Washington Post Cybersecurity Summit 2017

The Washington Post hosted its annual Cybersecurity Summit in Washington on October 3. This year’s summit was sponsored by Hewlett Packard and Georgetown University.

The summit included three sessions: “The View from the White House;” “Threats Facing America;” and “Cybersecurity and Civil Liberties.”  Featured speakers included White House Cybersecurity Advisor (and former NSA’er) Rob Joyce, former White House Cybersecurity Advisor Dick Clarke, former NSA and CIA Director Gen. Michael Hayden (Ret.), and Representative Will Hurd (R-Tex) of the House Committee on Homeland Security and House Permanent Select Committee on Intelligence.  Highlights of the summit are included in the following summary.  Click here for more details. And click here for a complete transcript.

The View from the White House 

  • Rob Joyce, White House Cybersecurity Coordinator
  • Ellen Nakashima, Washington Post 

White House Cybersecurity Coordinator Rob Joyce made several newsworthy remarks about current cyber events and ongoing work in the White House. In discussing the Equifax hack, he called the Social Security Number (SSN) “flawed” and something that has outlived its usefulness as a personal identifier. Joyce is leading an Interagency group looking at alternatives to the SSN, including blockchain technology. 

Asked about the U.S. Government ban on Kaspersky anti-virus (AV) software, Rob said the original decision to allow Kaspersky was “flawed.” He placed the current decision in the context of national equities.  He noted that no U.S. company has access to the Operating System (OS) level of any Russian government system. This contrasts with Kaspersky’s AV software, which like any AV software, accesses OS’s and files on any computer where it’s deployed. He also said that Russian law requires Russian companies to share data with the government, suggesting that any data collected via Kaspersky AV software is shared with Moscow.  He demurred, however, when asked whether any sensitive data had been lost through Kaspersky’s access to U.S. systems and would not discuss classified information generally.  (Subsequent news reports indicated that the Israelis tipped the U.S. to the presence of stolen NSA cyber tools in data found in Kaspersky’s lab.) 

Another topic of interest is the Interagency group Joyce is leading on the Vulnerabilities Equity Process (VEP).  Vulnerability equities refers to the process for reviewing hardware and software vulnerabilities and how they may affect U.S. systems or, in contrast, be used by the U.S. to access foreign computer systems and networks.  Up until now, the VEP has been run out of the White House with little or no visibility except for a small group of government experts.  The Interagency is reviewing the VEP with two goals in mind. First, to make the VEP charter public to allow the public to understand the overall process. Second, to publicize the outcomes of VEP decisions that may affect the public.  As an aside, Joyce noted that NSA discloses 90% of the vulnerabilities they discover to U.S. companies in Silicon Valley. 

Asked about Russian interference in the U.S. 2016 elections, Joyce noted that President Trump accepts the fact of Russian interference, but continues to believe that the hacks of the Democratic National Committee and many state election systems did not impact the outcome of the election. He also reminded the audience that the previous administration designated the election system as a “critical sub-sector” of the national critical infrastructure, meaning that states can request DHS support to ensure their voting systems are secure. He noted that NIST has published technical security standards for voting systems as another helpful initiative. 

Threats Facing America  

  • Richard Clarke, former White House Cybersecurity Coordinator
  • Gen. Michael Hayden (Ret.), former Director, CIA and NSA
  • Craig Timberg, Washington Post 

As you might expect, this was a lively discussion with Dick Clarke and General Hayden on the Russian hack of the elections, the growing threats posed by social media, and the “weaponizing” of information. 

Mike Hayden noted that the Chief of the Russian General Staff has declared that “combat in the information domain” is an important aspect of modern warfare.  It’s obvious from Russian meddling in European and American elections that the Russians are implementing this new aspect of their strategy of “information operations.” Hayden’s view is that the Russians “want to dominate the information space.” 

Dick Clarke added the thought that Russia is using cyberspace to conduct psychological operations and create chaos as part of an overall strategy to regain its global prestige after the fall of the Soviet Union.  Clarke pointed out that the 2016 election was the first in which most Americans got their news from Facebook and other social media, which made the Russian operation much more effective.   

Both Clarke and Hayden believe that the Russian social media operation affected the outcome of the election. Clarke asserted his view that the situation is so serious that the Government should monitor and fund federal elections in the U.S.  He noted that the Constitution allows this. (Note: Article 1, Section 4 of the Constitution states: “The Times, Places, and Manner of holding Elections for Senators and Representatives, shall be prescribed in each State by the Legislature thereof; but the Congress may at any time by Law make or alter such regulations, except as to the places of choosing Senators.”) 

Both men were asked why the U.S. didn’t anticipate the Russian information operation and alert election authorities.  Clarke mentioned he had just published a book on the subject of “warning” that included 14 case studies on missed opportunities for alerts about national security threats.  But even with that background he didn’t anticipate the Russian actions.  Hayden noted that former director of the CIA John Brennan and former DNI Gen. James Clapper (Ret.) had alerted the White House in August 2016 and again in September about what looked like Russian interference in the election.  Both times they were sent back to get more information before President Obama would make a “tough decision.”  The Intelligence Community brought more information in October, but by that time the White House thought it was too late to do anything. 

Mike Hayden characterized the Russian hack of the DNC as “honorable espionage,” something we would do if we had the chance to gain insights into another country’s presidential election.  He said that the subsequent leaks of DNC emails through Wikileaks and DCLeaks could be considered a logical step in terms of classic espionage.  But the use of bot armies to troll social media and the micro-targeting of individuals was a “discontinuity” in terms of any precedents.  He added that the Intelligence Community isn’t good at seeing around corners and is subject to the “tyranny of expertise” in trying to analyze activities for which there is no precedent. 

The Equifax hack was another topic addressed by Clarke and Hayden.  They discussed the risk assessment process used by major companies holding large amounts of PII (personally identifiable information) on U.S. citizens. (Rob Joyce also talked about this, saying that Congress would likely consider whether companies should be fined for large data breaches affecting Americans.)  Clarke noted that CEOs, CFOs, and other corporate officers should be told the “day of” a data breach and not have to wait weeks to find out.  Hayden mentioned that the average time between a data breach and the company leadership finding out is about 200 days. 

Both speakers referred to a recent article by Rob Knake of the Council on Foreign Affairs who suggested using cyber insurance as a tool to create incentives against breaches for companies with large PII data repositories. The approach would be modeled on regulations enacted by the U.S. Government after the Exxon Valdez oil spill. After that incident, ships carrying oil were required to carry insurance for the entire value of an oil spill before the Coast Guard would grant them authorization to enter U.S. waters. This regulation created a business model for ship companies and insurance companies, which in turn led to fewer risks of an oil spill and lower insurance rates. By analogy, companies with large PII data bases would be forced to carry insurance to cover the costs of a PII data spill, which can be enormous. (Click to see the full article.)

Cybersecurity and Civil Liberties 

  • Christopher Furlow, President, Ridge Global and former Director for State Affairs, White House Office of Homeland Security
  • Rep. Will Hurd (R-Tex.), Member, House Committee on Homeland Security and House Permanent Select Committee on Intelligence
  • Michelle Richardson, Deputy Director, Center for Democracy and Technology’s Freedom, Security, and Technology Project
  • Marcy Wheeler, National Security Journalist
  • Brian Fung, Washington Post 

Rep. Will Hurd (R-Tex) is a former CIA officer and IT entrepreneur. Throughout this panel discussion, he commented on the lack of knowledge about cybersecurity among his peers in Congress and about the lack of understanding of cyber risk management among CEOs, most of whom have been trained in financial risk management but not in cybersecurity. He added that Congressional oversight of the Executive Branch in cybersecurity is hampered by the lack of basic “cyber hygiene” within the Congress. 

Other speakers noted that the OPM and Equifax hacks demonstrated that “you can’t trust the government or the private sector.” One speaker mentioned that the Europeans are “laughing at us” for our lack of cybersecurity. 

Rep. Hurd pushed back against this comment.  He noted that his counterparts in the European Union (EU) Parliament are envious of the intelligence oversight responsibilities of the U.S. Congress. He also noted that the German Government owns one-third of the telecommunications infrastructure in Germany, meaning that “the BND can do things to German citizens that NSA would never think of.”  

The EU’s General Data Protection Regulation (GDPR) that becomes effective in 2018 was mentioned as a model for data protection. Rep. Hurd agreed, although he said that GDPR may be a “back-door trade sanction” for non-EU companies. 

Rep. Hurd cited Estonia, a country of 1.3 million people (about the size of his home city of San Antonio) that provides all government services on-line. He cited this as a model of digital trust established between the government and citizens. 

(Note: Rep. Hurd is IT- and cyber-savvy. He has sponsored or supported several cybersecurity bills in the House, and seems to be a strong advocate of NSA. He is currently working on a bill to establish the Cyber National Guard, a scholarship program to train students for cybersecurity jobs in the Federal Government. For additional information, see his website at hurd.house.gov.