
[Music]
here. Um, I appreciate the opportunity. So, thanks to BSides Charm and um thanks to you all for getting up uh up and out on the Saturday morning. I can tell you I wouldn't be up and out on a Saturday morning were it not for my good friend Jeff um who extended the invitation. I appreciate that. But, uh glad to be here in Baltimore. Wow. And this is a great crowd. Um Baltimore got a special affinity for it for a number of reasons. Um my um my almost 10-year-old granddaughter was born here and this does have something to do with what we're doing. Um she was born very early uh at St. Agnes Hospital in Baltimore. Uh 1 pound 13 ounces and
Yeah. Yeah. She literally spent her first 100 days uh in the NICU at St. uh St. Agnes and at Johns Hopkins. And there were um a lot of uh there's a lot of consternation, a lot of prayer, a lot of challenges. Uh but she came up to visit me uh Sunday and she is what we'd expect a 10-year-old uh girl to be with her old grandfather full of energy, vibrance, idea, and talking. Uh so it was not a good prospect when she was born at 1 pound 13 ounces, but she is more than on track now. And I'm hoping that will be an analogy for where we are uh in cyber security. Um because we are not in a
good place. And hopefully Jeff told you all I don't have any good news. I don't bring good news. Um that's just not my personality. And and actually I I had a um a very relevant quote that somebody passed along yesterday right out here in Towson actually at Towson University. you know, it was the president of Towson University and he quoted um Winston Churchill and he said um success never is final. Success never is final. But I get the sense that uh we America thought in many ways that success was final. Um the 20th century uh was an American century. Now we're a quarter of the way through the 21st century and um I think we've got
complacent, some might say arrogant uh but uh there's a challenge in making the 21st century an American century uh overall yes but uh when it comes to cyber security um as well and that's uh part of what we all need to focus on. Uh so that's what Churchill said and I agree with that. That's my perspective. success never is final. Even if we're number one, I'm always going to want to increase that delta between uh number one and two. Um and part of the challenge from my perspective, I'll just give another quote from a um a fellow that I admire, John Wooden. I don't think many people in here uh go that far back, but uh All right. All right. Um
one of the most successful men's basketball coaches in the history of the NCAA. And he had something that was similar to Winston Churchill. Again, it relates um Wooden said uh success is never final. And here's the part I disagree with when it comes to our line of business. Uh failure is never fatal. I disagree with that when it comes to cyber security and what we're doing because it poses a significant threat to our nation. And then he ended up with a part that I do agree with. Uh it's courage that counts and uh right now uh the United States and all of us need to um be courageous in taking on the challenges that we
have and um there's a lot to do uh awful lot to do and so I'll I I'll just start out my last um position as the national cyber director I I I had insight not much more than what you that um but I I evolved in my thinking. I saw uh I learned how connected uh our digital foundation is to our economic prosperity and how connected our economic prosperity is to our national security. I grew up in uniform um 20 years in the Navy um 20 years with CIA and NSA and then uh a little over a year at the White House as national cyber director. And when I started out um in the Navy,
uh the general thinking was that national security was all about uh the kinetic aspects. Um bombs, bullets, uh aircraft carriers, tanks. We have evolved, I think appropriately so, and we have redefined the definition of national security from that kinetic-based focus to include economic prosperity. Um, we don't we are not secure as a nation uh unless there is economic prosperity uh in this country. Uh we have a heck of a national debt. That bill is going to come come due one day. Um and and it's not going to be a pretty picture. We have to take that on. So, economic prosperity, national security are connected and this digital foundation uh that we live, work and play in uh is a
key to the economic prosperity. Hence, it is a key to our national security. Um so, that's the um foundation for the bad news I'll be talking about. Um, and it's bad news, but it's reality from my perspective anyway. Uh, so to me, that's good news. Baltimore. Um, in addition to my granddaughter having been born here, um, have an affinity uh, for the city, for the region. When I was at NSA in my last assignment as an executive director, I remember coming up to um, Martin Luther King Elementary School and teaching those third and fourth graders how to do a level of uh, decryption um, and encryption with some games. NSA does a fabulous job of working with the
community and it was um it was delightful to see those young inner city kids uh light up when they were able to decrypt messages and then um actually encrypt some of the messages they passed during the class to their friends and the teacher couldn't break those codes. Um but it it it shined a light on uh a talent pool that uh number one that we need uh number two that can be enthused and and number three that uh we have to incentivize and motivate. And then in my last job uh national cyber director, my first uh public appearance was purposefully here in Maryland at the Community College of Baltimore County in Dundalk, but it was there that uh we
talked about uh a number of challenges and solutions. I don't like to talk about challenges uh without proposing feasible solutions. Um we have we have more than enough problem identifiers. uh we don't have nearly enough um solution identifiers but uh there at CCBC uh we talked about about uh this hiring village that I hope uh you all take advantage of you know in this great nation of ours roughly 500,000 open uh positions in cyber um I think 31,000 at least a year or so ago open uh cyber positions in um in Maryland and I think 1,600 or so open cyber uh positions in the Baltimore uh region. Um those are open and they need to be filled. Uh those are those
are gaps uh in our nation's security that we have to take advantage of. But one of the things we talked about there at CCBC um was um pathways uh to careers in cyber. And I'm just going to touch on this because um typically we had been saying we the big we um you had to have these four-year college degrees uh to make a contribution to cyber and that could not be further from the truth. But that's where we were at the time. Uh it was it was that day that uh myself and uh my friend the then acting director of Office of Personnel Management, OPM, uh agreed to go to a skills-based approach to hiring. The private sector had been
doing it in a number of areas not fully enough in cyber security but they were leading the way and the government federal government uh participated in that. Uh too often um college degrees are used as proxies for knowledge. Uh matter of fact, I have a uh piece of paper on my wall from I think 40 years ago now uh that says Master of Science in Computer Science. Uh it's worth whatever this thing here is worth. Uh so that's proxy. It's it's all about uh knowledge. Um and and that's what we had to get get to. But it was purposeful that we're there at CCBC. Surprisingly uh some of our federal partners had not been uh to
CCBC. uh were not aware of uh some of the excellent programs uh they have there uh to get folks ready to contribute to our our nation's economic prosperity and and um national security. So, back to that. Excuse me. Uh, back to to that uh point. Excuse me. That's good bourbon. Thanks, Jeff. Um, I think one reason that our nation is challenged, again, back to this traditional uh definition of national security. Um, I'll talk a lot about the good old days and and I'll say that sarcastically, but in the good old days when I was growing up, it was the United States and our Western allies versus the Soviet Union. And it was it was all uh
kinetic-based uh national security. Um about the only thing that uh folks that were not in uniform did to to on our national security front was vote and pay taxes. Otherwise, there was not much of a role in national security uh for civilians. That has changed so much. I dare say that you all are part of the national security apparatus now. Uh like it or not, uh you are. Uh I I was down in um Atlanta number of months ago at a um security operations center for a major transportation hub and private sector and uh fortunately they get it. Uh those those folks that were working in that SOC uh I started talking about how they are part of
national security. The heads were nodding and I said you all are being targeted by our adversaries and by uh malicious criminals. They rogered up. They understand uh that uh nation state and non-nation state actors consider all of us part of the national security apparatus. We all need to recognize that and and guide ourselves accordingly. But back to that definition of national security and used to be vote tax but now every time you touch this digital foundation you are frankly we are touching on uh opportunities um for our adversaries and malicious criminals to do us ill. We need to recognize that. But it's also incumbent upon uh the formal national security leadership down in Washington and elsewhere to recognize
that that definition has evolved appropriately and that it is no longer just the domain of these multi-billion dollar aircraft carriers, multi-billion dollar submarines, jet aircraft, tanks, land-based missiles. That's not just it. As a matter of fact, uh those marvelous weapon systems, they are marvelous. They don't get built without cyber security. Uh they don't get designed without cyber security, let alone operated without cyber security. And those platforms that I mentioned and even our special forces, you know, those knuckle draggers, those snake eaters, they cannot operate as effectively as they need to without cyber security. That's fact. That's fact. But uh our nation is as great as it is, our nation has not recognized and prioritized cyber
security to where it needs to be. Again, that kinetic stuff does not happen uh without cyber security. Period. And frankly, I challenge anyone to um to take that on. It it just doesn't happen. Now, um I I did hear on the radio one day when I was making that hour and a half drive from Baltimore to Washington, uh a a US senator opining um accurately enough to where he has never heard a proposed solution uh that didn't require resources. And and I get it. Um you know, you all know how challenging our nation's economy is right now. Uh but we have to figure out how to put a solid foundation in again for everything we
do. Um it's going to take uh time. It's going to take money. It's going to take focus. And um and that's, you know, that's part of my bad news message. I don't know that our great nation is willing to stay focused for as long as it's going to take uh for us to get it right. And it's going to take years. Uh that's why BSides Charm and and other BSides and all of you are so important uh to helping us get it right. Uh and that's what we need to do. We need to get it right. In in many ways it's as though our nation and our our leaders and I'm not talking about this
administration. I'm talking about the last two handfuls of administrations since we've been aware of this challenge. uh we we we are operating similar to the way we're treating the national debt, you know, with our heads in the sand, hoping it'll go away one day. It's not. It is not going to go away. Um America's century might go away in terms of the uh the 21st century, and I sure hope that's not the case, but we have to take action. We have to recognize uh where we are. That's why I was pleased uh 31 January 2024 when I had the uh the high honor of testifying in front of a House subcommittee on the uh cyber threats
posed by the People's Republic of China uh to the United States and it was a subcommittee chaired by Senator now excuse me now former Representative Mike Gallagher from uh Wisconsin and uh during that day uh the four panel members uh the three in addition to me are great Americans. Uh former director of CISA Jen Easterly, uh the then uh director of NSA and commander of US Cyber Command, General Nakasone, and the then director of FBI, Chris Wray. And um Director Wray made the first um public announcement of a threat to uh to our nation in cyberspace. and uh he talked about and then we all talked about how the People's Republic of China had penetrated our critical
infrastructure and not for espionage purposes and you know that's one thing uh we all need to recognize that nations spy uh nations will continue to spy nations should spy so we need to get over that PRC spies on us we spy on them that's the world we live and it's not going to change. So, espionage, we get it. But, uh, the PRC was not on America's critical infrastructure for espionage purposes. The PRC was on our critical infrastructure um to disrupt and destroy America's ability to mobilize in case of a conflict. That's why they were there. It was not for financial gain. It was not for espionage. It was my words and I can speak my words now since I'm no longer
part of the federal government and I don't have a speech writer. It was preparation of the battlefield. That's what it was. Um and uh Director Wray called it what he should have called it and he said it was unacceptable risk. Such a key phrase that needs to be more than words but he called it unacceptable risk. That's what it was. And sadly, that's what it is because again, like the national debt, our heads are in the sand hoping it'll go away. It's not going to go away. Um, not going to go away, that threat. But it again, unacceptable risk. and critical infrastructure. Those 16 sectors, uh they're called critical infrastructure because we have to have
them in order for America, uh to h Americans and citizens and residents to have the quality of life uh that we all deserve. That's why it's called critical infrastructure. Well, our critical infrastructure was and I dare say is at unacceptable risk. What do we do about it? goes back to prioritizing the importance of cyber security and this digital foundation prioritizing it and that means resourcing it that means taking action on it uh that's the challenge that we face that unacceptable risk and then I think last uh late last this past summer early fall um we uh we announced another penetration of America's telecommunication systems um 40 some odd years in national security. I have not been aware of any
penetration as significant as that. Uh I'm not going to tell you I know everything, but I've seen a lot, but not been made aware of anything um that significant more unacceptable risk. And that is um that advanced persistent threat uh impacts the traditional definition of uh national security. It impacts the more evolved definition our economic prosperity and it impacts again the quality of life that each of us has. um part of what we have to do is redefine um cyberspace and what it means to engage in cyberspace. You look at the national security strategy that we had been operating on. I think it will I think it was a fine strategy to help guide the
national defense strategy uh as well. It talked about great power competition and it talked about phases. uh the first phase manage the competition that's uh that's acknowledging reality to an extent manage the competition um in our major competitor in the world is the People's Republic of China far lesser extent Russia and again back in the good old days it was um the Soviet Union versus the west and although the Soviet Union had um had weaponry that that uh that could destroy our nation. We had weaponry that could destroy their nation as well. The concept the deterrent con concept of mutually assured destruction, MAD, mutually assured destruction served a purpose after World War II uh we went uh
generations Yeah. uh without in today to still not having had a nuclear weapon used uh in anger. That deterrent worked and continues to work. We don't have that in cyberspace. Um so this this conflict this um competition phase needs to be redefined uh with regards to cyber um those three phases competition crisis and conflict competition crisis and conflict. We said that we want to manage the competition to minimize the opportunity to go into crisis and then we want to manage the heck out of crisis so that we can avoid conflict essentially at all costs. Almost at all costs but manage the competition, minimize crisis and avoid conflict. Well, in cyberspace that does not fit does not fit every moment of every day.
Um, America is under assault in cyberspace under assault. Um, so we're past that managing competition. Some might say we're in a crisis zone. Um, when it comes to cyberspace, my perspective with no speech writer and not needing approval from anybody, uh, we're in conflict every day. Uh and and we need to address that that unacceptable risk that the FBI director said we're in. We're in conflict. And it's not just the traditional war fighters, if you will. Again, back in those good old days. The federal government protected every American citizen and every American resident from nation state actors. Think about it. every American citizen, every resident knew that the federal government was going to protect us from a nation state
actor. That's not the case in cyberspace. Um, you look at what's going on. My small hometown in rural Kansas is under assault every day from nation state actors and malicious cyber criminals. Um they're going after the local hospital, the local school system, the local financial systems. And no one uh especially our our our government should expect my rural hometown to be able to defend itself against a nation state actor. We got to figure it out. Um because the federal government, one of the jobs of the federal government, and again, I'm not talking about this administration. I'm talking about that many administrations. The federal government has to figure out uh how we protect again all of us. You all are
probably fine. You know what you're doing. Um but across this great nation, uh we need help. Um identifying the problem, what's the solution, there's there's a number, but again, first is recognizing the problem, the significance of it, and prioritizing resourcing and taking action appropriately. We got to do it. um right now, well, I'll even go to the um critical back to the critical infrastructure sectors. Uh we updated that I think last summer and there was a discussion about what should be included and we kept essentially the same 16 critical infrastructure sectors. Well, one area was left off. Um that area was space. space was left off of the formal list of critical infrastructure. And what I had to say
back then was it's not formally documented as critical infrastructure, but we treat it as such. Uh well, it needs to be documented and we need to treat it as such. Uh because we don't right now, but just imagine uh what our lives would be like if we did not have the capabilities that we have in space. If you imagine it and shouldn't take long, you would easily come to the conclusion that space is part of America's critical infrastructure and again needs to be treated as such. Um so we got we got to do that. Other things we have to do are are some some basics. Uh we've known about uh internet security. Uh we we know that you know
the the internet was um was built decades and decades ago. Oops. For um for convenience and for communications, it was not built with security in mind. It was not built for security in mind, but we've operated on it in it uh as though it still is. Um Border Gateway Protocol is a step in the right direction. We've known about that for decades. BGP uh we've known about it for decades. For some reason, we haven't done much about it at all. And I I I don't have an answer on that, but that's part of the solution to this complaining I'm doing. Implement BGP. Another one is um liability. Liability. Uh we've got uh great technical developers, systems
developers, capability developers. Um but we don't have uh sufficient liability. Yeah, that's overhead that's going to increase the cost. Yeah, it will and maybe it should. Um but on that cost front, I I can recall um a major American industry few generations ago talking about if you put liability in play, you're going to drive us out of business. That was the automobile industry. Now, we we put seat belts and airbags in and we're all better and safer for it. Those are the things we got to do get right. Uh so liability, we need to hold manufacturers, developers to a higher standard. Not that they're doing anything malicious, but the focus in too many instances on
being first to market with the capability as opposed to being secure to market and we need everyone that's contributing to this foundational uh cyberspace to be secure to market. Got to have it. So we know things like that that we we have to do. Uh another one would be uh regulatory reform and regulatory reform is an opportunity to decrease the cost of doing business and increase our security. What's not to like about that other than it's hard to to make it happen. But if we're going to decrease the cost of doing business and increase cyber security, we ought to do it. uh and why our um our businesses have to answer to multiple regulators. Just look at the financial
services sector. They've got at least a handful of different regulators at the federal level, let alone state, let alone international. And many times, most times, almost all times, those regulators don't coordinate their tasking to in this case financial services sector. And those folks are spending uh more time doing audits and compliance checks than they are focusing on operational cyber security threats. I think most of us know that compliance does not equal security and we need to recognize that. So what do we do on the regulatory reform front? First step, we ought to have a degree of reciprocity. If I'm bank A and if financial regulator X is coming to me and saying, "All right, your numbers up.
Time for an audit. Uh, time for your compliance check." And then, uh, regulator Z comes up two months later. Well, what I do for financial regulator X ought to be applicable to financial regulator Z. That needs to be a degree of reciprocity between uh those federal uh um regulators. That's not the case today. Uh we need to take that on. Another potential solution to the complaining that I'm doing. Um back to serving our uh local uh communities, uh municipalities, counties, and even states. They don't have the resources to take care of all the cyber security measures that they should. They don't. That's again the federal government's job. So, how do we do it? It's got to be some
level of shared services. I I do believe again my small hometown doesn't have the resources. That includes funding, but it also includes talent. Um we need to figure out how to have the shared resources uh to to help our municipalities get to the right cyber security posture. uh I think two days ago I was in in Washington participating in in a discussion on this topic and um you know the moderator said hey we got to be pro provocative and he did say don't just complain Coker have some proposed solutions and and uh so one of the things I threw out for consideration and I said and I was knocking on wood I was in Washington DC said I'm sitting here
in this building and I see police cars go by um for public safety said but I'm I'm in this building and I am less concerned about threats to me from a public safety traditional public safety perspective because I don't think a cr a criminal is going to come in and get me right now do do me any harm but sitting there in that well-protected venue I'm under cyber threat every moment of every day but there are no local police looking out for my cyber well-being. So why don't we have something like that? Um because we haven't uh prioritized and resourced recognize prioritized and resource the foundational nature of our our digital enterprise. But we we we
um I think and now I'll throw out a statement that I can't support with data yet, but I'll get on the Google machine later. I think we have more people victimized in the cyber space than we do in physical space. Um and so why not treat it um similarly in terms of the protection there. Another um potential um area to focus on again back to that uh national security um you know the the nuclear triad. I think the the the the new triad has to include today's and tomorrow's threats. Again, that's what you all are taking a look at. uh tomorrow's threats. So instead of bombers, tanks and uh aircraft, the the triad now includes
artificial intelligence, quantum and uncrewed platforms. Uh those are the threats that the military um and frankly other parts of our uh economic prosperity uh ecosystem need to take a look at AI, quantum and uncrewed platforms. Uh that's a cultural change that I I frankly think we need to to address and um and resource part of that uh again proposed potential solution is cyber force a cyber force. Um yeah the um was it you Kim? No sir that was not me. Okay. All right. All right. um during the first Trump administration came up with the Space Force and there was a lot of push back on that from us traditional people. Um a lot of push back on it. I think um
I I frankly doesn't matter what I thought. Uh I think it's working out well and and that's that's a challenge that um this is not political. message, but I some people might take it as that uh folks have have said that uh uh Trump one and Trump two administrations are are disruptors and uh I don't disagree with that. But what I agree with is that disruption is not always bad. Um and frankly disrupting the Army, Navy, Air Force, Marine Corps, and putting that uh Space Force in place um I think that was a positive disruption. Um, I suspect that the current administration will take a look at a cyber force. I know they are. Um, that's
more disruption that I don't think is necessarily bad. So, we'll see what's happening. And I I put that out there because again, I want to emphasize disruption is not always bad. And we ought to think about whatever uh whatever the idea is that's coming forward uh before we just write it off. So that's something we ought to take a look at. And then um in in closing, I'm going to wind down now. Um some of the challenges uh that the US has has tried to address via a State Department policy last year was this thing called digital solidarity. It was was and is in recognition of the fact that the United States cannot um win cyberspace by
itself. We need our partners. That's number one on digital solidarity. The other part I'll add on that is that I was pleased and maybe this is my my one one positive thing. I was pleased that the federal government also recognizes that America does not win in cyberspace without the private sector. Uh without security researchers, without um big tech, we don't. um we are partners in uh defending cyberspace and advancing the positive aspects of the opportunities that are there. Again, that's a big shift. When know again, when I was growing up, it was all about those in uniform, but we realize that we have to have uh the private sector. We realize that we have to have our our allies on
our side fighting the fight. Um I was uh surprised and a bit disappointed when I would go out and talk to some of our allies about um defending cyberspace and initially too many of those partners would view cyber security as a western problem as a US problem all this typhoon site typhoon that's America's problem and um didn't take much explanation uh to show him that no there's no borders there and trust me if they're doing it uh because uh they're doing it to you. But a digital solidarity is getting like-minded nations uh to work together. Um for example, ransomware um there's um you know there are refuges uh where these cyber criminals are able to go and stay and be beyond uh the
touch of law enforcement, be beyond the the touch of uh of traditional diplomacy. But we have to work together on that front. A tough spot again to speak frankly for the US and we talk we talk to our allies about the western tech stack. Uh use buy implement the western tech and and one of the um the points that was appropriately thrown thrown in my face uh by uh a counterpart in from Western Europe was hey we can't trust you. you know, we buy this Western tech stack. Uh, how do we know that you haven't already um put put some of your American magic in the systems that you want us to put on our our
networks? Valid point. That's a valid point. Um, another one along those lines, uh, when we've talked to some of our international partners about what we know about threats to their digital foundation, they've, uh, they said, "Well, how do you know that? Is it because your analysis shows the United States that my nation's network is infiltrated or is it because the United States is on my network and sees others?" That's a a tough space, but it's a real space and um we have to figure it out. Uh don't have a solution, but I'll throw one out. uh I talked about you know we're going to spy nations spy they'll continue to do that but we have
Five Eyes um US Canada Australia New Zealand UK we have Five Eyes and part of that uh agreement is amongst those five nations we don't spy on each other um in my experience is that uh that's that holds true um since I have to propose a solution to that that whine uh maybe we ought to expand that concept in cyberspace. tough to implement. Um, tough to confirm, but you know, that's that's one I want to put out there. And, um, going to wrap up now, but I I do just want to, um, say on top of all that, uh, bad news, it's, um, a perspective of reality that I think all of us and our loved ones are faced with
and need to address. And uh we need to we need to go to the folks that make decisions on uh priorities and resources for this nation. And they're right down the road in Washington. They're in state capitals across across the globe. Um we we can't we can't uh be foolishly hopeful and think that that ticking time bomb won't go off on our digital foundation. Similarly, we can't think that that terrible, embarrassing national debt is going to solve itself on its own. Those are debts that all of us are faced with that matter where we live, where we're from, what we're doing, uh it impacts us all. A lot to do. Um well question uh that that I I won't try to answer is um
does America have um the focus to address that that powerful challenge that we are faced with? Uh do we have the focus to apply the priorities and resources um and the time and it will take years and it will take plenty of zeros after the dollar sign to to address it. uh my perspective it's an imperative that we have to take on and the the last quote that I'll I'll wrap up with Ruth Bader Ginsburg said uh real change enduring change happens one step at a time um we got to start stepping in the right direction um long uneasy uneven journey but uh we need to start taking steps counting on you all uh to help on that front so thank you
for your time thanks for coming out Saturday morning and [Applause] [Music]