Cybersecurity is much more than a tech problem

[MUSIC PLAYING] DAN RICHARDS: From the Watson Institute for International and Public Affairs at Brown University, this is Trending Globally. I'm Dan Richards. Over the last few years, it seems like events that used to exist only in action and spy movies have become reality.

SPEAKER 1: Federal authorities are investigating a major cyberattack targeting America's energy infrastructure.

SPEAKER 2: Someone has hacked into Sony Pictures.

SPEAKER 3: Investigating a North Korean link to this hacking attack.

SPEAKER 4: Colonial Pipeline says it was hit by ransomware.

SPEAKER 5: Experts believe Russia was behind the hack of a company called SolarWinds, sending malware to 18,000 private and government organizations, including the US Departments of Justice, Treasury, State, and Homeland Security.

SPEAKER 6: Top executives from multiple cybersecurity firms telling the Senate Intel Committee that similar cyber attacks are likely occurring in the US right now.

DAN RICHARDS: You've seen it in headlines and maybe you felt it in your own life. Cyber attacks have become more frequent and more damaging. So just how big a threat are cyber attacks? And how do we protect ourselves from them as individuals and as a society?

According to our two guests on this episode, to answer these questions, you actually need to ask some deeper questions about the role of technology in society and about the relationship between governments, businesses, and individuals more broadly.

Congressman Jim Langevin represented Rhode Island in the House of Representatives from Two Thousand-One to Twenty Twenty-Three. Chris Inglis served as cyber director under the Biden administration until this past February. He also served as deputy director of the NSA from Two Thousand-Six to Twenty Fourteen. Under the Biden administration, they were part of a group tasked with re-envisioning what America's cybersecurity strategy should be. As Chris Inglis described it--

CHRIS INGLIS: The strategy is sometimes criticized as being perhaps too ambitious. I actually take that as a feature.

DAN RICHARDS: This spring, Jim Langevin is leading a study group at the Watson Institute on the issue of cybersecurity. And he recently brought Chris Inglis to campus to discuss the work they've done and what this new cybersecurity strategy might mean for all of us. On this episode, you'll hear from Chris and Jim about that strategy and about why so much of cybersecurity actually has very little to do with technology and a lot more to do with all of us.

[MUSIC PLAYING]

Jim Langevin and Chris Inglis, thank you so much for coming on to Trending Globally.

JIM LANGEVIN: Thank you for having us, Dan.

CHRIS INGLIS: Great to be here.

DAN RICHARDS: So I wonder if we could just start with a definition of cybersecurity. I think it's the type of thing a lot of people know it when they see it. But does it have any particular definition?

CHRIS INGLIS: I think you've asked exactly the right question. Most people start with, how do you do it? Which you get lost all of a sudden in all sorts of techniques and technologies and protocols. But you've asked the what question, which I think is the right question.

My simple definition of cybersecurity is having the confidence that the internet and all the things connected to it will meet your expectations, period. Pure and simple. Will it do what you want it to do? Do you have the confidence that when you reach for a light switch or you reach for your bank account or you try to do something using the internet as the means to do it that it will do that?

That's cybersecurity. There's a lot of detail in the how. But that question of what that you've asked motivates us to think of, why do we care about it? Why is it important to us?

DAN RICHARDS: Jim.

JIM LANGEVIN: Couldn't agree more. The internet was developed as this free and open architecture initially for communication. And it has evolved into something much broader that we all use now every day. It's an amazing tool that we've all come to rely on and appreciate.

The challenge is, of course, that there are those who have found vulnerabilities in this free and open architecture and have used it for nefarious intent or to disrupt that ability to have the internet do what you expect it to do as Director Inglis has outlined.

DAN RICHARDS: And speaking of those disruptions or those actors who are seeking to cause disruptions, what are the main types of risks we face when it comes to cybersecurity?

JIM LANGEVIN: Well, it range from nation states or cyber criminal enterprises, rogue hackers. Some do it perhaps either for fun but most often more likely for nefarious intent.

CHRIS INGLIS: Yeah, I wholeheartedly agree with that. It is a continuum. And there's no lack of imagination on the part of those who would hold these capabilities at risk.

DAN RICHARDS: As Chris described it, there are really two layers to cybersecurity. The first--

CHRIS INGLIS: At the foundation, there is data, there are computers, there are systems that connect us to that data and to those computers.

DAN RICHARDS: But the value of all that technology comes from, of course, what we use it for, which is the second layer.

CHRIS INGLIS: Ultimately, all of that data, all of those systems are useful to do something more to deliver critical functions, to deliver your ability to live the life that you want to live, whether it's to access your bank account, manage your personal affairs, manage a business that has to touch things in supply chains you'll never physically be able to reach. Those critical functions are something that live on top of that data and systems. And those are increasingly being held at risk by adversaries in this space.

DAN RICHARDS: Cybersecurity involves managing both of these layers, the technology itself and then the things we do with the tech. Those two layers are also exemplified by the two different paths Chris and Jim took into the field of cybersecurity. Here's Chris.

CHRIS INGLIS: I was a computer scientist in the mid-nineteen-eighties looking to make good use of my skills. I was hired by the National Security Agency. And my first job was to help them build what we called secure computers in the day, perfect computers, computers that would do exactly what they were supposed to do and nothing that they weren't supposed to do.

We realized over time that was not possible for one thing above all others, which is once it came into contact with a human being, they're being somewhat unpredictable and having some degree of initiative and discretion at their disposal.

At best, you could make defensible computers. And as those computers became increasingly networked, what resulted in those days is this field, this idea that we needed to actually attend to what we described in the day as information security that ultimately became cybersecurity.

DAN RICHARDS: Jim came less from the cyber side of this than from the security side of the equation. He was sworn into Congress in January Two Thousand-One just as both national security and the internet were about to become defining features of our society.

JIM LANGEVIN: You can imagine all of the horrors and the fears of what perhaps could come next after 911. We thought we'd be focusing on chemical, biological, radiological, and nuclear threats to the country, the real bad things that could happen.

DAN RICHARDS: But one day in Two Thousand-Seven, Jim realized we needed to be paying a lot more attention to a different type of threat.

JIM LANGEVIN: My staff director came in one day with his hair on fire and said, boss, you've got to get this briefing in a SCIF.

DAN RICHARDS: SCIF stands for Sensitive Compartmented Information Facility. Their place places used for discussing highly sensitive information. Jim went to the briefing.

JIM LANGEVIN: --from these two scientists out at Idaho National Labs who had found a remote way of attacking a turbine, we began by watching the video. This is a used turbine they had purchased. And the generator is operating normally. And then all of a sudden, you see the generators start to spin out of control. And it starts to smoke and shake. And basically, it shook itself apart.

These two scientists came up with a way through-- it's called the SCADA system, which stands for supervisory control and data acquisition system, that allows for the management of things like pumps and valves. These systems have brought great efficiencies to managing our electric grid or the flow of petroleum or water and sewage treatment systems, remote management with greater efficiencies.

But with it has also created avenues for nefarious things to happen, bad actors taking advantage of those remote systems. And that's exactly what they demonstrated. And that was what was the alarm bell to me that said we need to look into this further. If you could do it there on one turbine, you could do it at scale potentially. If some bad actor would do that in the dead of winter, you could imagine not only would it do great damage to our economy but could easily lead to loss of life as well.

DAN RICHARDS: Jim and his team started to look more closely into the security of the networks and computers that run America's critical infrastructure. What they found was not heartening.

JIM LANGEVIN: We spoke to the owners and operators, of course, of the electric grid. Many of them said, yes, it could happen. But we are prepared. But it became pretty evident as you did more and more research, peeling back the layers of an onion that they weren't prepared and more work needed to be done. And so that began my journey in cyber. And I guess I've never looked back. On the way, of course, I met deputy director of NSA, Director Inglis.

DAN RICHARDS: Jim and Chris in one way or another have been working together ever since to increase our country's investment in cybersecurity. And more than just investment, they're trying to promote a more holistic way of thinking about cybersecurity. And what does that more holistic view of cybersecurity look like?

One analogy for thinking about better cybersecurity actually comes from another piece of technology we all use and rely on, cars and automobile safety. You see, there isn't just one company safety feature or government law that makes driving cars safe. And if you stop to think about it, the amount of people, organizations, and businesses all working together and in different ways to make the act of driving reliable, useful, and safe, it's kind of mind boggling.

CHRIS INGLIS: If you're going to buy a car, someone has attended to what its safety features are. Somebody's actually built a road system and sustains that road system. Somebody polices that road system to make sure that we roll up folks who are driving drunk and so on and so forth.

We actually have very sophisticated systems to understand, do I have an expectation of what my role is and what other parties' role is in those other systems? We need to do the same thing in cyberspace. It's that system of systems that contains technologies but has a very significant time and attention given to who's accountable for what.

DAN RICHARDS: As Chris and Jim became more and more involved in the issue of national cybersecurity, crisis after crisis increasingly put cybersecurity and the roles of different groups involved in it into the national spotlight, the Sony Picture hack, the SolarWinds attack, the Colonial Pipeline attack. The list goes on and on. As Chris sees it, the biggest turning point might have come in Twenty Seventeen.

CHRIS INGLIS: In Twenty Seventeen, there was a series of attacks by nation states. In one case, it was the North Korean nation state did something called the WannaCry attack. Microsoft put out the code fix to say, if you simply do this update, you'll be fine. But many organizations hadn't done it. North Korean's attack that brought down the entire national health system of the United Kingdom.

Later that same year, the Russian government brought down the entirety of the Maersk shipping line worldwide, brought down a sizeable component of Fedex's European operations. And you can only imagine how many people and organizations depend upon the logistics both of them bring to bear.

All of a sudden, this thing that used to be isolated to an attack here, attack there, you thank your lucky stars that you weren't under that particular lightning bolt and became indiscriminate and impactful across a very broad area. I think that's when it really came to us that this is something that is not a similar problem one to another. It's the same problem. We all suffer the same problem.

DAN RICHARDS: These attacks and the realizations they led to along with advocacy from example like Jim and Chris led to the creation in Twenty Nineteen of something called the Cyberspace Solarium Commission.

CHRIS INGLIS: The Solarium Commission was created in the National Defense Authorization Act. And we were charged with developing an overarching strategy to better protect the United States against cyber attacks of significant consequence that we needed a master plan to how best to protect the country in cyberspace.

It was nonpartisan, bipartisan. We just rolled the rest. It was a great, robust, in-depth discussions on various aspects of what stronger cybersecurity looks like. In other words, how do we think about this, what should we do about this? And how do we actually deploy all of our resources? How do we have a whole of nation approach to get our arms around this?

DAN RICHARDS: The Solarium Commission made a number of proposals, one of which was to create a new role in government, the national cyber director. The first person to fill that role--

CHRIS INGLIS: I can remember along with Congressman Langevin and others strongly recommended that we have something called the US national cyber director. So we helped form that ball and then using a sports metaphor to hurl that ball into the air. I had no idea I was going to catch it.

DAN RICHARDS: Well, and I wanted to ask about that because, yeah, you began serving in that position in July Twenty Twenty-One. How did you think of that position when you took it on? Obviously, it hadn't existed before.

CHRIS INGLIS: The US national cyber director wasn't intended to create a vertical, somebody with a megaphone that would tell everybody what to do, but rather to form the horizontal. How do we form a coalition of the willing going forward? And so the job essentially entailed doing four things.

One, how do we create greater coherence and collaboration across the federal government? It turns out that in the day-- and we've discovered that most people in the private sector when they looked at the government, the US government in particular, and said, who's doing cyber? It needed a PhD to figure it out.

Second, how do we actually engender, facilitate private-public collaboration? Third responsibility that the national cyber director had was to take a look to the future, not just the present. Fourth responsibility is an inside the government play. But how do we account for the dollars and the resources that are being expended by the federal government, so between the executive branch and the legislative branch that there's a good relationship?

So the US national cyber director came into being as something that was nominated by the president, confirmed by the Senate, and therefore was a compact, an agreement between those two branches to serve the interest of the public to create coherence.

DAN RICHARDS: As national cyber director, Chris led the creation of a new national cyber strategy for the United States, which under the Biden administration was released in March of this year.

CHRIS INGLIS: The strategy is sometimes criticized as being perhaps too ambitious. I actually take that as a feature.

DAN RICHARDS: This strategy touches on just about every aspect of American society. It has recommendations for government, for private companies, for how the two should work together, for how individuals need to change their behavior. Chris said he wanted to make sure the strategy passed what he calls the, quote, "museum test."

CHRIS INGLIS: Ever been to a museum and there are people standing in the far left and the far right corners of the room, and they look at a portrait, and they both say, it's looking at me? That, I think, is what we tried to create in the National Cybersecurity Strategy.

DAN RICHARDS: This strategy has lots of components. But as Chris and Jim put it--

JIM LANGEVIN: The National Cyber Strategy proposes two fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.

DAN RICHARDS: The first major shift?

JIM LANGEVIN: Rebalancing the responsibility to mitigate risks away from end users and towards those entities most capable of accepting and addressing those risks.

DAN RICHARDS: In other words, expecting everyone to have optimal passwords to ardently follow their devices' security features. I mean, we should all do this. But let's face it, it hasn't really worked yet. And as they say, hope is not a strategy. The second major shift?

JIM LANGEVIN: Is to realign incentives in favor of long-term investments that make cyberspace more resilient and defensible.

DAN RICHARDS: So not just getting good at reacting to crises but reducing the number of crises that occur. As Chris put it--

CHRIS INGLIS: We're actually pretty good given our experience over the last 30, 40 years at responding to crises. And there was something about a year and a half ago, the Log4j crisis.

DAN RICHARDS: This was a cybersecurity breach that was relatively quickly resolved.

CHRIS INGLIS: And we did a really good job, which then misleads us to think that we can do that again and again and again. But if we did that perfectly every time, we just lose more slowly. How do we make it such that we build our software, we build our systems, we raise our children so that they're inherently resilient and robust against the threats that naturally occur in this space?

That requires us to double down on how do we go all the way back to the beginning of what are the role assignments? When you buy a car, there's an air safety bag. There's a seatbelt in it. When you buy a pound of the cloud-- I know of your audience, we don't buy it that way. But when you buy a pound of a cloud, there isn't today something that is atomically bound to it that would be the moral equivalent of an air safety bag or a seatbelt. We need to do that.

[MUSIC PLAYING]

And when it's all said and done, I think that we have, touchwood, passed that museum test where there are any number of parties that would look at this and say, that's my strategy. I'm in it. And I have a role to play in it.

DAN RICHARDS: Now, having a good strategy is essential. But of course, that's just the beginning. So what comes next?

CHRIS INGLIS: It's always the devil in the details. And so what lies ahead is actually moving off on the implementation of this.

DAN RICHARDS: I had assumed that Chris and Jim would say that for implementation of this strategy to work, we all need to put much, much more focus both publicly and privately on cybersecurity. But that's not really how they framed it.

CHRIS INGLIS: I would say, to get cyber right, we shouldn't elevate it in its priority. We should subordinate it.

DAN RICHARDS: Here's what he means by that.

CHRIS INGLIS: So this won't be about cyber for its own sake. Any more than bigger brakes on a fast car is about the brakes. It's about the fast car. I want to focus on the aspirations we have for the use of the internet cyberspace.

DAN RICHARDS: How do you envision working with these massive tech companies, which at this point are as big and influential as any auto company in terms of making sure that they are following rules, even if it might inhibit their growth somewhat? Is there tension there? Or do you get a sense there's an opening for more cooperation?

CHRIS INGLIS: I do see that there's an increasing desire for collaboration in this space. There is a certain degree of self enlightenment taking place at the moment. There are a number of companies that on their own volition are saying, I'm going to actually vouch, say, for the resilience and robustness of the products that I produce under all foreseeable conditions.

Market forces then take over at that point. You remember when Volvo started crashing cars into walls 20 years ago and people are like, what's that all about? That's market forces beginning to stand into automobile safety. And they sold more than a few cars based upon they had a better product in terms of the safety features associated with that.

But at that point, there will be the need to say that there's a further distance we need to go that we cannot leave this to market forces alone. And we'll have to stand in using our regulatory authorities. But that has to be done not as a blunt force tool but using the degree of consultation with the affected industry so that we understand what the real points of influence are.

Let's not regulate the wrong things and impose costs that have no benefit. So if we get that right, we can then achieve the degree of harmony that we today have. And again, you mentioned it, automobiles which don't exist alone.

JIM LANGEVIN: The way the ecosystem works right now is that there's this incentive to be first to market versus secure the market. And so we want to change that dynamic. And the question is, how do we do it? Some will happen on its own, good intentions, of course.

Others may require more regulation, or you can use market forces. For example, the government is a huge purchaser of software and hardware. And using that purchasing power to require certain things in software so that it is more secure, which will have positive effects, spillover effects in the private sector.

I often have used the analogy that we have the safest airline industry in the world, certainly both because of the good intentions of the airlines. They want to get their passengers safely from point A to point B. But those good intentions get us about 80% or 90% of the way down the field.

The rest of it, we are lucky that we have the FAA and the NTSB or the Congress that required certain things be done to ensure that we have the safest airline industry in the world. That's what we want to do with cybersecurity.

DAN RICHARDS: What worries you both most about the future of cybersecurity?

CHRIS INGLIS: The thing that keeps me awake at night is not the answer that's expected, which might be some rogue nation state or some criminal gang that's hiding in some sanctuary. It's our own complacency. It's our-- what I describe sometimes as proactive ambivalence.

We all know that there's a problem. We can smell the smoke, occasionally see a sliver of fire. And we assume somebody else is going to fix it. We're hoping that there's some group of champions, maybe people who have the word IT or cyber in their job title that they'll fix it for us. That is not going to happen. Those assignments have been made.

And each of us has to play a part in the defense-- in the creation of resilience and the defense of that resilience in this world in the same way that when I came to Brown University today, I drove a car. And I parked the car. I locked it. I didn't leave an iPad on the dash. I looked around to make sure when I crossed the street between the parking garage and the terminal that there wasn't a car coming, so on and so forth.

I actually participated in my own defense in a world where I had every expectation that somebody had actually engineered the roadways and the parking garage and the airport so that it was easily navigable, that somebody was taking care of the things that only they can do. We need the equivalent of that in cyberspace. Individuals have roles. Organizations have roles. Governments have roles. Once we get them largely defined, we'll sort it out as we go forward.

JIM LANGEVIN: Yeah, and I think Chris hit on something really, really important, that the one thing that still is left undone with a lot of work to do is instilling that sense of responsibility that we all have to be good stewards of our own safety and safe operation of the internet and use of the internet in cyberspace.

So practicing good cyber hygiene is essential. If everyone used strong passwords and two-factor authentication, make sure that you're operating the most up-to-date software, you're buying your security patches, not clicking on malicious links, all the basics, we'd go a long way toward having a much more secure experience and much more secure cyber ecosystem.

I've often said that we still need a Smokey the Bear campaign for cyber that you can prevent forest fires or you can prevent cyber attacks or cyber intrusions. It would go a long way if we can elevate that national conversation, starting hopefully in our system of education. It's a great place to start. I know there are some things that are going on already in that space. But we need more.

CHRIS INGLIS: And we have some great role models in the world.

DAN RICHARDS: Including one role model for whom the stakes of good cybersecurity could not be higher.

CHRIS INGLIS: But I would give a particularly sharp shout out to the Ukrainians for all the reasons your audience might appreciate and one thing more, which is I think they've done a masterful job at defending their cyber infrastructure. And it's not because they have the best technology in the world. It clearly is a moment in time when there are ragged edges under physical and cyber assault by the Russian onslaught.

And yet, they have built on top of that a degree of expertise on the part of their people, the professionals who do information technology and cyber work, but their are people as well, such that the Russians have been vexed beyond all measure trying to hold them at risk.

DAN RICHARDS: Another thing the Ukrainian government has done has been to keep their eye on what all of this cybersecurity is for. To go back to Chris's metaphor about why you put big brakes on a car--

CHRIS INGLIS: They've never lost sight of the end game. I was talking with the deputy prime minister of the Ukrainian government not long ago. And he talked through all of the things that they're doing that I've just briefly described. And he said, but one thing more. He said, we have to make sure that we continue to deliver the new innovative digital service to our citizens at the rate of at least one a month.

I said, like? He says, like being able to file their taxes online, being able to have digital identities that are easy and efficient to use broadly across the economy. And I just was thunderstruck that in the face of this onslaught, in the face of this perhaps propensity to look at your shoes as you're being beaten about the head and shoulders, that they have their eye on the horizon, and that they still have very positive and compelling positive aspirations about the use of digital infrastructure. That's a great example for us to follow.

JIM LANGEVIN: And to build on what Chris said, just two weeks ago, I was able to bring General Nakasone here who was the director of NSA and who had it as the four-star general in charge US Cyber Command. And he described our partnership with Ukrainians and how we have been defending forward, defending early, and helping them to identify the vulnerabilities in their own systems, which those are lessons learned for us as well, and again, helped the Ukrainians to be even more prepared to deal with the Russians.

And I'm convinced it's a major reason why the Russians have not been as successful as we thought they would be through use of cyber attacks either against Ukrainians or any blowback that we might have experienced here in the United States.

DAN RICHARDS: Incredible example. And yeah, heartening in the sense, too, of it's not exclusively about how much money you have or how much technical expertise you have. It's also about just the bigger societal commitment.

CHRIS INGLIS: Technology matters. Expertise matters more. And coalitions and collaborations matter all the more.

JIM LANGEVIN: Absolutely.

DAN RICHARDS: I think that's a wonderful and for me somewhat unexpected note to leave this amazing conversation on cybersecurity on. So thank you both so much for talking with us today on Trending Globally.

JIM LANGEVIN AND CHRIS LANGEVIN: Thank you, Dan.

[MUSIC PLAYING]

DAN RICHARDS: This episode of Trending Globally was produced by me, Dan Richards, with production assistance from Sam McKeever Holtzman. Our theme music is by Henry Bloomfield, additional music by the Blue Dot Sessions. If you want to learn more about the Biden administration's National Cyber Strategy, we'll put links to it in the show notes.

And if you like Trending Globally, please subscribe. And give us a review on rating wherever you listen to podcasts. And better yet, tell a friend about the show. If you have any questions, comments, or ideas for guests or topics, send us an email at trendingglobally@brown.edu. Again, that's all one word, trendingglobally@brown.edu. We'll be back in two weeks with another episode of Trending Globally. Thanks.

[MUSIC PLAYING]