National Cyber Director Chris Inglis on stemming cyber threats
In this episode of Intelligence Matters, host Michael Morell speaks with the country’s first national cyber director, Chris Inglis, about his office’s mandate, its mission, and the top cyber threats facing the U.S. today. Inglis and Morell discuss the prevalence of ransomware and why countries like Russia and China might tolerate the presence of criminal hackers on their soil. Inglis also talks about why deterrence in cyberspace is difficult, and how the U.S. government is engaging the private sector to bolster cyber defenses. This episode was produced in partnership with the Michael V. Hayden Center for Intelligence, Policy, and International Security at George Mason University’s Schar School of Policy and Government.
- Heightened cyber threat today: “What we’ve seen is that…transgressors, criminals to nation states, they’re brazen – [they] cross anybody’s definition of a red line. They’re indiscriminate. You don’t need to be the target to be the victim. And they’re impactful, having borderline existential effects on the conduct of national security functions, critical functions and the conduct of our daily lives. We’re not resilient and robust against that.”
- “Permissive” environment for hackers in China: China “is another place where we see a certain permissiveness in terms of the state – not so much looking the other way, but being tolerant of the criminals who are given harbor there. And so long as they don’t annoy or impose some friction or harm on the local economy or the local government, the government tolerates them.”
- Perils of “proactive ambivalence”: “What keeps me awake at night is our proactive ambivalence. By that, I mean that we’re generally aware as a society that something is amiss. You can’t miss this. You can’t stand there and watch the news reports and believe that nothing is amiss. Where the proactive ambivalence comes in is we all believe it’s somebody else’s problem. It’s not my problem to solve. And so we variously point to the folks that have Cyber or IT in their names and say, ‘You need to hold me safe from mistakes or risks that I take.’ That’s simply not a tenable proposition.”
Intelligence Matters: Chris Inglis
Producer: Olivia Gazis
MICHAEL MORELL: Chris, I want to start with the cyber threat facing the nation. You’ve said publicly that, and I want to quote here, “The threat is greater than I can ever remember.” And I’m wondering what led you to say that; I’m wondering what the context around that is. Is it because we’re more vulnerable? Is it because the number of adversaries are growing? Is it because they’re getting more sophisticated? Is it because they’re getting more aggressive? Is it all of that stuff or is it something else? What does the threat landscape look like to you?
CHRIS INGLIS: In a phrase, it’s all of that. I think we first began with what is our dependence on what most of us think of as the internet, what I describe as digital infrastructure. We have a massive dependence, whether it’s for our conduct of our personal lives, our business lives, our national security. Everything we do is fundamentally dependent upon that, to include a broad range of critical functions, critical to health and safety.
Second, having created that dependence over many, many years, transgressors, whether they’re criminals or geopolitical foes, have realized that dependence and they’re increasingly using that to hold us at risk. And in recent years, and I think that there was an inflection point in about 2017, what we’ve seen is that those transgressors, criminals to nation states, they’re brazen – cross anybody’s definition of a red line. They’re indiscriminate. You don’t need to be the target to be the victim. And they’re impactful, having borderline existential effects on the conduct of national security functions, critical functions and the conduct of our daily lives.
We’re not resilient and robust against that. We don’t have the basic resilience and robustness of technology, people, or, for that matter, doctrine – who is accountable for what, such that we can simply look the other way and assume that they simply can’t hurt us. We don’t actually defend these systems as a collaborative endeavor such that they have to beat all of us to beat one of us. They can pick us off one at a time. And we really don’t have a good range of remedies to align actions to consequences.
So in all of those facets, we’re falling further behind. It’s not to say we don’t have some very talented people and we don’t have some really great technology, but we’re not really joined up to solve this problem in a way that’s required. And a premise in the job that I have is we need to rethink how do we actually make it such that if you’re a transgressor, you’ve got to beat all of us to beat one of us. We have not done that to date, and therefore we’re falling further behind.
MICHAEL MORELL: Are ransomware attacks the biggest chunk of the attacks that we see?
CHRIS INGLIS: I think the most notorious, to be sure. I’m not sure that I could say with confidence that in quantity they’re the most numerous.
But they are a symptom of the larger problem, which is the ecosystem within which they operate essentially has low cost of entry; a set of transgressors – criminals, in most cases, but some nation states – who can syndicate, who can collaborate, to find someone who might find a weakness in a system of interest, someone that they could sell to, who would then prosecute that entry into that system, someone who might then take over – it’s a business – who might then take over to actually effect the actual extortion.
They ask for resources to essentially exfiltrate that ill-gotten gain in the form of cryptocurrency, which is hard to track. Many of them operate in safe havens in Russia, near and abroad, or other places where it’s hard for the reach of law to find them. And they operate against assets that are at once valuable and poorly defended. Those assets are information that companies find essential to the conduct of their business, or which they kind of hold as information on behalf of others, that is, personally identifiable information and/or health related information for which they would pay a pretty premium in order to get that back without some further disclosure.
It’s a perfect storm. Long in the making. We’re not going to turn that around in a fortnight. But given that I’ve described a systemic set of weaknesses, the way to address that is to take each of those systemic flaws on and address them one at a time, but in collaboration.
MICHAEL MORELL: Chris, I wanted to mention that we’ve learned of at least one tragic instance where human life, an infant, was perhaps lost as a result of a ransomware attack in 2019 in a hospital in Alabama. And I know you probably can’t comment on that particular case because there’s a lawsuit underway regarding the care of the infant. But what I want to ask you is that ransomware attacks aren’t just about money, right? I mean, there’s human lives at risk here. Is that a fair statement?
CHRIS INGLIS: That’s a very fair statement. I think there’s another incident that I think is in the public record in Germany, where a patient attempted to enter into a hospital, the hospital was down because of a cyber attack. That hospital diverted that patient to another hospital that could properly service them, could coordinate the arrangement of a room and a doctor, and the patient died en route. And so, you know, that is something that I think you could say is directly attributable to a cyber attack.
There are untold numbers of deferred appointments because health systems weren’t able to efficiently and effectively schedule the activities that were required. You really can’t say how far this problem has gone, but it is not an attack on data or systems or simply an attack on the critical functions that rely on those. It’s an attack on health, safety and confidence that relies on all of the above.
MICHAEL MORELL: Chris, you mentioned Russia as being a place where organized crime is able to conduct ransomware attacks. You testified that we’ve not seen yet a decline in attacks originating from Russia since President Biden pressed President Putin on this very issue at the summit in Geneva. Is China another place where organized crime is able to conduct ransomware attacks or not?
CHRIS INGLIS: It is another place where we see a certain permissiveness in terms of the state – not so much looking the other way, but being tolerant of the criminals who are given harbor there. And so long as they don’t…