
In this episode of Cyber Space, Chris Inglis, the former Deputy Director of the National Security Agency and current Professor of Cybersecurity Studies at the U.S. Naval Academy, joins host John Carlin for a wide-ranging conversation about U.S. cyber defense. They discuss Inglis’s role on the Cyberspace Solarium Commission and the group’s proposals, the importance of instating a National Cyber Director to coordinate policy across the government and the private sector, why Russia, China, North Korea, and Iran pose the greatest cyber threat, and his reflections on the Edward Snowden revelations.

Cyber Space is the newest podcast for members of CAFE Insider. Every other Friday, John Carlin, the former head of the Justice Department’s National Security Division, explores issues at the intersection of technology, policy, and law with leaders who’ve made an impact in the world of cybersecurity. 

REFERENCES & SUPPLEMENTAL MATERIALS

THE SOLARIUM REPORT

  • Cyberspace Solarium Report, U.S. Cyberspace Solarium Commission, 3/2020
  • H.R.5515 – John S. McCain National Defense Authorization Act for Fiscal Year 2019, Congress.gov, 8/3/2018
  • Robert Chesney, “The Law of Military Cyber Operations and the New NDAA,” Lawfare, 8/26/2018

CYBERSECURITY LEADERSHIP

  • Maggie Miller, “Congress backs push for national cyber czar,” The Hill, 7/16/2020
  • Daniel Arkin, “Trump’s decision to eliminate role of cybersecurity czar rattles experts. Here’s why,” NBC News, 5/16/2018
  • David Uberti and James Rundle, “Inside the Renewed Push for a National Cyber Director,” Wall Street Journal, 8/11/2020

NOTPETYA ATTACK

  • Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” WIRED, 8/22/2018
  • Ellen Nakashima, “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes,” Washington Post, 1/12/2018
  • Zach Whittaker, “US slaps new sanctions on Russia over NotPetya cyberattack, election meddling,” ZDNet, 3/15/2018

NORTH KOREA

  • Emy VanDerWerff and Timothy B. Lee, “The 2014 Sony hacks, explained,” Vox, 6/3/2015
  • David E. Sanger and Nicole Perlroth, “U.S. Accuses North Korea of Cyberattacks, a Sign That Deterrence Is Failing,” New York Times, 4/15/2020
  • Eileen Yu, “North Korean state hackers reportedly planning COVID-19 phishing campaign targeting 5M across six nations,” ZDNet, 6/19/2020
  • Ron Shevlin, “North Korean BeagleBoyz Hackers Step Up Attacks On US: What Banks Should Do,” Forbes, 8/27/2020

DDoS ATTACKS

  • “Cyber Actors Exploiting Built-In Network Protocols to Carry Out Larger, More Destructive Distributed Denial of Service Attacks,” FBI.gov, 7/21/2020
  • “What is a DDoS Attack?” Cloudflare, 2020
  • “Manhattan U.S. Attorney Announces Charges Against Seven Iranians For Conducting Coordinated Campaign Of Cyber Attacks Against U.S. Financial Sector On Behalf Of Islamic Revolutionary Guard Corps-Sponsored Entities,” Justice.gov, 3/24/2016
  • David Sanger, “U.S. Indicts 7 Iranians in Cyberattacks on Banks and a Dam,” New York Times, 3/24/2016

THE SNOWDEN ERA

  • Mary Louise Kelly, “A Former NSA Deputy Director Weighs In On ‘Snowden,’” NPR, 9/17/2016
  • “NSA General Keith Alexander: ‘Snowden betrayed us,’” BBC, 6/23/2013
  • “NSA deputy Chris Inglis pledges ‘more transparency’,” BBC, 10/10/2013
  • Garrett Graff, “How the US Forced China to Quit Stealing—Using a Chinese Spy,” WIRED, 10/11/2018

John Carlin:

From CAFE, welcome to Cyber Space. I’m your host, John Carlin. Every other Friday, I explore issues of the intersection of tech, law, and policy with guests who’ve made an impact in the world of cybersecurity. My guest this week is Chris Inglis. He’s the former Deputy Director of the National Security Agency where he was the highest-ranking civilian leader until his retirement in 2013. Chris helped transform the NSA into an organization equipped to defend and respond to the increasing threat of cyber warfare. He’s recognized throughout the world as one of the leading experts on cyber defense. He’s also a leader on the Cyberspace Solarium Commission. That group was tasked by Congress with developing a cohesive national strategy to defend against significant cyber-attacks against the United States. In March, the Solarium Commission published a report with over 80 recommendations to improve the nation’s cybersecurity. Chris Inglis, welcome.

John Carlin:

Chris, before we dive in too deeply, I want to get a sense from your perspective, what do you see as the real-life stakes if we don’t get better in terms of our cyber strategy and soon?

Chris Inglis:

That’s a great question, John. Let me say what I don’t think the stakes are, which is that there’s a lot of discussion at moments like this about a cyber Pearl Harbor, some cataclysmic event that brings it all down in a smoking heap. I think that’s unlikely. It’s possible, but unlikely. What I think is more likely is that we’ll have this insidious onset of a lack of confidence in the mechanisms that are the foundations of our society, whether that’s for individual efforts, whether that’s for organizational pursuits, whether that’s for government pursuits, and that lacking confidence in the internet and the things that come to us across the internet, we’ll make less than robust use of it and will fail to solve some of the problems that the internet is well designed for.

Chris Inglis:

More importantly, I think that the internet increasingly is being used as a means to bring ideas, ideology, to people who aren’t yet prepared to understand the provenance of those ideas, who don’t know what they’re really dealing with. That, too, is insidious and I think constitutes an exacerbation of the natural conflict of ideas that exists in this society that has always been a positive feature, but now we’ve turned that to something that might in fact be divisive in the extreme, so I do worry a lot about that and that not being digital natives. I think very few people today really understand how all the stuff works, but rather being app natives will look at the surface, think everything is fine when in fact we’re getting further and further away from a true sense of how the system works and a true sense of what’s actually being delivered to us, and a true sense of who’s friend, who’s foe in this space.

John Carlin:

From here, you’re worried less about things we take for granted, like disruption of the electrical grid, water supply, or nuclear and more about loss of trust in the day to day ways people are using digitally connected systems to do pretty much everything now. Work, banking, get your driver’s license, etcetera.

Chris Inglis:

That’s not to say that I’m not worried about the former. I think that the former constitutes a very real and, depending upon the size of your organization or your aspirations in your use of the internet, a possibly existential threat, but I don’t think a cataclysmic event that sweeps across the entirety of the internet or cyberspace, if you want to use that term, is likely. It is possible and it would have extremely high consequence. We therefore need to deal with that. What’s more likely is that we’ll continue this insidious, slow accretion of confidence in these systems and therefore wind up being less trustworthy, not simply of the systems, but of each other and that insidious aspect of our society is one that we’ll, I think, only take us to darker, meaner places. I worry about that because I don’t think that there’s any technology alone or, for that matter, authority alone that can deal with that, can hit that head on.

Chris Inglis:

The first class of problem you described, there are some pretty clean ways to deal with that. Hardware, software, training individuals about how do you head-on interdict those who would take advantage of the content or the availability of the integrity of data systems that exist in that space and it’s being worked. We might be short on the number of people, but we’re taking that on. That second problem, the one that I’ve been talking about I think is coming out of a dark space and I’m not sure that we yet all agree that it’s a problem and certainly we’re not coherent in taking it on.

John Carlin:

Joined something, remember something called the Cyberspace Solarium Commission that met and produced a report starting in 2019 that was established by Congress. What was the objective there?

Chris Inglis:

The stated objective was to come up with a recommendation for a US national strategy. Of course, it has to operate in an international context, but a US national strategy that would try to deal with prevent, deter, interdict cyber-attacks of significant consequence. Now, that’s really a catchphrase that means we had been experiencing, up to 2019, significant impactful events that were attributed to nation states. Dating back as far as 2008, we saw the massive theft of intellectual property by China, 2014 we saw the attack by North Korea on Sony Pictures, 2017 saw an attack by North Korea and Russia in turn, in the form of WannaCry and NotPetya that had a very significant deleterious effect on the private sector and there were no consequences to those actors. They operated with impunity, so what we were seeing as a nation was brazen impactful and indiscriminate behavior. You didn’t need to be the target to be the victim on the part of nation states.

Chris Inglis:

The National Defense Authorization Act in 2019 declared that we should not simply study the matter, but we should undertake how do we form recommendations and ultimately, the expectation would be implement those recommendations. We stopped that, so that we create order and discipline in the realm of cyberspace for the benefit of the nation writ large, but not least of which to essentially ensure that other nation states were not continuing to take inappropriate, unfair advantage of us.

John Carlin:

You’ve been in this field for a little bit of time now and seen a fair number of reports. What’s different about the Solarium report?

Chris Inglis:

That’s a good question. Three things come to mind. One that I think it was very thoughtful of the people who framed the commission that they drew members from several places such that the commission was by definition neurodiverse, diverse in their authority, diverse in their thinking, diverse in their aspirations, the things that they hold near and dear. There were four members of the Congress and Senate, elected representatives, two congressmen, two senators. There were the deputies of the Department of Homeland Security, the Defense Department, the Director of National Intelligence, of Justice, and there were six members from ostensibly the private sector. I was one of those, so it’s arguable as to whether I’m private sector at this moment or public sector in my DNA, but then six members that would bring an external perspective, one of those was Tom Fanning. He’s the CEO of Southern Company.

Chris Inglis:

You had a set of people who could bring a truly diverse set of perspectives to the table. Two, the commission spent a lot of time trying to ascertain what were the views of others as opposed to the United States government alone. They had over 400 different engagements, about 300 of those I think, if I recall correctly, were outside the US government and the lessons that we learned from those parties were not always pleasant to hear in terms of the performance of the US government, their expectations of the US government, but all instructive and influential in our final thinking. Three, the third thing and most important thing is we tried to make every action that we recommended at once something that was coherent to a national strategy, a true national strategy, but at the same time, actionable to the extent that there were 82 recommendations in the pile, organized in some particular fashion such that it should make sense to the executive reader, about half of those, a little bit more than half of those had a legislative component. Some piece of law must have changed in order to authorize, permit or direct something to happen.

Chris Inglis:

We wrote all that legislative language such that coming out of the box, it wasn’t left to the observer, well what am I going to do with this, how am I going to actually turn this to action. We wrote that out in as much concrete detail as we could. Part one, you have people who are actually invested in all of those different domains that have to actually share the work of implementing this report. Part two, you have a truly diverse perspective invested in the report, and three, you’ve got something that’s actionable. As we speak, of those 82 recommendations, probably a third of those are in some way, shape, or form, making their way down the lane towards execution. That’s good. That doesn’t say enough about the remaining two thirds, but I think that out of the box and especially in the time of COVID, when we’re not able to do the face-to-face, we’re making good progress.

John Carlin:

You and I had the opportunity to work closely together in government and we’ll talk about a few of those incidents, but I know one thing that we learned to expect was the unexpected and it became hard sometimes to focus on execution of strategic change because there were so many fires to put out. It seems like the Solarium report is designed in part with that in mind, to make some structural changes to help execute, even when you’re dealing with… you’ve mentioned some very unexpected events like a North Korean attack about a movie about a bunch of pot smokers that [inaudible 00:10:50] we’re expecting at the time. What do you think is the most important structural change recommended in the report that will help the government execute on some of the recommendations in the report?

Chris Inglis:

Two, I think. I’ll give them in the order that I think they’re important. The first structural change was to no longer, well, would be to no longer think about defending things that are of value in cyberspace as a set of individual tasks that are lined up side by side by side such that every kind of owner of some patch or territory defends their stuff. That’s what I would describe as a division of effort. We move away from that, which is where we are today, toward something that I would describe as a true collaboration where we see that that territory is actually common space and that the threats to that are in fact racing across the perceived boundaries between us, be they jurisdictional or financial or territorial, and that if we effect a true collaboration, as opposed to a division of effort, we’ll have a meaningful impact. We’ll crowdsource the adversaries, whether they’re criminals or nation states, in ways that they’ve been crowdsourcing us. I can say more about what distinguishes a collaboration environment from a division of effort, but I’ll leave that there.

Chris Inglis:

The second point I think is that we need some degree of built in coherence. We call out for the need for leadership, which would not so much be accountable for determining what the script is for all the rest to follow, but be essentially the join-on point that we can take all of these aspirations, expectations, perspectives, and essentially form a strategy that gives meaning, context, leverage to all of the individual efforts.

Chris Inglis:

As we speak, that there is no national cyber coordinator that the private sector could turn to say what does the government think about cyberspace, what are your current lines of effort, how can I help, how can I attach myself? If you’re in the private sector, you have to run pillar to post, organization by organization, trying to determine by osmosis or synthesis at the end of the day what the US government policy or position might be. I think we need one. That person shouldn’t dictate to the private sector, but rather be a coherent point of leadership within the federal enterprise for the private sector to deal with, such that we might then, as a private/public partnership achieve something approaching collaboration where every part, every contribution makes a difference because it’s actually consistent with the overall strategy and the roles and responsibilities have ensured there are no gaps and that there are no inappropriate overlaps.

Chris Inglis:

I couldn’t emphasize enough that that aspect of leadership just about everywhere we went in the private sector, they said, “The federal government are simply not joined up and coherent enough for us to know how we deal with you as a single creature.”

John Carlin:

Kind of hard to believe, given the importance and for years now, the intelligence community has said the top threat to our country is through cyber enabled means and, yeah, we don’t have a person in that position. Do you have a view as to, there’s been some debate whether that should be a senate-confirmed post and, if so, where should it sit, and then others who say it’d be good to have a cyber czar type position in the White House, and if you do, better that that not be senate-confirmed and that way, that position, like the National Security Advisor, can have the trust and confidence and authority and clout of the President and speaking for the President without worrying about confidential deliberations being turned over? Do you have a view of whether it should be confirmed or not and where it should sit in government?

Chris Inglis:

I don’t think that those two attributes that you pointed out, one that might have the confidence and support of the Senate by virtue of being senate-confirmed, and two, that this position have the trust and confidence of the President by being close or in the White House, I don’t think that they’re at odds with one another, but they can be made to conflict with one another. I don’t think that they’re inherently naturally at odds with one another.

Chris Inglis:

Think about the United States trade representative, think about the Chairman of the Joint Chiefs of Staff. Both of those have the full faith and confidence of the Senate because they’re confirmed, both of those serve at the pleasure of the President, and therefore, have the trust and confidence of the President, and both of those effect a very strategic role within our federal enterprise of trying to determine at a high level what is our strategy, how do we connect those capabilities to that purpose and we, on the Solarium Commission look at the National Cyber Director in much the same way.

Chris Inglis:

We believe it’s important that because most of the actions that would be taken by the federal enterprise are executive in nature, that this person have a role that is within the Executive Office of the President and that this stand not above, but outside the fray of the line operations that exist within the various agencies and departments. That this person has the full faith and confidence of the President by virtue of their positioning with the Executive Office of the President, but at the same time, have the support of the Congress by being senate-confirmed.

Chris Inglis:

There’s a second piece to that, not simply the confidence of two branches, but we don’t want those to be left to the discretion of succeeding administrations. We think cyber is too important that it should endure across administrations and it’s more likely to do that if it’s institutionalized in the way that we have framed, senate-confirmed within the Executive Office of the President.

John Carlin:

I guess in that sense informed, when you say you want to make sure it endures, I think we were all surprised, given the level of the threat that in this administration that they’ve decided to get rid of the position in the White House that formally served as the so-called Cyber Czar that was there in both President Bush’s and Obama’s administration. Also, that they reorganized Homeland.

Chris Inglis:

Yeah, it’s surprising and it’s not. It’s surprising to someone perhaps like you or I or others who spent a lifetime trying to figure cyber out. That’s a surprise that you would think so little of it that you would say, “I can take that as another additional duty,” so the National Security Advisor, presumably other people within the White House can say, “I’ll handle that in addition to my other full-time job,” that that’s not a reasonable expectation and nor is it reasonable to think that you can essentially push that down the staff chain, such that it has little influence in being able to call a meeting, let alone show up at a meeting. It’s not a surprise given that cyber so often is seen as a commodity, cyberspace, the internet is seen as a commodity, a pile of technology that you can simply direct or specify to behave in a certain way and you think it then shall.

Chris Inglis:

Of course, the technology’s only a piece of this. There are people that are involved, people making choices about how the technology works, about what flows where, what’s stored where, what services exist where, and the two of those, those people and the technology always exist in the presence of an adversary. Whether that adversary is nature, whether it’s human error, or whether that adversary’s a nation state, as we began this conversation with, cyber is ever challenged because people are involved and because adversaries are involved. That means that if you don’t have somebody wearing this full-time, no matter the size of your organization, then at some point it’s going to surprise you. At the level of a nation state, if you let any issues surprise you, you’re going to wind up ruing the day and if you had a time machine, you’d go back and say, “I should have actually prepared for this. I should have thought my way through this, I should have developed the muscle memory for this.”

Chris Inglis:

This leader that we proposed from the Solarium Commission, this National Cyber Director, is really focused on what do you do to prepare? What do you do to create the muscle memory as opposed do you lay back, wait for some untoward event to occur and address and deal with that? That’s a flawed strategy.

John Carlin:

Your report begins, and you’ve mentioned it as one of the events that really expresses how important it is that we tackle these issues, the so-called NotPetya attacks, and to your point, ones that are attributed to a nation state, to Russian cyber operators in June of 2007 and NotPetya attacks were a ransom worm, so this is a self-propagating piece of code that locks up or encrypts computer networks so they’re not accessible to the people who want to use them. Yet, unlike some ransomware attacks, there was no real ransom associated with it, so there was no way to get back access to your systems. It did an enormous amount of damage. Estimates hitting businesses, because it kept propagating all across the world, with losses estimated as high as $10 billion. Why did you start with that event?

Chris Inglis:

One, it was one that was easily inserted into the mind’s eye of that’s a big deal, that’s impactful, that’s brazen, that’s indiscriminate and therefore, to make real what we’ve been describing as a sometimes perceived as a theoretical threat just to actually turn that into a degree of reality to say this is not a national exercise. This is not a theoretical exercise, this is real. Two, to in the aftermath of that, this study began only two years after that event. In the aftermath of that to say and there’s been no consequence imposed on the aggressor. We now know that that was the Russian nation state likely trying to impose some consequence on the Ukraine nation state, but because it was so indiscriminately done, it then flowed into the rest of the world’s ecosystem, cyber ecosystem, and had this enormous global impact. Yet, nothing. Nothing has happened to the Russians or the Russian government for having done that.

Chris Inglis:

Therefore, our view is that if you see those two moments, you can then go with us the rest of the way to say unless we do something different, unless we change the course of this lifeline, that the only thing that lies before us is escalation. With no consequences and a sense of pros versus cons on the part of these aggressor nation states, that this situation will get worse. We thought that was a natural place to start.

John Carlin:

Couldn’t agree with you more as we discussed that we need to move towards a regime where there are calibrated consequences when you do something bad in the space and that the alternative is going to be inadvertent escalation, but it’s not quite true that nothing was done. Right? It’s that nothing was done that was effective because there were… and maybe you could walk through a little bit, there were some actions taken ranging from sanctions to partial attribution of moves against diplomats that were linked to the attack, but they seem not to have been effective.

Chris Inglis:

I think that’s fair. I think that there were actions taken, probably took a year or so for many of those to be imposed, but calling out and noting who we believe was specifically involved, imposing some financial sanctions, and further, giving a field guide to the people who were affected by this, the innocents of the world, how they perhaps can detect this crowd or this particular threat coming at them again. Having said that, my point was, and probably inelegantly stated, is that the Russians involved in this, in the Russian government, experienced no consequences, suffered no consequences, they’re therefore un-chastened. There’s no doubt in my mind that if that condition continues, they’ll simply operate with what they think is impunity, so you’re right. Something was done. It was kind of in the ineffective category, but commendable. At the end of the day, it’s simply not enough.

Chris Inglis:

Our premise, from the Solarium Commission, is that we do have the tools as a society that if we apply a whole of nation, whole of society approach and we make it such that we bring to bear every capability, every authority, every perspective, that we can in fact push back on this. We nominated three ways which we think interact with one another to do that. One, to be clear in our signaling. Two, to improve our resilience and robustness such that we’re a harder target. It’s not that easy in the future to essentially do what you’ve done in the past and that requires some degree of investment, hopefully some incentives to that investment, and three, make it very clear through those first two parts that if you don’t buy our signaling and if you still try to get past our robust defenses, that if you do something, there will be a cost to pay and we’re going to bring to bear all the remedies available to us, not just a cyber remedy where we go after you, chase you in and through cyberspace. We’re going to bring our legal system to bear, our diplomatic system to bear, we’re going to bring financial sanctions to bear and we’re going to do that in an international context such that you will be the lone wolf, but you’ll be hunted. No matter what you’ve done, there will be a consequence.

John Carlin:

Because Russia’s not maybe the worst or one of the worst, but they’re not the only country out there that has a cyber-attack posture tilted against the United States and really against the Western World. There are four named countries that are attributed as the top threats to the US and the West: China, Russia, Iran, and North Korea. What is it about these countries to your mind that puts them on that list and are there any others that should be joining them on that list?

Chris Inglis:

What puts them on the list is their behavior. What motivates them to get on the list, that might be the question that you’ve asked. I think several things. One, each of these states doesn’t want to have a head to head contest with the United States or its allies. A head to head contest for them, military on military, economy on economy, you pick the institution, is a remedy for loss and disappointment and, therefore, they’re trying to find ways to either compete or to, in some cases, conflict, but more often compete with us. Trying to find ways where they might have a natural advantage or perhaps, they might perhaps be able to diminish our strategic advantage in those other lanes. Cyber’s a natural. The cost of entry is low, the ability to understand what an adversary is doing when they use cyber, it’s harder, so the idea that you might be able to effect something, sneak up, do it, and walk away with some degree of anonymity, there’s a higher proposition to that.

Chris Inglis:

These nation states, Russia, China, North Korea, Iran, tend to have a closer relationship with whatever might constitute a private sector in those countries and the public sector, such that there’s a joined up nature between them that they can actually bring to bear, the powers of cyber and effect government purposes in ways that are clean or crisper than the United States can. That’s not to underestimate what the United States could do from an offensive perspective, but this really is about the mismatch between somebody else’s offense and our defense.

Chris Inglis:

The last thing I would say that makes them different, different in kind is that at this moment in time, the United States is not engaged in international effort to the extent that it might have been in times past, and therefore, this gives a greater opportunity for rogue nations to essentially find the seams and to dance through those. These foreign nations I wouldn’t say had operated with total impunity, but they’ve done a lot more harm than they have suffered in appropriate [inaudible 00:27:26] consequence and you’ve named the right four. I put a fifth on the list not so much because it’s like the first four, but whether it’s ISIS, ISIL, Al-Qaeda, they don’t do the same things as those four nation states, they don’t really try to effect harm by disruption or destruction, but the radicalization that they use in and across the internet, that’s a real and material harm as well and we have to think our way through what do we do about that, how do we compete with that message and make it such that they don’t accrue the benefits from an ungoverned space the way the other four do.

John Carlin:

I always get the question, I’m sure you have, too. Are you kidding me that North Korea is considered one of the most capable cyber adversaries to countries like the United States? How can that be? They’re an isolated country, they barely have any bandwidth. What’s your answer to that?

Chris Inglis:

Yeah. I was quoted some time ago, so I’ll bring this back on this matter. I’m not sure I was proud of it at the time, but it still makes sense, which was that if cyberspace and the activities that happen back and forth inside of it were the game of soccer or the European game of football, we’d be a few minutes into the game because it’s early days, it’s a relatively new domain of interest, and the score would be 450 to 442. Just a few minutes in the game, meaning that nobody’s got a defense that really is holding up and any offense will do. We’re just kicking one goal after another into the nets.

Chris Inglis:

You don’t have to be great. You can just be the North Koreans in order to achieve some significant effect in cyberspace. Think about what the North Korean modus operandi is. For the most part, they’re trying to figure out how to take advantage not of the technology deficiencies in this space. Occasionally they do, WannaCry was one of those, but rather with the human errors in this space. Whether it’s convincing Bangladesh to make a financial transfer based upon some human operation, on some influence operation using traditional instruments like telephones and messaging and something sent across the internet, but by getting a human to make an error. Phishing attacks where they send you an email that purportedly comes from someone you know, it’s not. It’s just a Trojan Horse. It wants you to click on a link because there’s some interesting video behind that and the code that you then execute is the code of the person who sent it to you, it’s the North Koreans. It’s game on.

Chris Inglis:

They have mastered the ability to take advantage of the human dimension of cyberspace amplified by some continuing weakness in the technology and it doesn’t cost much in order to do that, so the North Koreans are eminently capable of that. Why aren’t there more North Koreas? Well, there aren’t more clusters of people who have that mediocre technology that are willing to transgress the societal norms. It’s an open door for them.

John Carlin:

Moving from nation states, where I think you can make a similar point is around cyber criminals and the move towards a crime as a service model where threat groups are… I know I’m seeing this every day in practice of getting victims from companies and estimates now say that businesses across the globe could lose $5.2 trillion, trillion dollars, $5.2 trillion to criminal enterprises by 2024, which is just astounding. You’re seeing a particular growth in ransomware incidents, over 300%. Now, you come from a national security background and deep one, and you’ve talked about terrorist groups, ISIS, so non-state actors, state actors, how do you rank cyber criminals and how do we think about them as a national security threat?

Chris Inglis:

Yeah, so there’s a quantity argument and a quality argument. If you ranked the miscreants in cyberspace according to quantity, criminals win hands down. I think by the most recent thing I’ve read, 85% of events that are consequential, bad events in cyberspace, it’s criminals behind it. That kind of desire to reconcile disparities in wealth, treasure, continues apace in cyberspace as much as it has across the extent of human history that we’re aware of. Coming in second, nation states or maybe something taking up the majority of the remaining 15%, so just shy of 15%. While they’re smaller in number, the quality factor comes in, they’re hugely consequential in terms of the impact. Then, third on the list would be ideologues, hacktivists, those parties like Wikileaks, they’re trying to operate according to some particular ideology to use weaknesses in cyberspace to advance that ideology. Then, maybe kind of in the very marginal contours of what’s remaining, the odd experimenter… the 16-year-old up after curfew who has nothing better to do that does something that’s destructive in nature. That’s the quantity.

Chris Inglis:

I’ve implied what the quality is. Nation states clear and away are having a fairly dramatic impact and that inflection point occurred on or about the election of 2016 where the Russian nation state attempted to use the internet as a primary means of delivering an influence campaign. Regardless of whether they were helping one candidate or another, what they were really aiming to do was to reduce our confidence in a democracy that has served us well for 240 years. Then, in 2017, as we’ve already discussed, the WannaCry and the NotPetya attacks attributable to North Korea and Russia. Those are three events undertaken by nation states that swamp the huge number of criminal events.

Chris Inglis:

If you will permit, I’d like to talk a little bit about this phenomenon that you described of ransomware attacks and now something that’s creeping in, distributed denial of service attacks.

John Carlin:

Yeah. That would be great.

Chris Inglis:

There are a series of ransomware attacks you might have heard that whether it was the City of Baltimore or some number of other municipalities that they wake up one day and they find that all of their data, perhaps their servers, are removed from their access because they’ve been encrypted. Somebody’s found a weakness or seam in their system, come in and mathematically scrambled all their stuff and they had the ability to unscramble it, the adversary has the ability to unscramble it, but they’ll do so at a cost. They’ll charge you a million dollars, $2 million. This has been enormously successful on the part of the adversaries in this case. It’s probably a criminal enterprise. In some cases, this may in fact be a nation state that also happens to have a criminal enterprise, think North Korea, but it’s been enormously successful.

Chris Inglis:

Why is that? Why, if we’ve seen this play out once or twice or three times, why does it get to move from town to town and continue to succeed? Now, back to the point I made earlier in the conversation that we have approached this in some way shape or form as a division of effort. Baltimore needs to defend themselves, Pittsburgh needs to defend themselves, Houston needs to defend themselves, while the rest of us will lean in and help if we have the time, energy, if at that moment in time we can see our way through to help you solve your problem, but we don’t see this as a shared problem. We actually know something, quite a lot about some of these ransomware groups.

Chris Inglis:

We know what their modus operandi is, we know what’s going to happen when the first play is revealed, where they say, “I’ve encrypted your stuff.” The FBI can tell you chapter and verse about what’s coming because we can say we know who this group is, we know what they do second and third and fourth. We know whether they’re trustworthy and, essentially, if you pay the ransom, that they’ll decrypt your stuff. We know what nations harbor them. We know what kind of legal systems essentially give them quarter. We have a sense as to what the character of their next victim looks like and yet, collectively, there’s no sin on the part of anyone, but there’s a sin on the part of all of us, yet collectively, we sit back and we allow that to happen. We pretend that we simply wait for it to arrive in the next town that we can bring the fire brigade and put the fire out, but we wait until it’s a one or two alarm fire. I think that’s just crazy.

Chris Inglis:

We should essentially try to figure out how if those things are inappropriate and they have violated our collective sense of what’s right and appropriate, they violate the rule of law, we should go after them and we should essentially ensure that we bring them to justice in the same way that we would a bank robber, a literal bank robber. We wouldn’t wait until they show up at the next town and advise how you pay them off and save lives or perhaps minimal treasure. We’d go after them. The things that we do at our best moments in terms of reacting to a crisis, we ought to do in the times of peace and tranquility when we know we can see that this threat is emerging.

Chris Inglis:

As we speak, here’s a new phenomenon, which are massive distributed denial of service attacks that are being conducted and the modus operandi as described in the FBI bulletin released last week I think on or about the 28th of August, describes that this is a group that claims to be Lazarus, that might be attributable, say, to the North Koreans, is more likely a group of criminals that are hiding out in some country that tolerates it.

John Carlin:

Let me jump in for one second, have you explain just for our audience what is a distributed denial of service attack.

Chris Inglis:

In the realm of cyberspace, as a user of your data or your services, you want to have access to it when you want it. You’re annoyed when you try to log onto your bank account and it doesn’t immediately take your ID, your password, and give you access to what your accounts are. If that is slowed down to the point where you can’t get access to it in a timely way, then you’ve suffered individually a denial of service. There are attacks that can do that for massive numbers of customers at the same time because what they do is essentially they try to show up at those front doors of those virtual establishments, they present credentials that are bogus, but that they consume the time and energy of the system while it tries to figure out, is this the legitimate ID, is this the legitimate password. Now, imagine you do that trillions of times a second. That’s a denial of service attack.

Chris Inglis:

It doesn’t destroy anything, it doesn’t harm your bank account, but it annoys the [begones 00:38:05] out of you because the stuff that you want is simply not available to you in the time that you want it. There’s a reputational harm to the institutions who suffer these attacks, there’s an opportunity cost harm suffered by the persons who are trying to get access legitimately to their accounts, so it is a real problem in today’s society. It was, in fact, something that the Iranian government did to US financial institutions, 2012-2013, more than 200 different days and while the literal cost associated in that was probably in the tens of millions. How do you actually shed those denial of service attacks, how do you build extra capacity? The opportunity cost was incalculable. No one knows what financial transactions could not occur at the moments that they needed to in order to seize an opportunity.

John Carlin:

Let’s talk a little bit about the… or at least an elephant in the room, which is there’s a reason this hasn’t been done before even though everyone says we need this greater public/private partnership. You and I were in government when we had the Snowden disclosures and there was real change, I think, in the way I know that you started attracting the public. For instance, I’m not sure you’d ever be doing a podcast if that hadn’t happened and you’ve told the story a little bit about how, for someone whose career had largely been at the National Security Agency, how different it was to go from no such agency to talking publicly about what you do. Talk a little bit about that experience and how you overcome that trust issue in order to get the authorities where people could sit in a room and share information, so you could respond at scale and speed through these types of threats.

Chris Inglis:

I could talk for hours about this, so you need to throttle me a little bit, but I’m just saying that one of the great surprises for me when Edward Snowden came out, besides in alleging what he did, I have to distinguish between allegations and revelations, one of the great surprises to me was the almost immediate response by the American public in some kind of even components of our elective representatives that just believed it. Just without any question, believed what he said was true. I had to imagine that it wasn’t because he’d given such a compelling case, because much of it falls away when you begin to look at what he doesn’t have in terms of evidence to support his thesis that it must have been that there was an inherent natural suspicion on the part of that private sector or the legislative representatives that they naturally suspected that NSA would essentially be a rogue entity or would do things that were grossly inappropriate.

Chris Inglis:

That causes you to think about maybe we haven’t said enough about what our true purpose is and what we actually do. Maybe we’re not transparent enough, so that there is a competing story, not that chases Edward Snowden’s story, but he has to compete with it because it’s already filled the vacuum, it’s already out there. I also came to a second conclusion, which was it might be that even if we went chapter and verse in telling our story, we bear our soul about here’s what we do, here’s why we do it, here’s how we do it, but it might be that we’re not doing enough or enough of the right things.

Chris Inglis:

The examples that we’ve been walking through where we can with great clarity, using an intelligence apparatus that’s the envy of the world, determine who’s who in this zoo of cyberspace, determine where perhaps some of these threats not simply are coming from, but where they’re likely to come from. I don’t think that we’ve yet fought our way through how we place that at the full disposal of the American people, how we place that at the full disposal of the private sector such that some of those things that we have discovered using public money don’t need to be discovered again. We place them at the disposal of people who can act on them.

Chris Inglis:

Now, there are many excuses as to why that is not as rich a sharing relationship as it should be. Classified sources and methods are at risk if you share too richly. Your adversaries find out how you know what they’re up to. Therefore, they foreclose your future opportunities. You might not have the authority. It might be that when NSA was constituted, its role was to provide information to the formal decision makers who live in policy entities, like the Department of State, the White House, those who serve in harm’s way, who had no responsibility to serve the intelligence needs of the larger private sector. That made sense in 1947, 1952 when many of these constructs were put in place, but it makes a lot less sense today when the threats that an NSA would see are threats in common to this cyberspace that lives well outside the federal enterprise.

Chris Inglis:

All of those things, I think, we can take as perhaps insights, lessons learned from the Snowden era and I think that acting on those we must be more transparent about what we’re doing and we must be more proactive about pushing capabilities, insights, authorities we have, pushing to place those at the disposal more directly of the private sector.

John Carlin:

Just to tell a story about that, it helps explain a little bit. You talked about a tradeoff and a tradeoff that’s real, so if you’re sitting at a national security agency and collecting information about bad guys, nation states, crooks, terrorists, if you tell… make public what you’ve found and certainly if you make public how you found it, the bad guys get better. They read what you did. I was always struck when we were in government and we were pushing at the time to try something new at the Department of Justice and FBI, which is to bring a public criminal case, at that point, the first one related to Chinese theft of intellectual property. This was in roughly 2014, and we went to you, I remember in your role at National Security Agency and said, “We can do this,” but we were going to lay out in detail how we knew what they were doing, and I remember you saying that it would make your job harder, but you thought it was the right thing to do and that General Alexander agreed with you and actually, Mike Morell at the CIA.

John Carlin:

Tell me a little bit, because that must have been an important moment for you. What brought you to that state of thinking that laying out this detail, even though it makes collection a lot harder, it’s the right time and place to do it and is necessary to share with the public?

Chris Inglis:

Two things. The Department of Defense had been coming out of an extended period where it had been in various combat theaters, places like Iraq and Afghanistan, and they’re big consumers of the NSA product. I won’t say a lot about how that works. Just say that that’s probably a self-evident fact to NSA being a combat support organization. What we’ve discovered yet again, this is one of these timeless things that’s rediscovered every five, 10 years, what we discovered yet again was that if we push a lot of actionable information to the people who are in harm’s way, that it did hold sources and methods at risk, the adversary might figure out, oh my goodness, they know where I am, they know what I’m up to, this improvised explosive device didn’t go off and therefore, they might get a sense as to how they beat you the next time out, but in essentially mobilizing your ability to hold them at risk, you place them in a moment where they’re less careful. Where they’re a bit more on the run. Where they’re not actually going to perform perfectly.

Chris Inglis:

Using your information to disrupt their operations might make it such that you really haven’t placed the sources and methods at risk to the extent that you would have thought. You might, in fact, have made them less careful about their own activity, such that they’re more exposed. It might have the opposite effect. That plays into this. If we disrupt some of these cyber criminal networks, they’re going to make mistakes. They’ll make more mistakes. They’ll be on their back foot and, at the end of the day, if we don’t disrupt them, they get all the stronger.

Chris Inglis:

I think that you have to actually turn that proposition around to say, yes, there is the theoretical possibility that we’ll harm sources and methods and there is some logical limit that you kind of say, absolutely, I can’t go beyond that line, but that line is further upstream than you know and, in fact, there are some advantages to using information beyond simply disrupting the thing that is of interest to you. You actually create more intelligence because it becomes noisier.

John Carlin:

Let me ask you, in terms of your recommendations of the Solarium Commission, two of the critical initiatives you discussed would be placed at the Department of Homeland Security and that would be the place where the public/private sharing was occurring. Yet, the collection of some of the most valuable information is actually through NSA, the National Security Agency, or FBI, some combination. Why put the place for the partnership in a different place than where the expertise on collection resides?

Chris Inglis:

The American way of creating public/private partnerships has been strained since I think about 1783.

John Carlin:

That’s a long time.

Chris Inglis:

It’s just been inherently difficult and therefore, the inherent distrust that is by design built into our DNA as a citizenry, we all have it. It’s actually a quite a good thing in order to say I’m going to distrust my government, not because I know it will do wrong, but because if I’m not holding it accountable, it will do wrong. That that power will ultimately be applied in ways that are injurious to my individual liberties. That’s just a natural kind of relationship.

Chris Inglis:

Recognizing that, you need to make the lines of connection as clean as possible and if NSA is, at the end of the day, a foreign intelligence organization whose job it is to spy on those foreign threats to the nation, that is something that is a clean boundary, people can understand that, but if you begin to then mix that to say that NSA has a very direct relationship with the propagation of domestic security, it’s really hard to build the trust necessary to say I understand that you, internal to NSA, know how to keep those things separate. You, internal to NSA, know how to get that exactly right. I have high confidence that they could. I just don’t know that 315 million Americans would have similar confidence.

John Carlin:

They move a little bit towards… It’s… well, they did in a way, but the struggle to attract and retain top cyber talent, I know you recently wrote a piece on this advocating for cybersecurity clinics, so one concern is that the best and the brightest at cyber are going to choose more lucrative jobs in the private sector and there certainly is more money to be made. I know there was concern after Snowden that the reputation of the agencies would decrease, would cause a decrease in those applying to join and then, simultaneously you’ve had this economic boom, so there’s so much money to be made in the private sector. At least at the time, though, it seems like the government’s still actually doing a great job, depending on the agency, at getting top talent. Do you agree with that? Is it doing a good job and, if so, why?

Chris Inglis:

Is it doing a good job? I think it’s because while money is important and the benefits that attend to a job, the tangible benefits are important, but they’re not the end all, be all, and in many cases, they’re not the most important thing. When people sign up for work, they want to make sure that it’s going to be able to support their material needs and perhaps their families in a similar way, but they want meaningful work, they want meaningful activity to do, they thrive like any person does to be a part of something that helps them matter, that helps them make a difference. If you can appeal to that, that latter instinct, while not being grossly unfair on the former, the financial remuneration, that’s a winning proposition.

Chris Inglis:

NSA tries to do just that, which is we’re going to give you meaningful work, we’ll respect that work, and we will accelerate you if you’ve got merit, we will accelerate you through a career where you can do that time and time and time again such that you won’t think about the money as often as you think about, well, I just love what I do and I love the purpose for which I do it.

Chris Inglis:

The other thing NSA, and not alone, but I’ll just use the NSA example, has done, which is to recognize that those sharp and deep skills, maybe it’s computer scientists or these less commonly taught languages, don’t exist in sufficient number for us to wait until the next graduating class turns out this year’s crop of bachelors or PhD students. We have to actually participate in building the pipeline, so we work very hard, speak in the present tense, but NSA works very hard to try to invest in the places where these pipelines emerge. Literally in sponsoring curricula for kindergarten through 12th grade that would have widespread benefit, but not least of which a benefit to create more of the sorts of skills that we hope one day will show up at NSA. We invest in any number of programs, whether it’s cooperative programs, whether it’s the equivalent of apprentices, apprenticeships, whether it’s scholarships that might give somebody a bachelor’s degree.

John Carlin:

Let me turn a little bit to you, Chris. How did you end up in this field and I’ve noticed you have one or two degrees out there? I think you’ve got the BS in engineering mechanics; you have an MS in mechanical engineering, an MS in computer science and engineering, and this is from the US Air Force Academy, from Columbia University, from Johns Hopkins University. A professional degree in computer science from GW and you graduated from the Air War College. I have a feeling I’m leaving out four or five other degrees that somehow, you’ve managed to pick up along the line. Do you need all that to go into this field?

Chris Inglis:

You don’t need much of that at all. For me, all of those were opportunities to perhaps transform myself. As an engineering mechanics major, I realized that while that was kind of intellectually interesting, not as exciting. I thought maybe it’s in the execution of some applied engineering, so I went and got a master’s in mechanical engineering. I found that that wasn’t perhaps the end all, be all, so I turned to computer science and so on and so forth. Each of those was an opportunity to get a get out of jail free card to essentially open another door and to enter into that new space. Just trying to get perhaps a card that would let me have a visiting pass into some other tribe.

Chris Inglis:

When I got into NSA, and therefore into this business in the 1980s was at the time, and I say this half tongue in cheek, is at the time NSA was hiring anybody with a computer science degree and it turns out that I was anybody with a computer science degree. I just had some kind of minimal ticket that they said, “You’re interesting to us and therefore, we’ll give you an opportunity, a low level opportunity to come in, make a difference,” and then the promise beyond that was if you have gained, meaning if you’ve got a work ethic, a desire to make a difference, hopefully a desire to make a contribution to something that’s bigger than yourself, it’s not a statement of Chris Inglis, but a statement about the NSA proposition. If you’ve got that, then we’ve got the career field for you, which will let you do many things across an extended period of time, but in each case, it’s really your work ethic, it’s kind of your public service mentality, that’s I think the essential ingredient.

Chris Inglis:

You’ll find any number of people in places like NSA. NSA is not unique in the world, but any number of places like NSA that essentially hire for attitude and then they’ll train to skills. They’ll just say, “Look, we want your heart, we want your commitment, we want to know that you’ll be faithful in your service, and if that’s what you can do and what you’re prepared to do, we’ll take care of the rest.” An education at a place like NSA, again, not alone, is given a high premium. I got my masters and my professional degree, which essentially is called the dissertation, I got those essentially while I was at NSA. I’m essentially trying to turn my intellectual capacity to some new angle and fully with the support of the National Security Agency.

Chris Inglis:

I just think that if you’re an organization that wants to have operational success, you need to make sure you’re hiring as much the attitude, the hearts of your people as much as the discrete skills. Both matter, but you have to hire the former in as much quantity as the latter, and then invest in them. Invest in them by giving them feedback about what they do, why that matters, invest in them in terms of saying I want you to be more and more capable if that’s your aspiration. I’m going to help you do that. Then, they will not worry about money to the degree that they might otherwise if you leave them no choice.

John Carlin:

What’s your advice to the kid in Baltimore today like you or elsewhere, starting out their career who wants to follow your path? What should they do?

Chris Inglis:

I would say find a way to make a difference to something, anything, whether if you’re in school, find a way to make a difference to that school. Don’t just sit back, take your lessons, study, get your Bs, your As, but try to figure out in an extracurricular fashion what’s happening in that school? Maybe it’s a National Honor Society, maybe it’s a food bank society, maybe it’s a sports team, but join every network that you can, not to extract benefit from that network, but to make a contribution to that network. What will happen is, almost certainly what will happen is those networks will figure that out about you and figure out, here’s a person who’s joined us in order to make a difference to us and the network will respond in kind.

Chris Inglis:

Just about every one of my opportunities has come from something like that, where I’ve joined and said, “I want to make a difference, I want to contribute, I find this interesting, stimulating,” and almost always somewhere down that track, some event or some kind of relationship fires and some opportunity that would not otherwise have occurred comes to me. If you look at my career track, it might look like I couldn’t figure out what I wanted to do. That’s because at every juncture I didn’t have a 10-year plan or a 20-year plan. I had a two or a three-year plan. Now, that might be counterintuitive, but at every step of my career I essentially asked three questions about the next thing that I was going to do.

Chris Inglis:

First question was, is this interesting, stimulating, fulfilling such that I’d get out of bed in the morning and go do it, because I’ve got choices, I’ve got family, I’ve got friends, I’ve got aspirations, so is this professional activity something that I find worth my time. Can I make a difference to it? Second, do I get to work with/around interesting, stimulating people? Hopefully, people that are smarter than me, people that will challenge me, people to help me to continue to grow. Now, that’s never been a problem for me. The third thing I always asked about a job, a prospective job, was is this a cul de sac or a gate? Is there an after this, which if I undertake this experience, it will be valuable in terms of expanding into something beyond that. If you get a yes, yes, yes, to those three questions, then that thing that’s been offered to you is a great job.

Chris Inglis:

It doesn’t matter whether the straight line from it extends into some [inaudible 00:57:58] or some gray space ahead. They all do. Take that job. That’s a great job.

John Carlin:

Chris, it’s been great talking to you today. I hope folks listening get a sense of why it was such a privilege to serve with you in government. I think you saw through my excuse sometimes. I think I called you sometimes just to pick your brain and would make up a problem for why I was calling over to NSA. As I hear your three criteria for going into government, I can’t help but think if there’s a new administration, that maybe we’ll be lucky enough to lure you back into public service. We’d be lucky to have you back there. Thanks again for joining us.

Chris Inglis:

Thank you, John. If I might just say in closing that it’s been my great treasure to work with you. When you were at the Department of Justice, you were both my lawyer and my lawyer. Meaning, on occasion you would hold us accountable, on occasion you would be our advocate, and you never failed to try to figure out which of those was the right remedy at the moment, so in all cases, made us a better organization and me perhaps a more polished professional. Thanks for all that.

John Carlin:

Thank you, Chris.

John Carlin:

Cyber Space is presented by CAFE. Your host is John Carlin. The executive producer is Tamara Sepper. The senior producer is Adam Waller. The senior audio producer is David Tatasciore and the CAFE team is Matthew Billy, Nat Weiner, Sam Ozer-Staton, David Kurlander, Noa Azulai, Jake Kaplan, Calvin Lord, Geoff Isenman, Chris Boylan, Sean Walsh, and Margot Maley. The music is by Breakmaster Cylinder. Today’s episode was brought to you in collaboration with Brooklyn Law School’s BLIP Clinic. Special thanks to Amanda Kadish and Isabella Augusta.