RAZI HOWE: You talked about NSA and the stand-up of the cybersecurity director, at which you are deeply involved with. And with that stand-up came the stand-up of the Cyber Collaboration Center, which was the first time the NSA had an unclassified facility that was externally focused. And its mission is to eradicate cyberthreats from the defense industrial base. Which, it is the – it has the authority to protect. Can you talk about these collaboration centers? Do they have a role to play? And, actually, walk us through that whole - the stand-up of CSD and CCC.

And what the lessons learned may have been. >> ANNE NEUBERGER: So, the collaboration centers have a critical role to play. You just need to walk around RSA and see the community here to know there is no way government or the private sector can solve or can really make progress in securing cyberspace without working hand-in-hand. And each has a unique role. In many ways, the intelligence community learned the humility of its role. The private sector is on networks, around the world.

Sees billions of endpoints. Often, will see a threat first. And has the ability to quickly push out a defense much more quickly, right? So, a part of the CCCs was a recognition in the national security community. We cannot solve this problem alone. And the best way to do that is to bring what we uniquely have, which is potentially threat intelligence about an attack that hasn't happened yet. A technique that hasn't happened - that hasn't been used yet.

Or a geopolitical situation that's evolving which raises the threat environments to where people should, as my – as my friend and colleague Jen Easterly says, put their shields up, right? So, that - that recognition of really the role of the national security community and the role of the private sector, an independent effective critical role. And that they each have to be supporting each other to make it more than the sum of its parts. >> NILOOFAR RAZI HOWE: How much of a cultural change was it to stand up this - I mean, it was no such agency, right? For a long time. To stand up this collaboration center to be more externally facing. To put their name on zero days that they found. To co-seal documents, white papers, guidance that they were giving to the - to the private sector.

>> ANNE NEUBERGER: It was a remarkable culture change. And I think about - you know, I joined the National Security Agency in 2009. Actually, for the stand-up of cybercommand.

And a couple of years later, I was leading an organization that did sensitive classified partnerships with the private sector. I moved in a month before the Snowden media incidents. And we saw that some of the private sector partnerships that had stood up after September 11th - companies stepping back and saying we can't work with the U.S. intelligence community. The cost to our brand, the cost to our global partnerships, the cost to our global customers is just too high. Following that, we saw the counter-ISIS fight, the counterterrorism fight. I think it showed, again, first, the role of transnational threats like terror threats.

And the role of technology, right? Because, at the end of the day, those terrorist actors were using U.S. communications because they were ubiquitous, often cheap, and available and good, right? So, you saw, for the first time, terror actors using Gmail, using Hotmail. And it showed the role of the tech community in helping to fight those kind of transnational threats. >> NILOOFAR RAZI HOWE: The other place that the tech community has been very involved is modern conflict.

And it's not a surprise, but our platforms are hyper scalars, our incident responders are communications providers. Companies like Starlink and individuals like Elon Musk have actually played a critical role in terms of ensuring that Ukraine was able to survive the first onslaught when Russia invaded in February. Can you talk a little bit about the changing role of the tech sector and private companies using the lens of modern conflict? >> ANNE NEUBERGER: Yes. And, you know, it's no surprise that the evening before Russia's invasion of Ukraine, Russia conducted a cyberattack against an American satellite company that provided, essentially, Ukraine's military communications.

As you said, that hack would have completely disrupted the ability of Ukraine's military to communicate if not for SpaceX and Starlink. But I want to talk a bit more about the Russia hack. Because when they hacked this company, it also impacted windmills in Germany and about 30,000 French homes who used VSAT terminals to – to get their connectivity. And then, interesting conversation just a couple of months ago.

The – the CEO of the company came in to talk about some of the jamming they're seeing in the Ukraine context. And to get a sense of we're – we see Russian electronic warfare programs evolving to – so they could build in the protections to avoid physical harm to their satellite. And he – and he made an interesting comment. At the time when Russia conducted the attack against Viasat, we wanted to take that opportunity as a community of countries to call it out.

Name Russia as the perpetrator, and also call it out to say that's against the UN global governance cyber norms. That all these – >> NILOOFAR RAZI HOWE: It took about two months to do that, right? I mean - >> ANNE NEUBERGER: It did. >> NILOOFAR RAZI HOWE: We knew the next day it was the Russians. I don't mean to interrupt the story. But one of the key questions is why did it take two months? >> ANNE NEUBERGER: I'll come back to that.

>> NILOOFAR RAZI HOWE: Okay. >> ANNE NEUBERGER: Everything – in short, everything in government takes longer than you expect. Add some multiple and then look over your shoulder and say, okay, here's the hill we climbed. Next time, maybe we can climb it a bit faster. But what was interesting was – so, at that point - to your point, it was the first time ever the European Union called out Russia for the cyberattack. We came in behind them because we felt that the impact was in Europe, so we should let the European Union lead.

And called out this attribution. Well, when I recently talked with that – you know, with the company, they made the point to say well, that attribution was excellent. It was important for international cyber norms. But after that, there was a question of insurance companies not paying as a result, because it was an act of war. So, that goes back to the question you asked the role of technology companies in a crisis or conflict.

And how we think about those roles as digital systems become - are more and more critical. As you see, for example, U.S. companies at the forefront of surging to help Ukraine defend, to help Ukraine move its data to the cloud, to make it more – to make it more resilient. This is an evolving area for a lot of deep thought because technology is the root of both defense and offense today. >> NILOOFAR RAZI HOWE: There's an interesting anecdote in terms of Starlink because Elon Musk did not – Starlink didn't have landing rights in Ukraine when Viasat was taken out. And he Tweeted, "Hey, I've got this system.

I can turn it on. I can give you communications. But I don't have landing rights." And Mykhailo Fedorov, who's the minister of technology for Ukraine, Tweeted back, "You got it. You now have permission."

And so, they turned it on. It may have been the first time a contract was formed on Twitter. But it also, I – I think, shows the importance of the private sector from a speed and agility perspective. Because I don't think the U.S. government, yet, can have contracts and treaties through Twitter. >> ANNE NEUBERGER: Something tells me you're right.

>> NILOOFAR RAZI HOWE: Let's talk about artificial intelligence, which we have not talked about at all at conference. >> ANNE NEUBERGER: Just - I would say, before we go there, for one moment – you know, because you asked about lessons learned. I certainly think, as Taiwan looks to Ukraine's experience regarding digital resilience, looking at the fact that it's an island.

And seeing that the number of cable cuts, whether unintentional anchor drags or malicious, has increased significantly in the last couple of years. Taiwan, you may have seen, has really been thinking about moving its data and having satellite connectivity for additional resilience. Putting those contracts in place now and really thinking about its national level ability to communicate, for its military to communicate, to preserve important data. Because if a government - a government must be able to communicate with its citizens, particularly in a crisis. I mean, think about the ability of the Ukrainian leadership to communicate to their citizens.

And had those communications been severed, how much that would have accelerated Russia's takeover of a country that was unsuccessful. So, I think we're seeing a lot of lessons learned about the role of digital systems and the role of using the private sector in planning to build in resilience for a crisis or a conflict. >> NILOOFAR RAZI HOWE: Yeah. So, this is the importance. Going beyond trusted technology and clean networks.

Resilience ends up being the key. And private sector is critical, as you said, to that. Another place where private sector is leading is artificial intelligence. And there was important news this week.

OpenAI and the Coalition for Content Provenance and Authenticity steering committee – so, OpenAI released a tool to a few researchers to detect content that's developed by Dolly. Which is critical. And to me it's really interesting that you have the AI companies creating the tools to detect synthetic media that's using their technology. It solves a little bit of the problem, but not all of the problem. It seems to be a positive step forward for safety. Having said that, there's a very vocal group of opponents who don't believe the U.S. government has a regulatory role

to play with respect to AI. Because it's moving so fast. And how do you regulate technology that you don't understand? We're still learning about AI. What is the government's role with respect to artificial intelligence? >> ANNE NEUBERGER: So, first to that point, you've seen three lines to the way the U.S. government is approaching artificial intelligence, right? There's tremendous promise. There's also significant peril.

And the guidance President Biden has given let's make sure we glean the promise for our society, for our citizens, for our economy, for national security while also doing it in a responsible way. So, to your point, one of the first steps was the president negotiated a set of voluntary commitments with companies. Because there's steps companies need to take to build the technology in a way that Americans can trust. In a way that there's transparency on the data models are trained on. So people can say, hmm, is that data, you know - does that reflect all the people who are using it? Or is it biased small beat because it has one set of data for various reasons? Similarly, how our systems red teamed? How are they tested? Where is there a human in the loop? If it's a system that can lead to physical actions happening out of it. So, the first step of the U.S. government's approach were

those voluntary commitments say, "Companies, step up. You have a role independent of regulation." The second piece was, you saw, the president's executive order that laid out, to the extent of current law. And it definitely included both a promise and a peril part to say, for example, you know, if you have a classroom of 30 children, every child is learning differently.

So, how do we integrate AI into education in a way that, again, is safe for kids? How do we use – how do we train hiring models? But in a way that doesn't promote bias. So, it had very explicit efforts in that way. And then, finally, the work that's happening on the Hill to think about new laws that may be needed in this space. And I think as we think about cybersecurity, there are – there are so many – and social media – there are so many sobering lessons learned. Just a link to our prior conversation. Because when I think about the biggest challenge we have, for example, today, you know, China is prepositioning in critical infrastructure.

We believe in order to disrupt it or break it or slow it in a time of a crisis, the fact that all of these critical services got connected to the internet without security at the beginning. And now we're trying, at the end, to layer it on top. It's more costly, it's less effective. There's a powerful lesson learned for AI in terms of how we bake in as we begin using AI, particularly in critical parts of our economy.

How we protect models that companies are training. We do want the advanced, most powerful models to be American. Well, how do we prevent them from being hacked and stolen? There's really powerful lessons from cybersecurity that apply in this space.

>> NILOOFAR RAZI HOWE: I'm just going to give a shout-out to the RSA Innovation Sandbox. Last year's winner, HiddenLayer, was - is focused on protecting AI algorithms. This year's winner, Reality Defender, is focused on finding synthetic media and exposing synthetic media. And they seem to have incredible technology.

It's a great team of folks. So, there's no question that the community is also involved, and grateful that the innovators and entrepreneurs are also focused on this problem. Because it's big. I want to press you on that - on that third piece a little bit. So, we live in an era unlike anything we've lived in before, right? It's - there was a time when we had 300 years to adapt to a technology revolution.

The printing press. Two hundred years to adapt the agriculture revolution. One hundred years to adapt the Industrial Revolution. So, not only has the timeframe shortened for how long we have to adapt - and I think AI is a great example. Its use cases are proliferating much faster than we imagined. We live in a time of exponential technology revolutions, right? It's not just gen AI.

It includes synthetic biology. It includes satellites. It includes quantum. It includes NextGen energy. It includes manufacturing. Can a government keep up with the use cases that are going to come out of this - because we don't even know what they are today - and actually regulate it? Or should that - is it more important to put out the guidance and the standards and the expectations, and allow private sector to regulate itself? And, by the way, I recognize how much that hasn't worked in the past.

But is this a time when we need to do that? >> ANNE NEUBERGER: You know, there's always a tension between innovation, competition, and security. And in the United States, and as we look around the world, there are really three national models to managing that tension. The U.S. approach, which generally puts innovation first.

You know, innovation has powered our economy, has made us a country entrepreneurs want to come to from all over the world. We see the model of the European Union that generally puts, you know, competition and – and safety to a lesser extent first. And, as a result, I think that's reflected in the number of AI and leading tech companies in Europe versus the United States.

And then, finally, China, which puts control and censorship as its primary vector that it aligns around, right? So, you literally see three national models in this space. And they reflect the country's culture, the country's history, and how this – how each country sees itself competing on the global stage. I think, to your point, there are real lessons from social media and from cybersecurity.

Because, in many ways, U.S. tech is the leading – is - leads around the world. I think as we look at the cybersecurity space, as we look at the ability of - whether it's malicious actors or criminals, right, to literally hold big parts of our infrastructure ransom. We're dealing with yet another ransomware attack against a major hospital chain in the country today. It's sobering. Because I think the lesson is that when you have critical services that cannot be disrupted, those are where we have to prioritize regulation.

And we obviously want technology in those places. But if we bring in technology without the right security and safety built in, then we bring in what could be too high a level of a risk. So, here's an example, right? In artificial – in the president's executive order on AI, he tasked every agency - pipelines, rail, energy - to do a risk assessment. Where is AI being used today? And what is the right way - what is the responsible way to do that? And those reports have come back. And some of the most promising areas of AI are in the energy grid. For example, they talk about maintenance of transformers.

Transformers are big systems. They take a long time to build. They take a long time to maintain. And right now, they're maintained, often, on a schedule.

That doesn't necessarily reflect did one get more wear-and-tear? Is one - does it prematurely need maintenance? So, a huge opportunity to use AI to optimize that maintenance cycle. Now, it could optimize. What if the model is wrong and you're taking transformers offline and affecting the grid before it's ready, right? So, that's a great example of where you'd want to know how you're red teaming that model. You'd want to know that maybe a human is in the loop, looking at those results, before you take a transformer offline. So, I think that's what we can learn as we look at AI. And what's the right balance between innovation and security.

It's instructive to say what are the most higher risk uses where we need to have more confidence in security and safety in these systems? >> NILOOFAR RAZI HOWE: So, are you an AI optimist or an AI pessimist? >> ANNE NEUBERGER: I'm definitely an AI optimist with guardrails. >> NILOOFAR RAZI HOWE: Okay. That's kind of right down the middle. >> ANNE NEUBERGER: I create my own category. >> NILOOFAR RAZI HOWE: An totally not an answer.

But I'll let you get away with it. Let's talk about - pulling on this - global elections. Something - we have a presidential election coming up, but it's not just us. Eight out of the ten most populace countries in the world have an election coming up this year. Half the world's population is going to be voting this year. It is the biggest year on record when it comes to elections.

We have a lot of effort going on - and I'll get into that in a little bit - with respect to protecting our elections. What are we doing to help our allies and countries around the world that maybe don't have as much sophistication in terms of dealing with misinformation, disinformation, synthetic media? >> ANNE NEUBERGER: You know, as you talk about - when we think about election security, we think about both influence - countering influence, countering disinformation. And then the physical hacking of systems.

I think, as you noted, the former influence efforts are the ones that are of more concern. And, to your point, deep fakes. And the ability for AI to generate more and more precise deep fakes is a real concern. And I think that's why watermarking, both invisible and visible marks that show a user this is AI-generated content – not it's - not it's wrong, not it's right.

It's just AI-generated content. So that a user looking at that can say, okay, then let me judge it accordingly. And I would note that the effort you talked about earlier, the CP to AI, is particularly important because it includes both platforms that generate AI content as well as social media platforms that can use that watermark to display the message but also collaborate on deep fakes that may not be watermarked. And use that to detect that as well. >> NILOOFAR RAZI HOWE: Or if the watermarks are then deep faked.

>> ANNE NEUBERGER: There's a lot there. >> NILOOFAR RAZI HOWE: I know. >> ANNE NEUBERGER: So, I think, to your point, I want to call out and commend, you know, Microsoft's president. Brad Smith really pulled together that tech accord of companies working together to both identify deep fakes related to elections, give the information about them. Because the more companies can do in this space is less fraught than governments being involved.

So, that's a great example of companies standing up to help ensure that people looking at AI-generated content, particularly in the context of an election, can know if it is or isn't. >> NILOOFAR RAZI HOWE: Let's turn to China. Our time is running down, and it's not possible to have this conversation without actually talking about China. And especially from a cyber perspective. Living off the land and Volt Typhoon. Can you talk a little bit about those two and why they matter so much? And the national security and geopolitical implications of that.

>> ANNE NEUBERGER: Yes. So, first, it matters so much because as we look at China as a strategic competitor, we're not equal in the way we can use offensive cyber capabilities. What do I mean? The first question, when a country thinks about, obviously, any use of offensive cyber capabilities is, well, what happens at Move 2? What happens if there's a response? And the level of vulnerability or resilience in the nation's critical infrastructure is fundamentally linked to how much a country is willing to use capabilities in cyberspace. And there's a fundamental disconnect between China and the United States because China has a great firewall.

China monitors its citizens' communications. The U.S., thankfully, under the Fourth Amendment, does not monitor national communications. And, indeed, as we know, critical services are owned and operated by the private sector. So, there's a fundamental mismatch in national defense because of our different national values and cultures.

So, the - what we learned in the last couple of years regarding China's presence in U.S. critical infrastructure was that that presence was in parts of our networks that didn't have intelligence value. A water system. There's little intelligence value there. Which led us to the conclusion that it was there to preposition, to disrupt, in a time of crisis.

Potentially, for messaging as well, to your point. To say to the American public, why are you getting involved in a crisis half a world away? The second piece of that is what was really eye-opening for us. Because we'd always thought when it came to sophisticated cyber programs, learning from Russia's programs, that if we hunted hard enough, we'd find really sophisticated exquisite malware.

And then build defenses against that. And I think what we've seen in the Chinese model is instead maintaining access to a system, learning enough about the system to use native commands. So, you can hunt and hunt; you're not going to find that special sophisticated malware.

You'll find odd behaviors, administrative accounts that logged on in the middle of the night, access to things where there shouldn't be access. So, it drives us to – to really think about defense in a different way. >> NILOOFAR RAZI HOWE: So intelligence gathering is a – is a legitimate function of a nation state. It happens all the time. We do it. They do it.

Prepositioning in infrastructure is not a legitimate activity of a nation state because there's no - as you said, no intelligence gathering purpose for that. Do we have the rules of the road to know what the consequences should be when a nation state does something that is not legitimate against us? >> ANNE NEUBERGER: So, when President Biden spoke with president Xi, and certainly when Secretary Blinken spoke to his counterpart, they conveyed that a presence in critical infrastructure is fundamentally destabilizing between two large countries that are in strategic competition but want to maintain a stable relationship. And that an attack on our digital systems would be treated as a kinetic attack on our homeland. To say that we don't view cyber and physical differently - they're fundamentally intertwined. And that - that's the way Americans access services. That's the way critical services operate.

>> NILOOFAR RAZI HOWE: So maybe if – if I'm hearing you correctly, prepositioning is something that's done in the kinetic world as well. Prepositioning in the cyberworld isn't going to have any other consequences - any more consequences than prepositioning in the kinetic world. It's – it's when they push the button that the consequences come, whatever they might be. >> ANNE NEUBERGER: I think the way we – we look at it is to say there should not be any prepositioned presence in our infrastructure.

And we are determined to push that out to ensure that critical services in America are safe. And you see a lot of hard work done at CISA, at the regulators, at the FBI, and certainly at cybercrime, moving forward to do that. Because we think that prepositioning - there is no legitimate - there's no legitimate reason to do so.

And we will do our best. And we will also say that if any action is taken, we will handle it accordingly. >> NILOOFAR RAZI HOWE: So another place in critical infrastructure that China has been able to really preposition themselves is in telecommunications. And we sort of walked away from the strategic importance with telecommunications for many years.

And it's come back to haunt us in a big way. What are we doing today with respect to 5G and 6G that's different and puts us in a different position? >> ANNE NEUBERGER: As you said, it's one of the most strategic sectors, particularly in an age of AI where telecom and data centers house the data that we need to train models. You know, when you think about a country that has - you know, particularly certain countries that may have national weather cameras, national surveillance networks, the ability to train those for facial recognition models, knowingly or unknowingly. The company that's managing that network has access to that. So, as important as telecom was, in an age of AI and training models, it's even more important.

And you see that reflected in the president's landmarked CHIPS bill that includes, for the first time, a billion and a half in an open innovation fund to really try to bring open standards into telecom. Because we believe that that's the way we bring the next generation of technology, virtualization, cloud, into what's been a very - you know, telecom's a really conservative sector. All of us, we don't - you know, we're not satisfied if even one call drops, one text drops. And as a result, telecom is really focused on ensuring 99.999% accuracy in – and as a result, isn't necessarily a sector that's innovated a great deal.

So, what we've been trying to do is bring in innovation. To bring in new players to allow our traditional strength in software to come to be here. And I think you've seen – it was pretty much a landmark announcement that took both a lot of work and also represented the changes happening. What AT&T announced; that they would be doing a new contract that included a number of companies with different radios, right? All part of that. To us, we just look at that and go, of course, right? We have a national network of phones from different companies. A company network with routers and devices from different companies.

But in our national telecom network, it hasn't necessarily been the case. So, that ability to use OpenRAM to talk to different radios so that a network can be managed in a virtualized way, so they can push traffic using the cloud and others where there's need. Is there a game? And more people are watching the game? Push traffic there. You don't need to stand up more hardware.

We're now seeing that change for U.S. vendors. And we're seeing competition around the world where there's now viable new technology approaches. >> NILOOFAR RAZI HOWE: Well, this is what - where I was going to go. Is – is it just about U.S. tech innovation and communications? Or is it also about our allies? I mean, when you think about it, in the companies that have gotten big, there's a fair number of both companies from Asia and companies from Europe that play a critical role in the communications network.

What are we doing to support their innovation ecosystem? >> ANNE NEUBERGER: You're exactly right. So, the first set of grants - the first set of big grants in the open innovation fund went to stand-up interoperability centers. And the companies playing in that are Indian companies, Japanese companies, European companies.

So that they can test the new tech together and learn – and learn from each other's lessons and scale much more quickly. So, those interoperability centers come from exactly your thinking of we need to move the world globally. The three biggest telecom markets are China, the U.S., and India. So, we've been building a very purpose-built telecom partnership with India because of the scale and recognition that when you innovate at that scale, you're fundamentally driving down costs in a way that we hope can push more and more innovation into the sector. >> NILOOFAR RAZI HOWE: So, the White House recently released a spectrum strategy.

Can you talk to us a little bit about how important that strategy is? Why it matters. >> ANNE NEUBERGER: When we think about the industries of today and tomorrow, they're all connected industries. Your connected car. Using UAVs to monitor distributed infrastructure. For example, electricity infrastructure, as we're doing in Ukraine when lines go down. To see which are the lines after a – after a Russian kinetic strike, which are the lines that are most important to bring back up quickly? All of that requires connectivity, requires more spectrum.

And we're at a point, as a country, where virtually all the spectrum that's usable and useful is already being used. The largest user is the Department of Defense for our military programs. Think ballistic missile defense.

Think just military programs that need to communicate with each other. As a result, as we think about how we lead in these connected industries of the future, we have to think about creative ways to use spectrum more efficiently and differently. So, that was laid out in that national spectrum strategy.

And we'll be launching, actually, a pilot this summer that includes, to your point about public/private partnership, we hope, a very new set of companies. Traditionally, defense contractors. But also companies who haven't necessarily played in the space. Thinking about how you share spectrum, how you use it more efficiently, and how you share it more effectively. So, it's a really - watch this space. Really interesting opportunity.

And, frankly, if we can crack that code, countries around the world are watching. Because everybody's dealing with this. How do you enable next generation UAVs at scale? Connected industries at scale? But also deal with weapons programs, national defense programs that are using exact same spectrum.

>> NILOOFAR RAZI HOWE: We spent a lot of time talking about the importance of clean networks with respect to telecommunications. But, of course, Chinese technology is embedded, you know, in many more places that are critical to us. Our cranes and ports have Chinese technology in them. Our autonomous vehicles rally on Lidar technology that comes from China. How do we address the bigger problem with respect to embedded tech - embedded Chinese technology? >> ANNE NEUBERGER: So, you've seen the initiatives at ports.

And I think what we've seen whether it's 5G, whether it's ports, whether it's Lidar and autonomous vehicles, is where we get involved in thinking about the risks is where we have the most impact. The earlier, the better. So, when you think about 5G, for example, we're really late in the cycle of in terms of American and many western companies having left that. Where you think about, for example, Lidar, autonomous vehicles, we're at the point to say what's a thoughtful approach that protects American sensitive data? That protects Americans' navigation data while also promoting innovation.

And I think, watch this space. You may have seen there was a notice of proposed rulemaking to think about the risks of Chinese vehicles, and to lay that out. Because it's certainly - there are real national security concerns. And the data collected, whether it's people, whether it's roads, whether it's military bases. And the areas around that.

And that's the work we're thinking about now, before there's a large number of Chinese vehicles in the market. And before the economic impact of Chinese subsidies of key strategic industries has its hit, has its impact. >> NILOOFAR RAZI HOWE: Well, we are out of time. I had, like, ten more things to turn into. I just want to really thank you for joining us at RSA Conference, and having this opportunity to spend an hour speaking with you across a wide range of issues. Join me in welcoming and thanking Anne to the stage.

>> ANNE NEUBERGER: Thank you so much. Thank you.

2024-06-15 03:54

Show Video

Other news