Skip to main content

tv   NSA Director Discusses Cybersecurity Law  CSPAN  December 7, 2021 11:12pm-12:12am EST

11:12 pm
>> and we see director and commander -- general paul nakasone talks about cybersecurity and national security joint up virtual event hosted by american university. >> my name is rajesh de. for those of you those of you who don't know me, i cheaper -- it's a total privilege to be here with general paul nakasone. i'll give you a little bit of
11:13 pm
background about the commander and then we'll get started. over the course of our discussion, i'd encourage you if you have questions, please put them in the chat and i'll try to work them into our conversation. >> now general paul nakasone serves as the commander of u.s. cyber command and director of the national security agency. and he served in that combat capacity since may of 2018. he previously commended u.s. army cyber command from october 2016 until taking over this role. he's a native of white bear lake, minnesota, and a graduate st. john's university, college of minnesota, where he received his commission to the reserve officers training. he holds graduate degrees from u.s. army war college, the national defense intelligence college and the university of southern california. general nakasone has held command and staff positions across all levels of the army, with assignments in the united states, korea, iraq and afghanistan.
11:14 pm
good fact, his last overseas visit post english as the director of intelligence at the international security assistance force joint command in kabul, afghanistan. general nakasone it's also commended the cyber national commissions force at the u.s. cyber command previously. he's commended a company, battalion and brigade and served as the senior intelligence officer at the battalion division in court level. pro to also say i consider him a mentor and friend, and it's a total privilege to have you. welcome. >> a, rod, thanks so much and thanks to american university that my good friend gary cornish is running. also, migrate associate who is a scholar and residents. it's really nice to appear on this friday fireside. sir, you wear multiple hats as the director of the nsa commander of cyber command. for our audience, could you describe what those
11:15 pm
organizations do? how they relate to one another and cooperate with another? and what role each has in the cyber machine for a or nation? >> great question, raj. let me begin with u.s. cyber command. u.s. cyber command is one of the combatant commands. one of 11 that is part of the department of defense. i work in that role for the secretary of defense and the president. we're 11 years old and we really do three things. think of us as doing three things. first of all, we defend the department of defense networks, data and weapons systems. you say well, how big is that? let me give you an example, we have about 4.5 million and points. about 3.5 million users. and about 600,000 mobile devices spread across both classified and unclassified networks. the second piece is that we work very, very closely with the federal bureau of investigation and cisa, to ensure the security of the nation's cyberspace. the final thing is that we provide support to all of our
11:16 pm
combatant commanders. so whether or not you're deployed around the world or in europe or the pacific, if you need cyber support is going to come from u.s. cyber command. so, that's my cyber command side. let me talk a little bit about the national security agency. next week, or 69 years old. we're far from a start of. but really i would tell you were a global organization, as you well know. for spread around the world. our focus is to. part first of all, we do foreign intelligence. outside the united states, very very focused on why or, email, transitioning in cyberspace. we're trying obviously to convene insight. the second piece is, we do cybersecurity. i think this is part of the mission that is not really well-known about the nsc. and that, piece do two very important things. first of all, we do all of the code making for our most critical and lethal weapons systems. okay? think of our most lethal weapon
11:17 pm
systems. we're doing the actual coding for that to make sure we have assurances of being able to communicate and being able to acknowledge and authenticate who is using those systems. the second piece is, we're very, very focused on the technical side. being able to identify and eradicate threats in cybersecurity, with partners like u.s. cyber command. here is the big piece that i think is important. most people just think you're just altogether in cyber command and nsa. no, we're not. we have separate authorities, we have separate funding, separate oversight and separate visions on both u.s. cyber command and nsc. but there are two things in common. one, one person that leads them, that's me. a second thing is, we operate inside our space. we operate in the domain of cyberspace. so you say, well, why do you have one person leading both of them? because if you want to get speed, agility and unity of effort, that's really what you
11:18 pm
need. >> that's really helpful and lays the groundwork for folks to appreciate the roles you see it. now you've had these hats for three years now, since the spring of 2018. what are your priorities in each of those rules? and had they changed since you stepped into them? >> i would begin -- and i think i would imagine most of the speakers you talked to would say this is well -- my first priority is talent. when you think about the national security agency, will probably hire well over 1500 people this year. and u.s. cyber command, over 300 people. we're looking for a top talent. we're looking for the best of the best, to come and work it a mission set that is so critical to our nation. people say hey, what do you think about law? i think about tell it and where do i get better tell it, because guess what? the same talent i'm trying to get is the same talent that is being wooed by private industry. as being wooed by other parts
11:19 pm
of our government. this is a big issue for us and i'm sure we'll talk a little bit more about it, but i felt a lot about this in three years. i think the way we approach it as a government is good, but it has to get better if we're going to continue to maintain the high standard of color. second piece, i think all about readiness. i think our going to do our missions better. let me give you an example. i talk a little bit about the and nsa our forward intelligence mission. you can well imagine that indications and warnings are really important to us. how do we ensure we understand both the intent of an adversary perhaps their capability. and if he has done this for as i was seeing, as an almost 70 years now. and they do extremely well. but that doesn't mean we can't get better at it. and that's the same way in cyber command. we have 133 different teams that operate across the globe in support of many customers. how do i get that to be at the peak readiness? how is that readiness that we're so accustomed to seeing
11:20 pm
in special operations forces or other very, very elite units. that's what i'm trying to drive here at u.s. cyber command and nsa. well last piece is partnerships. chris angus was on the street. no better person to talk about partnerships. i learned so much from him, watching him. prior in his role was deputy director, now in his role as cyber security national director. how do you bring partnerships together? our partnerships here begins between the partnership between nsa and cyber command. but when you opery in cyberspace, you ask me what is different over the past three years. operating in cyberspace today means operating with the private sector, operating with international partners, operating with academia. this is a big piece of what we need to be able to do and there are a lot of contributing members to this. so, how do you build really slip central partnerships? >> thank you for that. i do want to return to this topic of workforce and tell it
11:21 pm
a little later. but one question comes to mind is, you and anybody in this field could be earning a lot more money in the private sector. but will often attracts us, many of us to public service, is a sense of mission. maybe you could speak to that just from your own personal experience. the most motivation and sense of mission? >> one of the things that i think you realize with each, hopefully, i have a lot of age for now, is the fact that there are probably really two important things about your job. the first important thing is, you have to get up every morning i really enjoy what you do. okay? and that ties to the piece of mission. right? that is exactly what you want to be doing every day. i get excited every day i get up. going into work. i'm going to be working with incredibly talented people. we're working in the defense of the nation. we're thinking about this domain of cyberspace. we're trying to figure out how we get better. here is the other piece of the equation i think is so important. who you for work for and work with. i've had the tremendous
11:22 pm
privilege over three decades to work with incredible leaders across the military and the civilian sectors. a lot of them that have been resident here at u.s. cyber command and the national security agencies. that motivates me. that in terms of the compensation that i get, it's a compensation for the mission i work every single day and the people i get to work with, and work for. what moti>> that's really great here. and i know a lot of the young lawyers appreciate hearing what motivates you and what could be motivating them. you've talked a little bit about the landscape that's out there and partnerships that you're working on as the director of nsa and the commander of cyber command. there's been a lot going on, even in the last year. even for folks just reading the headlights. whether it's the solar winds events, the microsoft server exchange attacks, so there's a lot happening out there. could you tell us from your perspective what the threat let's keep looks like and how it's changed overtime? >> the threat landscape --
11:23 pm
let me go back to what i first started working cyberspace exclusively, which is about 2009. 2009, 2010, just as we are starting to think about how do you stand up cybercrime and what would it be, let's focus on the idea of espionage. right? we were very concerned about people coming into our classified networks and stealing secrets. and over a period of a couple years, that morphed to, we were starting to get very concerned about threat actors that we're starting to do disruptive attacks against us. like denial of service attacks against wall street. being able to utilize the medium of cyberspace to not only do these type of attacks but also move into the information sphere. i think coupled in 2015 with the realization of the hack of the office of personnel management, that we had lost so many records and so much data. we started to see the trend of
11:24 pm
cyberspace going from just focused on espionage, disruption, to then the information sphere. once you talk about today, if you consider what our nation has been through the past ten months. we begin with solar winds, microsoft hacking, colonial pipeline, jbs, zero data tax, supply chain attacks. we've seen the scope and sophistication of our adversaries. it's different and i think that this is the key piece that i bring today is that even in three years, we have seen a tremendous effort by adversaries to come in to the medium of cyberspace and to obviously impact us. i think that is one portion of it. that is an important portion. we always have to be focused on it. but the other thing, raj, i will tell you, is we haven't been static as a nation either. this is the fact that we watch this and they all occurred. remember, this is 2009.
11:25 pm
we start u.s. cyber command. we start to think about how we build capacity. how do we partner together against targets like isis. how do we get into the security of our elections in 2018, 2020. how do we go after the building affective partnerships to get after ransomware. and of course, the executive order that the administration has worked on. this has changed dramatically on our side as well. so, i think it is one of those things that you have to look at both sides of the coin here. gen. nak asone:>> to your mind, does it l like it were at a turning point, inflection point, just big picture? >> that's a really interesting question and a good point. i think that the american public is much more aware today of what's going on in cyberspace. when we talked about cyberspace in 2010, and even in 2012 or 2050, and a little bit with the elections, i don't think it's
11:26 pm
-- a good portion of the gas pipeline on the east coast has been impacted by a cyber actor, i think there's a different feel in the nation. this is tremendously important we have to be able to get after it. >> yes, it's definitely entered many peoples consciousness who weren't thinking about this before. many years ago, i worked on the 9/11 commission and one of the themes that came out of that was that terrorism before 9/11 was used as a law enforcement problem. and really continue to be thought of as a national security issue. you have said that ransom were used to beat characterize as kind of a criminal activity, in a similar analogy. but today, you see as a national security issue. that our country should really surge to. to your mind, what's the importance of that distinction from criminal activity to national security priority? to the extent you're thinking of a surge, what would that look like? >> if we would have had this
11:27 pm
friday fireside chat a year ago, i would've probably said something like yes, i think law enforcement has this well in hand. they're working ransomware. what's changed over the past year is again, i come back to this idea of our adversaries -- in terms of scope, scale, sophistication -- what they're doing. ransomware is an event that affect so many. right? to your point of an inflection point, this is affecting the local level. this is affecting government. this is affecting private sector. this is affecting national security. when i talk about ransomware and i think about it today, it's to the point of, if it has that broader of an impact, if it's able to impact our critical infrastructure, they certainly it has to be a national security issue. to your point, i think the next question, what does that mean? i think it means the nation brings all of its instruments of keep ability to bear on a problem like this.
11:28 pm
as i look at that, one of the things that we've said that if this is affecting the nation's security, and say and u.s. are cyber command going to be in the middle of it. we want to make sure whatever we can do to assist law enforcement or the department of homeland security or cisa, we want to be the best partner to. to your point on surge, what does surge mean? surge means that here for us, when we search we bring our best people to get. up to be focused on a singular problem. we look at different and creative ways to get at that problem. we think that about how we generate insights on it. how do we share information on that. how do we perhaps impact that tooth betterment of the nation. surges are one of those things that i think we do very, very well here. particularly on a very focused probably ransomware. >> if you had in your mind's eye efficient, where do you think we head with ransomware? i have lots of clients that say is, this ever going to be over? it's hard to imagine there
11:29 pm
being a moment when it's over. how do you think we lived long term with this threat out there? f di fferent levels we >> i think again, if a national security issue, they're going to be a number of different levels we're going to operate and be able to go after this. certainly there's going to be a policy level, in terms of what we need to do. i think the national security council is working that very, very hard and developing what are the right policies that we have developed both within the united states and with our adversaries. i think there is in the medulla huge effort going on between public and private. so how do we talk better and communicate better with private industry? how do we work with private industry coming back to us? one of the responsibilities of what we need to provide as the public sector to the private industry? and similarly, what is the private sector have to provide back? the last part of it -- i think a lot of it is about
11:30 pm
awareness. are you aware of it? are we taking all of the different steps that protect our individuals and local businesses? and local governments from what really has been a very, very difficult issue over the past 12 months? >> yeah. you mentioned public private cooperations. maybe that's a good topic to turn to. particularly critical infrastructure, which as you said is the core of our national security concern. and it seems like an area that is ripe for public private cooperation, given that much critical infrastructure is owned by the private sector. maybe you can expand on how you think the public and private sector could worked together in this space and what role the public sector, in particular, nsa and cyber command, and what you'd like to see from the public sector.
11:31 pm
>> the first point i would offer, about 90% of the critical infrastructure is in the private sector. and so, within the public sector that is, i think, fact number one. we have to understand that if we are going to be able to ensure the defense of that critical infrastructure, we have to have a partnership with the private sector. the other piece i would say is that for us here at u.s. cyber command and the national security agency, we are really focused on two different ways of doing this. how do we enable our partners and then how do we act? enable our partners, or does that mean? as i talk about nsa as its ability to garner foreign intelligence and to provide technical expertise on cyber security, why don't we enable our partners with it? i would just perhaps amend one thing that you said. what are we doing today? let me give you examples. january 2010, and they say discovers a vulnerability in window dan, provides that to
11:32 pm
microsoft. and one of the unique things is that we took attribution and credit that we did. that and you say, well, why did you do that? i'm sure there are people who would say that you shouldn't do that. i would say, the reason that we did it and decided to do that is that, i think there is a certain importance that goes with our technical expertise when we stand behind something and say, hey, this is a vulnerability that we have found. we've taken that idea, raj, and also expanded to thread advisories. we've got a number of advisories with dhs and cisa an fbi, doing a tri-seal project and these are the select russian or chinese actors, all at the unclassified level, their activities. so i think that's an important piece of what we've done at the nsa. but let me go to the cyber
11:33 pm
command side. much has been talked about -- operations. in 2018, we decided to send a series of teams to different parts of the world at the invitation of our friends and allies to assist them, too go on their networks with them. we were able to find a series of malware, and we found that malware and provided it to a commercial cybersecurity provider that rapidly spread information to all other cybersecurity providers. think about that. you are just inoculated, a lot of networks, based upon mel where we were able to find, malware our adversaries were using. >> that's the type of work that we have to do to enable and act and this is the private sector. if i, might i know i'm a little long winded here, but let me talk about the private sector. a couple of weeks ago i was
11:34 pm
able to speak with kevin -- at his conference. and we highlighted the fact that during the solar winds intrusion, the tuesday before thanksgiving, kevin came into an essay to say, hey, i think we have a problem here. and he came into an essay to have that discussion because that partnership with was tight. he knew exactly what we can do. and we were able to put the pieces of the puzzle together with kevin. think about that. that type of expertise, coming forward and working with us and then much to kevin's credit, he then went public and talked about this intrusion. that's an example of really important and effective public private activity. >> thank you, sir. it sounds like a core theme there, collaboration that is happening. the tri-seal products that are going out from the government with collaboration and --
11:35 pm
>> can i make one follow-up statement on that, raj? because i think this is so important. and this is a credit that so many did. if you are an adversary, the success of being an adversary is not being found. so being able to expose something like solar winds, that was able to take down what may have been a very broad attack against so many different sectors of our nation. and being able to find it and expose it, that's a loss for our adversaries. and that's credit to the private sector and to some of the folks here that work with nsa and other parts of our government, to be able to expose. that is >> a really interesting point. i think we've learned a lot about exposures to campaigns that are out there. a pessimist might say, oh, another thing is happening and we've now uncovered it. but to your point, exposure and
11:36 pm
attribution and calling adversaries out can be viewed and should be viewed as a success. >> i think that if -- first of, all we want to be left of theft, right? that's where we need to be. to the point of, well, we are you trying to dry the agency? we want to be ready and able to do that. but also, we have to put this in perspective as well. when you are able to uncover that unable to do, you know, the ability to an ocular so much of our cybersecurity against this type of malware, i think we have to take that into account in terms of our equation as well. >> one theme referred to is the theme of collaboration. and there's a couple of new centers, relatively new, at an essay in cyber command. and essays is called the cyber collaboration -- and -- called dream core.
11:37 pm
[inaudible] tell our audience about what these efforts are. >> i think that this is -- so, you asked me previously, what has changed in two years? to the agency and the command in 2018. one thing pointed out to me was to get outside of the agency, into the command and agency. and so our -- is really good as an example. the nsa worked with the marilyn innovation and security institute. it's a place where we bring together our developers to talk about our most pressing problems. so if we are talking about zero trust architecture, are we talking about management? are we talking about -- how is the best way to do the networks of the future? it's done at a place like
11:38 pm
greenport where you have the discussion and it's different from coming to our headquarters, where you are not going to be able to park your car and just walk in the door and have a discussion. and that's the same idea, that really motivated us to think about the cyberspace collaboration center for and say. we wanted to have a place where we can have people from academia and other partners to have a conversation, whether it is in person or virtual, to be able to do this. because, again, if you are thinking about cybersecurity, and so much of the talent and so much of the work that is being done is also being done in the private sector, we certainly don't have a monopoly on that. what we have found is that working at the cyberspace collaboration center, which is less than two years old, our focus is on the defense industrial base. the portion of our critical infrastructure that really is fine-tuned to provide capabilities in the department of defense. we have over 100 partners now.
11:39 pm
we are working day and night to do two things. first of all, get information. but also share information. right? that is the whole invaluable piece of having centers like this, to be able to have a public private partnership. >> you referred to the ease of meeting with people. literally driving your car up to the building. for folks on the outside, and say in cyber command, they feel like impenetrable, classified environments. these sorts of centers, they sound like great strides forward, to be able to have these sorts of discussions. to my, mind it seems unimaginable, even a few years ago. could you talk a little bit about the challenges of breaking through that sense of secrecy at nsa? at cyber command? to facilitate something like this? >> i think what you are speaking, of raj, is difficult. and how do you change culture in terms of what is transpiring in the environment? you know, it's really kind of a
11:40 pm
-- i would offer a team effort. most of us view, as we would be operating in cyberspace for a number of years, that the government didn't have a monopoly necessarily on great ideas. we saw so much that was being done in the private sector. i think we came to the realization quickly that if we are going to be effective at being able to work with a series of partners, you had to have this type of capability. it's not easy and it's not -- i mean, we had a lot of discussions. but at the end of the day i give great credit to the leaders here at both of the agencies. to move out and get these things done. we've learned a lot from it as well. if you think about, you know, what is the private sector thinking of us? that is -- i mean, that's an interesting question. and one of the things i think that they believe about houses that, really, there is a couple, really valuable things. the inside of foreign intelligence. the insight of foreign intelligence, that's the secret
11:41 pm
sauce that really is in the cyberspace collaboration center. secondly, we bring huge talent, whether it's on cyber command or nsa side. being able to talk to someone, that has that level of expertise, to look at that development of a network or the variations of -- , that's pretty powerful. and i think the last thing is that there is a greater appreciation, a greater appreciation of our focus on getting to an outcome. it is strong. and anyone, anyplace, anywhere. >> well said. i have a question from the audience that's a bit related to what we are talking about. i will read it to you. traditionally, the intelligence community's greatest successes are also its most closely guarded secrets. so how do you approach this challenge of figuring out how transparent the nsa can be when it succeeds in -- adversaries cyber operations?
11:42 pm
so a similar question around secrecy in the cyber attribution space and being transparent with the public and partners. >> i think it's an excellent -- first of all, i think it's an excellent question. our agency has changed over the last several years. i think, first of, all i will tell you that make it no doubt, be there no doubt, within anyone in the nation that our fundamental commitment to civil liberties and privacy and the fourth amendment is rock-solid. and it's something that we swear an oath to. that we train to that we have oversight to. and that we take extremely seriously. i think when we consider, what is it exactly that we need to be able to share, it does begin with the idea of, you know, is this going to be able to have a positive impact on the security of the nation? that's where i begin with it.
11:43 pm
certainly, you know, there is a number of factors at play, sources and methods. and what is it that might be the second order defense. but it comes down to think for me, is this going to be to the security of the nation? that's an easy way of saying that but it's a much more complicated process as it plays out. >> i'm sure you are living it every day. earlier we talked about -- serving as the first national cyber director. and obviously he is an alum of an essay, previously serving as director. we also have other alums of an essay in the cyber ecosystem. heading cisa, for example. and the deputy national security adviser for cyber. can you tell us a bit about how nsa interacts with, for example, the office of the national cyber director?
11:44 pm
>> we are really intensely proud of our office and jim and and. we've all worked with them for many years. and so to be named to those positions in the leadership of what we are doing in cyberspace, i think it's great credit to them. but also the work that we've done for many years. chris english's could not be a better choice for the national cyber director based on his work in the solarium commission. and bringing together so many players in terms of how we defend the nation in cyber space, and the thought process, one of the unique values and advantage that each element of government brings? so we as a department of defense, we clearly are working very closely with chris in both our role as the national security agency and as u.s. cyber command. chris has done an incredible job in just the several months he has been in their, to really start to bring in the key
11:45 pm
players of how do we do this as we take a look at, you know, the vulnerabilities. jim easterly, at cisa, she has the responsibility for critical infrastructure. and defending and defending the joint cyber collaborative development program that she has put together, and the partnership with the private sector, you know, that ties very closely with our cybersecurity director. and i think that being able to have that continual conversations, with folks at cisa, and cisa has folks here, that has been incredibly powerful. i would add another piece that you didn't mention but is really important. and that's the fbi. so, under the direction of curious wray we've worked closely with the fbi and cisa, beginning with elections. but the power of what they do in different field offices, and being able to bring their
11:46 pm
technical talent and capabilities together with what we are doing at the nsa and cyber command, that has proven very effective. >> thank you. i will ask you a bit about the federal security directorate you mentioned. but before i do, maybe i can ask you a bit inside baseball. i know that you and jen easterly were both have cyber command. now you are the head of cyber command. can you tell us a bit about your role than? just for our audience? hat>> in 2009, in march, chris inglis had called down to my office and asked that i talked to him. little did i know that in march 2000, and really what he was talking to about was putting together an idea, to stand up this command that became known as u.s. cyber command. so between myself and jen easterly and p.j. white, a retired admiral, and sl davis,
11:47 pm
we put together the construct that became cyber command. >> that's fantastic. it's obviously a success and you get to live with that success. any failures, you have the origin story. >> correct. >> let me ask you a bit about the cyber security directorate. can you tell us what that is at an essay? what is its role? and why did you look to stand it up? >> as we talked about in the beginning, the national security agency has two missions. one is foreign intelligence and the other cyber security. when i arrived at the agency in 2018, one of the things that i came to the realization of is that we had lost a bit of our way in cybersecurity. one of the things that i wanted to do was to reinvigorate what i thought was going to be incredibly important missions for our agency in the future.
11:48 pm
the best way that i knew how to do that was to put one person in charge, to give them the resources and then also the mission to make sure that their success moved forward. in the fall of 2019, we stood up the cybersecurity director under the leadership of -- and we decided there would be two elements moving forward for responsibility. one is the encryption mission that nsa has had for so many years and does so well. the other piece was a new piece. and that's the eradicate piece. people said, eradicate? i said, yes, eradicate. what we want to do is not report on threats. we want to impact and get to the outcomes against those threats. so the word eradicate was an accepted piece of what cyber security is responsible for. again, how do we look at an adversary?
11:49 pm
how do we use a number of different partnerships, authorities and capabilities to, at an end state, be able to get after them? and a true instate of being able to eradicate that threat to our nation. >> maybe this is a good time for me to relay a question from the audience. this eradicate question, it relates to that. would our nsa in cyber command doing to help eradicate the ransomware attacks? >> well, the first piece is generating insights. one of the things that we learn here, particularly in our work on election security, is that you have to know the adversary better than the adversary knows themselves. who are the actors? what trade craft are they using? why are they operating from? one of their capabilities? the second piece is, how do we bring more partners into what is a very difficult issue. again, to the point of, if you are looking to have an impact or an outcome against
11:50 pm
ransomware, you need partners beyond nsa and cyber command. tohow does the private sector r fbi play this? how are we able to give dhs, closely aligned, with what we are doing and collaboration? what we have found here is that speed matters. speed and agility matters when you are dealing with adversaries like this. and so that is what we have really focused on. i will tell you that, you know, we continue to work that extremely hard. because as quickly as we move, the adversary moves quickly as well. >> that ties very nicely into another question that has come from the audience about speed of threat. unlike some other military domains, the threat landscape here moves a lot faster. and you spoke about readiness earlier. can you speak a bit about this mindset needs to be addressed? and how mobilization needs to
11:51 pm
happen differently when it comes to cybersecurity as opposed to some other traditional military domains? >> let me talk a little bit -- let me give a story here. because i think the story is important to illustrate, perhaps, as the question has alluded to this idea. in the fall of 2020, we were very, very closely with the connecticut national guard. in fact, the connecticut national guard was working with u.s. cyber command through a capability we call the cyber -- item. which is an unclassified ability to provide information back and forth about threats lane. identifying this more rapidly in connecticut, these guards were rapidly able to bring us information at cyber command. and working in partnership -- and all credit to the connecticut national guard -- they were able to be able to
11:52 pm
obviate the threat, a threat to a public school system in a pretty significant portion of connecticut. and this is the fall of 2020, kids are getting ready to go back to school. that is, for me, when someone says in 2018, well, speed -- i probably wouldn't have thought of speed like that. speed is this example of cyber nine line program, where we are able to work in partnership and address it. >> that is a great way to think about it. thank you. i will turn to some other questions but first i wanted to return to this question about workforce, since that is something we discussed earlier. whatever it's are being done to develop a set of workforce and retain the workforce? and are there things you think we could be doing better at least from a government perspective? >> let me start from the latter portion.
11:53 pm
if someone was going to say, hey, explain to me about the ecosystem of talent management for the command in the agency, i would say something like this. we do a tremendous job of being able to recruit people. we do not have a shortfall in trying to find people that want to come and work with us or work for us. then we do an equally good job in training people. retention? i would say that that is more difficult. in terms of trying to retain someone. i will come back to that idea in just a second. but here is the area that we really struggle with right now that i think we should address. and that, is how do you allow them to rejoin? it's, recruit retain, rejoin. so, if you leave the government sector, if you leave and go to the private sector, coming back to work under agency and command, it's difficult. it's not something easily done. it takes a long time. how do we do that more quickly? how do we urge people who,
11:54 pm
perhaps, are not, like me, going to spend two decades of service in the military? but who want to leave and perhaps at one time want to come back? i want those people back. i want them to come back rapidly. i want them to have all the insights of what they've done in the private sector to come back and be able to do what they want to do in our mission space. that's something, raj, that we have to get after. and i think we will. but it's something that, to your last point, is a challenge. let me come back to the first point. what's really matters here -- i heard bill mcraven, the admiral bill mcraven talk about, you know, what is the biggest security threat to the nation and he could name many. but what he said is k-12 education. k-12 education. interesting. i was thinking to myself, one of the things that we've worked hard at at nsa is to develop this cyber generation, this cyber gen camps with the
11:55 pm
national science foundation and elsewhere, to encourage people that science, engineering and mathematics is a great thing to be a part of. and the opportunities are unlimited. it's this idea, i think, that really gets to bill's mcraven's point. we need to be able to encourage people that coding is cool. the idea that you have a future in a place like cyber command at an ha nsa or dhs. it's a supply population of folks we need in the future. we see the numbers now. we are short. we are short folks that could be working in our sector today, across all different phases. raj:this is one of the ways thae are very into. and we hope it will -- >> that's well said. i have a ton of questions from the audience. i'm going to pose a few of them
11:56 pm
to you in the time that we have. the first has to do with congress. and big picture, are there things you would like to see from congress? when it comes to cybersecurity? that's the specific question, whether it has to do with authorities or other approvals. and i guess i would just ask you, how do you view the bipartisan issue dynamic, let's say, when it comes to cybersecurity? clearly, washington is a partisan, polarized place. cybersecurity may be one of those areas that lends itself to cooperation. so i'd like to hear about that. >> in terms of the policy, i think this is perhaps best left to chris inglis and those that really deal within the policy framework of what the nation needs. and where i see it as an operational leader in both cyber command and nsa, it's some of the work that has been done both on the senate armed services committee and the
11:57 pm
senate select committee, to address new capabilities. and allows us to hire people more rapidly. we welcome that, that dedication to what we've done. in terms of cybersecurity, yes, it is no doubt, it is an issue that everyone is focused on. i think everyone agrees that this is a critical piece and so in my role, i see it as being able to not only report on it from the perspective of leading the national security agency. but what we are doing in terms of u.s. cyber command. clearly, there is a lot of interest on the hill in cybersecurity. >> another question has to do with international norms. without getting into specifics of your view on particular norms, as an operational leader, do you think there are any rules of the road out they were in cyberspace when it comes to foreign threat actors? or really have we not set any guardrails?
11:58 pm
and are you seeing, operationally at least, people willing to do almost anything? >> again, i can speak from where i sit as the commander of u.s. cyber command, the director of nsa. we clearly have norms we abide by. and obviously, you know, we abide by the laws and the rules of how we operate out there. i think that one of the things that we certainly have learned in the past several years is that, persistent engagement and the ability to operate in cyberspace is an important way upon which adversaries understand what isn't and it is important to us. so that's been very important. >> you mentioned persistent engagement. we have another question about the defense departments defend forward strategy. maybe you can explain that and the way of thinking behind it.
11:59 pm
>> in 2018, the department of defense released their cybersecurity strategy. one of the elements of the cybersecurity strategy with this idea of defend forward. how do we operate outside the united states as a department to be able to identify threats? to be able to counteract those threats and be able to make sure that those threats perhaps did not come to the homeland? from that idea of defend forward, outside the united states, we at cyber command developed the idea of persistent engagement. what is that? persistent engagement is really two things. it's the ability to enable our partners and also to act. enable our partners, whether our partners are international or whether they are inter agency partners, whether they are, you know, industry partners -- and that's the ability to act. outside the united states. sending forward teams. being able to disrupt the infrastructure of an attack by an adversary come into the united states. that's the idea of persistent engagement and being able to
12:00 am
ensure that we are operating within the construct of what the department has said are there defend forward missions. >> thank you. another question in this vein is about deterrence generally. the question really is about -- are doing in terms of deterring foreign threat actors from taking action even more extreme than we are seeing? gen. nakasone: i began with the topic of deterrence, so that is not nuclear deterrence. they are obviously very unique things in their own right. i think, i talk about the domain of cyberspace and we are still learning about how to apply deterrence. one of the things that the secretary of defense is integrating deterrence, to use the partners, how do we operate in a way that is different to be able to impact.
12:01 am
we have done that now in a series of operations. one of the things that i have learned and operating in cyberspace is that it is something that needs to be continuous, to be an operation that is always ongoing, whether or not you are operating to build resilience or to give greater insights. it is something that you don't just stop and then in five weeks or five months or two years, decide to start operating again. this is a different domain. raj: thank you. i have a question about election security. i think i will frame it this way, could you discuss a little bit about the efforts that have gone into election security, and it feels from the outside that we have made quite a bit of progress, but maybe just
12:02 am
describe what it looks like from your spot. gen. nakasone: in 20 18, as we were getting ready for the midterm elections, one of the things we had done is we looked back and said what are our adversaries doing in previous elections, and one of the things that they were successful at, and what were their vulnerabilities, and one of the realizations we came to was if we were going to have success, we needed a strong series of partnerships. the first one we needed was between an essay and cyber command, the genesis of the birth of the --group, the best of the agency and the command underwent leader to be able to get after what was at the time we thought a very dangerous election oncoming. we had a success. the things that we learned was that we had success not because just u.s. cyber command and an
12:03 am
essay or working together, but because of our partners. we were focused on one threat in 20 18, and i think the follow on question is what changed in 2020. our partnerships got bigger. it was not only just nsa and fbi and cisa. it was broader partnerships within the federal and local and state government and also academia, being able to work with a series of good subject matter experts that understood the threat. and the big thing was a series of other threat actors that were operating, so again having that ability to work with partnerships and that ability to understand the threat and being able to have the ability to act i thought was instrumental in the successes that we had. raj: a few questions related to this theme of partnership and one has to do with international partners. if you could speak to what have we learned from our international partnerships, and
12:04 am
where do you see that succeeding? gen. nakasone: certainly we learned a lot from our international partnerships. whether or not it is a very small group or whether not a broader group like nato, one of the first things that we learned is that there is talent everywhere. when you go to a series of different countries, in europe or the pacific, the first lesson that we learned is that talent is not just here. we really have a series of insights that we garner from our partners that work in specific parts of the world. we learned this in our counterterrorism efforts against isis, operating with a series of different foreign partners that were seeing different variants of isis, they provided us a texture to the threat that we just did not have. i think on the cybersecurity
12:05 am
piece, this was the second thing, that localized understanding of the threat that we did not have. the third piece is that there is strength in numbers, so when you are looking at an adversary, in the terms of trying to impact them or whether it is ransomware, always better to have more than less partners. there is strength in numbers. raj: thank you. there are a couple of other questions about the theme of partnerships, and maybe i will boil it down to one question, if there is one thing you could ask for from the private sector, one way they could --with the government, what would be the one thing you want to make sure a lot of the private sector would take away? gen. nakasone: the tremendous partnerships that we need to develop with the collaboration center, jc d.c. for other major
12:06 am
elements working in the private sector, this outreach to organizations like that, that is what is going to give us strength, what is going to have impact, where we went to be able to get to scope and scale. if i might, in terms of our defense industrial base, we have tens of thousands of members of the base and being able to get to scope and scale is being able to work with key partners that have the ability to have so many. we want that same ability, and i am sure that jen feels the same way. the major partners being able to have those partners work with others, that is the critical piece that i think gets us to success. raj: having spoken with you and chris and jen over the last couple of weeks, to my mind,
12:07 am
there is a shift from information sharing to more operationally oriented collaboration, whatever that may mean. is that a fair way to think about it? is that a concerted effort among these partners to try to move forward from the old school days of just information sharing? gen. nakasone: i don't think --we are not going to information share out of the problems that we see today. we have to think innovatively. one of the things that we might be able to provide, whether or not it is being able to do scanning against a series of partners, or whether or not there are other pilots that might be able to identify malware, or what we might be able to do in terms of domain name services, and ensure they are not impacted, these are all
12:08 am
services that we have seen other foreign partners and allies do that have been able to be effective. i think moving from awareness to action, that is the key piece that we want to be at. raj: thank you. we are very mindful of your time so i went to close with one last question, which is cybersecurity is often a lot of doom and gloom. mere perspective, are you optimistic, and what is the best possibility about having some positive news in the future, maybe not tomorrow or the next day, but in the future in the cybersecurity space? gen. nakasone: i see a couple of things. i see a definite momentum. you talked about an inflection point earlier my think there is an inflection point, not only the fact that we have awareness that we have action that is taking place.
12:09 am
leadership, a focus on being able to outreach into the private sector. we have had successes in election security and ransomware, all good indicators that we moved from awareness to action. i think action, while it has not been perhaps as robust as all of us would like, it is momentum that i find heartening, and i think the last piece is that when i leave the store here and i walk outside and walk back to my office, i will pass a number of different offices that people are committed in working on a friday afternoon to be able to get to success. that is the spirit of what is being done here at nsa and cyber command. i am sure it is shared in other places in our government. i really do look forward to the future. raj: that is a positive note to close on. given everything you have on your plate, we cannot thank you
12:10 am
enough. a huge thank you, and i will turn the floor to you. gen. nakasone: thank you. i think this has been a great opportunity to have a discussion with someone that i have worked with and have eight tremendous amount of respect for. as we get ready to end cybersecurity awareness month, one of my great hopes for the future is that cybersecurity awareness becomes cybersecurity action. that is the key piece that we as a nation are moving towards and i look forward to having that discussion in the future. thank you. raj: thank you thank you thank you, sir.
12:11 am


info Stream Only

Uploaded by TV Archive on