Skip to main content

tv   NSA Director Discusses Cybersecurity Law  CSPAN  November 5, 2021 1:29am-2:29am EDT

1:29 am
a front row seat to democracy. >> coming up friday on c-span. the houses back at 8 a.m. eastern to take up the latest version of president biden's in social spending bill, and a $1.2 billion -- trillion dollar infrastructure bill. and on c-span2, a memorial service will be held for four-star general and secretary of state colin powell. you can watch both events on or our new video app, c-span out. >> next, a discussion on national cybersecurity with nsa director and commander of u.s. cyber command general paul nakasone. he addressed several topics, including election security and ransomware attack's. this is an hour long discussion. >> my name is raj de.
1:30 am
it is a total privilege to be here with general paul not get sony -- nakasone. please put them in the chat and i'll try to work them in our conversation. now, general paul nakasone serves as the commander of u.s. cyber command and director of the national security agency and he served in that capacity since may of 2018. he previously commanded u.s. army cyber command from october, 2016, until taking over this role. he's a native of white bear lake, minnesota, and a graduate of st. john's university in collegeville, minnesota, where he received his commission to the reserve officers training corps. he holds graduate degrees from the u.s. army war college, the national defense intelligence college, and the university of southern california. general nakasone has held
1:31 am
command and staff positions across all levels of the army with assignments in the united states, korea, iraq, and afghanistan. in fact, his last overseas posting was as a director of intelligence, j-2, at the international security assistance board joint command in kabul, afghanistan. general nakasone has commanded the cyber national mission force at u.s. cyber command previously. and he's commanded a company, battalion, and brigade and served as senior intelligence at the battalion, division, and corps level. i call him a friend. it's a total privilege to have you. welcome. gen. nakasone: hey, raj, thanks so much. thanks to american university, the technology, law, and security program that my good friend is running and also my great associate is the scholar and resident. it's nice to appear on this friday fireside. rajesh: you wear multiple hats
1:32 am
as director of n.s.a., commander of cyber command. for our audience, can you describe what those organizations do, how they relate with one another and cooperate with one another and what role each has in our -- the cyber mission for our nation? gen. nakasone: great question, raj. u.s. cyber command is one of the combat and commands, one of the 11 from the department of defense. i work in that role for the secretary of defense and the president. we're 11 years old. think of us as doing three things. first, we defend the department of defense's networks and data systems. we have about 4.5 million end points. about 3.5 million users. about 600,000 mobile devices spread across both the classified and unclassified networks. the second piece is that we work very, very closely with the federal bureau of investigation
1:33 am
and cisa to ensure the security of the nation in cyberspace. the final thing, we provide support to all of our combatant commanders. so whether or not you're deployed around the world, whether or not you're in europe or the pacific, if you need cyber support, it's going to come from u.s. cyber command. so that's my cyber command side. let me talk a little bit about the national security agency. next week we're 69 years old. we are far from a startup. but really i would tell you we're a global organization, as you well know. we're spread around the world. our focus is two-part. first, we do intelligence outside the united states, very, so if it's on a wire an email, , transitioning to cyberspace and we're trying to gain insight . second piece, we do cybersecurity. this is part of a mission that's not well-known about n.s.a. in that piece, we do really two very, very important things.
1:34 am
first of all, we do all the code making for our most critical and lethal weapon systems. so think of our most lethal weapon systems, we're doing the actual coding for that to make sure we have assurances of being able to communicate and being able to authenticate who's using those systems. the second piece is we're focused on the technical side. being able to identify and eradicate threats in cybersecurity with partners like u.s. cyber command. here's the big piece that i think this is important. most people just think, hey, you're all together at cyber comm and n.s.a. no, we are not. we have separate authorities. we have separate funding, separate oversight on both u.s. cyber command and n.s.a. there are two things in common. one, there's one person that leads them. that's me. the second thing is, we separate -- operate in cyberspace. so you say, why do you have one
1:35 am
person leading both of them? because if you want to get to speed and agility and effort, that's really what it leads to. rajesh: that's really helpful and lays the ground work for folks to appreciate the roles you fit in. now, you've had these hats for a few years now, since spring of 2018. what are those priorities and have they changed since you stepped into them? gen. nakasone: so i would imagine most of the speakers you talked to to say this, my first priority is talent. when you think about at the national security agency, we hire 1,500 this year. u.s. cyber command, 200 people this year. we're looking for top talent. we're looking for the best of the best to come and work in a mission that is so critical to our nation. and so people say, what do you think about a lot? i think about talent and i think
1:36 am
where do i get better talent. because the same talent that i'm trying to get is the same talent that is being wooed by private industry. this is an issue for us. i thought a lot about this in three years. i think the way that we approach it as a government is good but it has to get better if we're going to continue that high standard of talent. second piece, i think all about readiness. i think how we're going to do our missions better. let me give you an example. so i talked a little bit about n.s.a. and our foreign intelligence mission. you can well imagine that indications of warning is really important to us. how do we ensure we understand both, you know, the intent of an adversary and perhaps their capability? nsa has done this for, as i was saying, almost 70 years now and they do it extremely well. but that doesn't mean we can't get better at it. and it's the same way in the cyber, side -- cyber comm side,
1:37 am
we have teams across the globe in support of many customers. how do i get them to be at the peak readiness? how is it that readiness that we are so accustomed to seeing in special operations forces or our elite units, that's what i'm trying to drive at u.s. cyber command and n.s.a. the last piece is partnerships. chris amo's was on last week. no better person to talk about partner partnerships. i learned so much from him watching him prior to his role as deputy director and now as national director in terms of how do you bring the partnerships together? our partnership begins the partnership between n.s.a. and cyber command. when you operate in cyberspace and you asked me what's different over the past three years, operating in cyberspace today means operating with the private sector, operating with international partners, operating with academia. you know, this is a big piece of what we need to be able to do and there are a lot of contributing members to this. so how do you build really substantial partnerships?
1:38 am
rajesh: thank you for that. i do want to return to this topic of workforce and talent a little later. a question that comes to mind is you and anybody in this field could be burning a lot more money in the private sector. but what often attracts us many of us to public service is a sense of mission. maybe you can speak to that just from your own personal experience, the motivation of mission? gen. nakasone: one of the things i think you realize with age hopefully, and i have a lot of age now is the fact that there probably two important things about your job. the first important thing is you have to get up every morning and really enjoy what you do. ok. that ties to the piece of mission. that's exactly what you want to be doing every day. i get excited every day i get up, i'm going to work. i'm going to be working with incredibly talented people or working in the defense of the nation or thinking about this domain of cyberspace.
1:39 am
we're thinking about how we get better. here's the other piece of the equation i think is so important. who you work for and work with. i had the tremendous privilege over three decades to work with incredible leaders across the military and civilian sectors. a lot of them that have been residents here at cyber command and the national security agency. that motivates me. in terms of the compensation that i get, it's the compensation from the mission i work every single day and the people i get to work with and work for. this rajesh: that's really great to hear. i know a lot of young lawyers appreciate what motivates you and what could be motivating them. you talked a little bit about the landscapes for relationships you shaped. there's been a lot happening in the headlines, whether it's the solar winds events, the
1:40 am
microsoft server attacks, rans om wear. there's a lot happening out there. can you tell us from your perspective what the threat landscape looks like and how it's changed over time? gen. nakasone: the threat landscape. let me go back to when i first started working cyberspace exclusively which was about 2009. 2009, 2010, just in the -- as we were starting to think how do you stand up cyber command and what would it be, it was focused on this idea offess espionage. we were concerned about people coming into our classified networks and stealing secrets. and over a period of a couple years, we started to get very concerned about actors that started to do disruptive attacks against us, like that denial of service attacks against wall street. being able to use the cyberspace to then move into the information sphere. i think coupled in 2015 with the realization of the hack of the
1:41 am
office of personnel management that we lost so many records and so much data, we started to see kind of the trend of cyberspace going from just focused on espionage to disruption and what you talk about today, if you consider what our nation has been through in the past 10 months, we begin with solar winds, microsoft, colonial pipeline, r.b.s. we've seen data attacks, supply chain attacks. we've seen the scope and scale of our adversary. it's different. i think this is, you know, the key piece i bring today, even in three years, we have seen a tremendous effort by adversaries to come into the medium of cyberspace and obviously impact us. but i think that's one portion of it. i think that's an important portion we always have to be focused on. but the other thing, raj, i
1:42 am
would tell you, we have not been static as a nation either. the fact we watched this and this all occurred, remember, this is 2009, we stand up to u.s. cyber command, and we start to think about how do we build capacity. how do we build against partners like isis? how do we get to the security of our elections in 2018 and 2020? how do we build effective partnerships to get after ransomware? and the executive order. this has changed dramatically on our side as well. it's one of those things you have to look at both sides of the coin there. rajesh: and do your mind does it feel like we are at a turning point in any sense, an inflection point, big picture? gen. nakasone: i think that's an interesting question at good point. the american public is much more
1:43 am
aware today of cyberspace and we talked about it in 2010 and 2015 and a little bit with the elections. when a good portion of the gas pipeline on the east coast is being impacted by a cyber actor, i think there is a different feel in the nation that this is tremendously important. that we have to be able to get after it. it enter into people's consciousness who wasn't think about it before. now, many years before i worked on the 9/11 commission and one of the themes that came out of that was that terrorism, before 9/11, was viewed as a law enforcement problem. and really needed to be thought of holistically as a national security issue. you have said that ransomware used to be characterized as a criminal activity, but today you see it as a national security issue. your mind, what's the importance of that distinction from criminal activity to national
1:44 am
security priority, and to the extent you are thinking of a surge, what would that look like? gen. nakasone: if we would have had this friday fireside chat a year ago, i probably would say something like, yeah, i think law enforcement is working ransomware and what's changed over the past year, i come back to this idea of our adversaries in terms of scope, scale, sophistication what they're doing, ransomware is an event that effects so many. to your point of an inflection point. this is affecting the local level. this is affecting the private sector and national security. and so when i talk about ransomware, it has to be a -- if it is able to impact our critical infrastructure, i'm certain it has to be a national security issue. the next question, what does that mean? well, i think it means that the
1:45 am
nation brings all of its instruments of capability to bear on a problem like this. as i look at that and one of the things that we have said is if this is affecting the nation's security, n.s.a. and u.s. cyber command will be in the middle of it and we want to make sure whatever we're going to to assist law enforcement or assist law enforcement security or cisa, we want to be the best partner. to your point on surge. what does search mean? surge means that here for us, we bring our best people together. we focus on a singular problem. we look at different and creative ways to get at that problem. we think of how do we generate insights on it, how do we share information on that, how do we impact the nation? searches are -- surges are one
1:46 am
of those things that i think we do very well here, particularly on a very, very focused problem like ransomware. rajesh: and if you had in your mind's eye about vision, will this ever be over, and it's hard to imagine there being a moment when it's over, but how do you think we live long term with that threat out there? gen. nakasone: so i think, again, if this is a and develop -- national security issue, there are going to be a number of levels where we have to go after this. at the policy level, the national security agency is going to work on that and think about the right both within the policies united states and our adversaries. i think there is in the middle a huge effort going on between public and private. so how do we communicate better with private industry? how do we work with private industry coming back to us? what are the responsibilities of what we need to provide as the
1:47 am
public sector to the private industry, and similarly, what does the private industry have to provide a bag -- back to the public sector? a lot of it is about awareness. it's at that individual level of, are you aware of it? are we taking all the different necessary steps that protect our individuals and local businesses and local governments from what really has been a very difficult issue over the past 12 months. rajesh: you mentioned public-private corporation, so maybe that is a good topic to turn to. in particular, critical infrastructure, which is the core of our national security concern, seems like an area that is ripe for public-private cooperation, given that much of our infrastructure is owned by the private sector. maybe you could expand on how you think the public and private sector could work together in this space for the common good, and what role do the public
1:48 am
sector, particularly nsa, cyber command play in that regard, and what would you like to see? gen. nakasone: you hit the first point. about 90% of our critical infrastructure is in the private sector. within the public sector, that is fact number one. we have to understand, if we are going to ensure the defense of that critical infrastructure, we need to have a partnership with the private sector. the other piece is, for us at u.s. cyber command and national security agency we are focused on two different ways of doing this. how do we enable our partners and then act? enabling our partners. as i talk about nsa as an ability to garner foreign intelligence, provide technical intelligence and expertise on cybersecurity, why don't we enable our partners with it? i would perhaps amend one thing. what are we doing today?
1:49 am
let me give you an example. january 2010, nsa discovers a significant vulnerability in windows 10, and provides that to microsoft. one of the unique things is we took credit that we did that. you might say, why did you do that? i am sure that there were people telling you that you shouldn't do that. the reason that i decided to do that was because i think there is a certain importance that goes with our technical expertise, when we stand behind something and say, this is a vulnerability that we at the national security agency have found. we have taken that idea and also expanded it into, how do we do threat advisory? we have done a number of cybersecurity advisories with fbi, dhs, cisa, and we say these are the activities, tradecraft of what the chinese are doing, the top 25 issues with vulnerability, or this is what select russian actors have done. all at the unclassified level.
1:50 am
i think that is a really important piece of what we have done at the nsa. let me go to the cyber com side. much has been talked about, hunt forward operations. in 2018, we decided to send a series of teams to different parts of the world at the invitation of our friends and allies, to assist them to hunt on their networks with them. we were able to find a series of malware. when we found that malware, we provided it to a commercial cybersecurity provider that rapidly spread information to all other cybersecurity providers. think about that. you just inoculated a lot of networks based on malware that we were able to find that our adversaries were using. that is the type of work we have to do to enable and act in terms of being able to assist the private sector.
1:51 am
if i might, i know a little bit long-winded, let me talk about the private sector. a couple weeks ago, i was able to speak with kevin mandia at his conference. we highlighted the fact that during the solar winds intrusion, the tuesday before thanksgiving, kevin came into nsa to say i think we have a problem here. he came to nsa to have that discussion because the partnership was tight. he knew exactly what we could do, we had worked with him. then we were able to put the pieces of the puzzle together with kevin. think about that. someone with that type of expertise coming forward and working with us, and then much to kevin's credit, going public and talking about this intrusion. that is an example of really effective public-private
1:52 am
activity. rajesh: thank you. it sounds like a core theme is the collaboration happening, whether it is the tri field products going out to the government or the public and private cooperation. gen. nakasone: can i make one follow-up statement? because i think it is important, and really a credit to the work that kevin and so many did. if you are an adversary, the success of being an adversary is not being found. being able to expose something like solar winds, that was able to take down what had been a very broad attack against so many different sectors of our nation, and then being able to find it and expose it, that is a loss for our adversaries. that is credit to the private sector and some of the folks here working at nsa and other parts of the government to be able to expose them. rajesh: that's a really interesting point. we read a lot about exposures of campaigns that are out there,
1:53 am
and a pessimist might say, another thing is happening and we have now uncovered it. but exposure and attribution, calling adversaries out, can be viewed, and is viewed as a success, i take it. gen. nakasone: perfect world, we always want to be left of theft. that's where we need to be. to the point of, were you trying to drive the agency in command? we want to be that ready and able to do that. but we also have to put this in perspective as well. when you're able to uncover that, when you're able to inoculate so much of our cybersecurity end points against malware, we have to take that into equation as well.
1:54 am
rajesh: one theme we are referring to is collaboration, and there are a couple of relatively new centers at an essay and cyber command. the cybersecurity collaboration center, and then something at cyber command. could you tell the audience about what these efforts are, what they are really about? gen. nakasone: you asked me previously, what has changed in three years? when i came to the agency in the command in 2018, one of the things that was pointed out to me was the necessity to get the ideas outside of the agency and command into the agency and command. dreamport is a good example. u.s. cyber work closely with the maryland innovation security institute. we bring together both our developers and the private sector to talk about our most pressing problems. if we are talking about zero trust architectures, identity management, talking about how is the best way to architect the
1:55 am
networks of the future, it is done in a place like dreamport where you park your car, walk inside, have a discussion. it is different than coming to our headquarters where you cannot park your car and walk inside and have a discussion. that is the same idea that really motivated us to think about the cyberspace collaboration center for nsa. we wanted to have a place where we could bring private industry, people from academia, other partners to have a conversation, whether in person or virtually, to be able to do this. if you are thinking about cybersecurity, and so much of the talent and work being done is also being done on the private sector, we certainly don't have a monopoly on that. what we have found is working at the cyberspace collaboration center, which is less than two years old, our focus is the defense industrial base. the portion of our critical infrastructure that is really
1:56 am
fine tuned to providing us capabilities in the department of defense. we have over 100 partners, working day and night, doing two things. first of all, getting information, and then sharing information. that is the whole invaluable piece of having centers like this, to have the public-private partnership. rajesh: you referred to the ease of meeting with people, driving your car up to a building, and for folks on the outside, nsa and cyber command feel like impenetrable classified environments. these centers sound like great strides forward to have these kind of discussions. to my mind, it seems unimaginable a few years ago. can you talk about the challenges of breaking through that sense of secrecy at nsa, cyber command to facilitate something like this? gen. nakasone: i think, raj,
1:57 am
what you're really speaking to is culture. how do you change culture in terms of what is transpiring in the environment? i would offer a team effort. as we were operating in cyberspace for a number of years, the government didn't have the monopoly necessarily on great ideas. we saw so much being done in the private sector. we came to the realization pretty quickly that if we are going to be effective in being able to work with this series of partners, we had to have this capability. it's not easy and we had a lot of discussions, but at the end of the day, i get great credit to the leaders at the agencies and command to get these things done. and we have learned a lot. if you think about what is the private sector thinking of us? that is an interesting question. one of the things that i think they believe about us is, there are couple of really valuable things.
1:58 am
one, we bring the insight of foreign intelligence. the insight of foreign intelligence, that is the secret sauce that is really in the cyberspace collaboration center. secondly, we bring huge talent, whether on cyber command or nsa side, being able to talk to someone that has that level of expertise, that has looked at the development of a network, variations of malware, pretty powerful. the last thing is, there is a greater appreciation that our focus on getting to an outcome is as strong as anyone, any place, anywhere. rajesh:well said. i have a question from the audience. traditionally, the intelligence community's greater successes are closely guarded secrets.
1:59 am
how do you figure out how transparent the nsa can be when it succeeds in uncovering and adversaries cyber operation? how do you strike that balance between secrecy and being transparent with the public and partners? gen. nakasone: that is an excellent question. our agency has changed over the past several years. i would tell you that be there no doubt within the one in the -- anyone in the nation that our fundamental commitment to civil liberties and privacy and the fourth amendment is rocksolid. it is something that we swear an oath to and that we trained to, that we have oversight to, that we take extremely seriously. i think when we consider what is it exactly that we need to share, it does begin with the idea that is this going to the
2:00 am
able to have a positive impact on the security of the nation ? that is where i begin. certainly there is a number of different factors that play into that, the sources, methods, what might be the second quarter effects but it comes down to is this going to be the betterment of the security of the nation, so it is an easy way of saying that in a much more complex process as it plays out. [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit]
2:01 am
national cyber direction -- director? gen. nakasone: we are proud of chris and jen and ann. to be named to those positions that are in the leadership of what we are doing is great credit not only to them but to our agency and the weekly --work we have done for many years. chris could not have been a better choice in terms of being the national cyber director based upon his work on the commission. right now being able to bring together so many different players in how we defend the nation in cyberspace in the thought process of what are the unique values that each element of the government brings, so we as an element of the department of defense are very closely working with chris and in both our role as national security
2:02 am
agency and as u.s. cyber command. chris has done a great job to really start to bring together the key players of how we do this as we take a look at the vulnerabilities that our nation has. jenny has both the responsibility for our 16 sectors of infrastructure and defending the .gov and now with the program that she has put together and the partnership with the private sector, that ties closely to our cybersecurity director. being able to have the conversations where we have folks at cisa and cisa has folks here has been powerful. i would add another piece that we did not mention but that is really important, the fbi. under the direction of chris right we have worked closely with the fbi and since a
2:03 am
beginning with the elections, but the power of what they do and being able to bring their talent and their capabilities together with what we are doing has proven to be very effective. raj: thank you. i will ask a little bit about the cybersecurity director, but before i do, maybe a little inside baseball. i know that you and others were involved in standing up to cyber command and now could you tell us a little bit about your role back then in helping to set up cyber command? raj: in two thousand nine, in march, chris english had called down to my office and asked that i come out to talk with him. little did i know in march of 2009 that really what he was talking about was putting together an idea to stand up to this command that became known as u.s. cyber command. between myself and jenny and tj
2:04 am
and major general davis, we worked for about 13 months to put together the construct that became approved as u.s. cyber command. raj: that is fantastic. it is obviously a success, and you get to live with that, but any failures? let me ask you a little bit about the cyber security director. can you tell us what that is at nsa, the role, and why did you look to stand it up? gen. nakasone: as we talked about at the beginning, the national security agency has two missions, to forward intelligence and the other is cyber security. when i arrived, one of the things that i came to the realization is that we had lost a little bit of our way in cybersecurity, and i wanted to
2:05 am
reinvigorate what i felt was going to be an important mission for our agency. the best way that i knew how to do that was to put one person in charge, to give them the resources and also the mission, to make sure that they were successful. in the fall of 2019 we stood up the cybersecurity director under the leadership of ann newberger and from that, we decided that as we moved forward there were two elements that the director was responsible for. one was the prevention pizza, going back to making code, the encryption mission. the other piece was a new piece, the eradicate piece. people said eradicate? what we want to be is not reporting on threats, we went to get to the outcomes against
2:06 am
those threats. so that word was the second piece of what cybersecurity is responsible for. how do we look at an adversary and how to use a number of different partnerships, capabilities to be able to get after them, and hopefully with a true end state of being able to eradicate that threat. raj: maybe this would be a good time for a question from the audience. what are the nsa and the community doing to help eradicate the ransomware system? gen. nakasone: i think the first piece is generating insights paid one of the things that we have learned, particularly in the work in election security is you have to know the adversary better than the adversary sometimes knows himself who are the actors, why are they operating from, what are their capabilities?
2:07 am
and how do we bring more partners into what is a very difficult mission, so to the point of if you are looking to have an impact against ransomware, you need partners beyond nsa and cyber command. how do we be able to get dhs to co-sale aligned and what we are doing and work in collapse and --collaboration so rapidly? what we have found is speed matters when you're dealing with adversaries like this. so that is what we have really focused on and i would tell you that we continue to work that extremely hard because as quickly as we are moving, the adversary is moving as well. raj: that ties nicely into another question from the audience about speed of the threat. unlike some other military domain, you spoke about
2:08 am
readiness earlier. could you speak about how the mindset needs to be adjusted and mobilization needs to happen differently when it comes to cyber security as opposed to other traditional military domains? gen. nakasone: let me give you a story. this is important to illustrate perhaps as the question has alluded to this idea of new thought. in the fall of 2020, we worked closely with the connecticut national guard. that connecticut national guard was working with u.s. cyber command through a capability we call the cyber nine liner, the capability to provide information about activities that you might be seeing. identifying ransomware rapidly in connecticut, these guards were able to wring us information to cyber command and
2:09 am
able to search on it and working in partnership, and all credit to the connecticut national guard, they were able to be able to obviate a threat to public school system in a significant portion of connecticut. this is the fall of 2020, as kids are getting ready to go back to school. for me, in 2018, when someone would say put speed, i probably would not have thought speed like that. that is an example of that program where the capability was so quickly able to identify and then some capable people being able to address it. raj: a great way to relate it. thank you. i will turn to some other questions, but i wanted to return to this question of the workforce, since that was something we discussed earlier. what efforts are being done to develop this cyber work foss -- force, and are the things you
2:10 am
think we could be doing better at least from a government perspective? gen. nakasone: let me start from the latter portion. if someone would say explain to me about the ecosystem of talent management for both the command and the agency, i would say we do a tremendous job of being able to recruit people. we do not have a shortfall in trying to find people that want to work with us or for us. then we do an equally good job of training these people. retention, that is more difficult in terms of trying to retain someone. i will come back to that in just a second, but there is the area that we really are struggling with that i think we have to address, how do you allow them to rejoin you? if you leave the government sector and go to the private sector, coming back is
2:11 am
difficult, not something that is easily done, and it takes a long time. how do we do that more quickly, encourage people that perhaps are not like me, but want to leave and want to come back, i what those people back. i want them to come back rapidly with all of the insight of what they've done in the private sector and come back and be able to do what they want to do in our missions state street that is something that we just have to get after. i think we will, but it is something that your last point is a challenge. now back to the first point, what really matters is i heard bill mcraven just recently talk about the greatest national security threat to the nation. you would think you could name different things. what he said was k-12 education. interesting. i was thinking, one of the things that we work hard at nsa
2:12 am
is to develop these cyber generation caps -- camps with the national science foundation and others to be able to across the country encourage young people that science, technology, engineering, mathematics, is a great place, and the opportunities are unlimited. it is this idea that really gets the ill -- to bill's point, that coding is cool and the idea that you have a future at a place like cyber command or nsa, whatever it is, it is this population of the folks that we need in the future. see the numbers now. we are short. this is one of the ways that we are interested in and one of the ways that we hope to generate
2:13 am
interest. raj: that is well said. i have a 10 of questions from the audience and i will pose a few to you in the time that we have. the first has to do with -- are the things that you would like to see from congress? whether it has to do with approval, and i guess i would just ask you how do you view the bipartisan issue dynamic when it comes to cybersecurity? clearly washington is a pretty partisan place and cyber security may be one of those areas that lends itself to cooperation. i welcome your thoughts. gen. nakasone: in terms of the policy, i think this is best left to chris english and and newberger and those that deal with the policy framework. where i see it as an operational leader are some of the work that
2:14 am
has been done on both the senate committee and the committee on intelligence to generate new capabilities, that allows us to hire people more rapidly. we welcome those and those have been beneficial to what we have done. in terms of cybersecurity, no doubt, it is an issue that everyone is focused on. i think everyone agrees this is a critical piece, so in my role i see it as being able to not only report on a problem, but what we are doing about it in terms of my role as commander of u.s. cyber command. clearly a lot of interest on the hill and other places on cybersecurity. raj: another question has to do with international norms, and without getting into this the best civics -- specifics, but as an operational leader, you think
2:15 am
there any rules of the road out there when it comes to foreign threat actors or really have we not set any guardrails, and are you seeing at least operationally, people are willing to do almost anything? gen. nakasone: i can speak from where i sit as the director of nsa, we have norms that we abide by and we obviously abide by the laws and the rules of how we operate. i think that one of the things that we certainly have learned in the past several years is that persistent engagement, the ability to operate in cyberspace against adversaries is an important way in which our adversaries understand what is important to us. i think the work that we have done in events like security of elections is important to that. raj: you mentioned persistent engagement. we have a question about the defense department defend
2:16 am
forward strategy. could you explain that, the import of that way of thinking. gen. nakasone: in 2018 that dod released their strategy and one of the elements of the strategy was this idea of defense forward, how do we operate outside the united states and the department to be able to identify threats and counteract those threats and ensure those threats perhaps did not come to the homeland. from that idea of defend forward, we at that cyber command developed the idea of persistent engagement. persistent engagement is really two things, the ability to enable partners and also to act. so enable our partners, whether or not they are international or inter-agency or industry partners, and that is the ability to act, acting outside the united states. being able to disrupt the
2:17 am
infrastructure of perhaps an attack by an advertiser --adversary coming to the united states. that is the idea of persistent engagement, ensuring that we are operating within the construct of the defense forward missions. raj: thank you. another question is about deterrence, and the question really is about getting your thoughts on the value of deterrence in cyberspace, sort of the operational goal and how you think we are doing in terms of deterring foreign threat actors from taking action even more extreme than we are seeing? gen. nakasone: i began with the topic of deterrence, so that is not nuclear deterrence. they are obviously very unique things in their own right. i think, i talk about the domain
2:18 am
of cyberspace and we are still learning about how to apply deterrence. one of the things that the secretary of defense is integrating deterrence, to use the partners, how do we operate in a way that is different to be able to impact. we have done that now in a series of operations. one of the things that i have learned and operating in cyberspace is that it is something that needs to be continuous, to be an operation that is always ongoing, whether or not you are operating to build resilience or to give greater insights. it is something that you don't just stop and then in five weeks or five months or two years, decide to start operating again. this is a different domain. raj: thank you. i have a question about election
2:19 am
security. i think i will frame it this way, could you discuss a little bit about the efforts that have gone into election security, and it feels from the outside that we have made quite a bit of progress, but maybe just describe what it looks like from your spot. gen. nakasone: in 20 18, as we were getting ready for the midterm elections, one of the things we had done is we looked back and said what are our adversaries doing in previous elections, and one of the things that they were successful at, and what were their vulnerabilities, and one of the realizations we came to was if we were going to have success, we needed a strong series of partnerships. the first one we needed was between an essay and cyber command, the genesis of the birth of the --group, the best of the agency and the command underwent leader to be able to get after what was at the time
2:20 am
we thought a very dangerous election oncoming. we had a success. the things that we learned was that we had success not because just u.s. cyber command and an essay or working together, but because of our partners. we were focused on one threat in 20 18, and i think the follow on question is what changed in 2020. our partnerships got bigger. it was not only just nsa and fbi and cisa. it was broader partnerships within the federal and local and state government and also academia, being able to work with a series of good subject matter experts that understood the threat. and the big thing was a series of other threat actors that were operating, so again having that ability to work with partnerships and that ability to understand the threat and being able to have the ability to act i thought was instrumental in
2:21 am
the successes that we had. raj: a few questions related to this theme of partnership and one has to do with international partners. if you could speak to what have we learned from our international partnerships, and where do you see that succeeding? gen. nakasone: certainly we learned a lot from our international partnerships. whether or not it is a very small group or whether not a broader group like nato, one of the first things that we learned is that there is talent everywhere. when you go to a series of different countries, in europe or the pacific, the first lesson that we learned is that talent is not just here. we really have a series of insights that we garner from our partners that work in specific parts of the world. we learned this in our
2:22 am
counterterrorism efforts against isis, operating with a series of different foreign partners that were seeing different variants of isis, they provided us a texture to the threat that we just did not have. i think on the cybersecurity piece, this was the second thing, that localized understanding of the threat that we did not have. the third piece is that there is strength in numbers, so when you are looking at an adversary, in the terms of trying to impact them or whether it is ransomware, always better to have more than less partners. there is strength in numbers. raj: thank you. there are a couple of other questions about the theme of partnerships, and maybe i will boil it down to one question, if there is one thing you could ask for from the private sector, one way they could --with the
2:23 am
government, what would be the one thing you want to make sure a lot of the private sector would take away? gen. nakasone: the tremendous partnerships that we need to develop with the collaboration center, jc d.c. for other major elements working in the private sector, this outreach to organizations like that, that is what is going to give us strength, what is going to have impact, where we went to be able to get to scope and scale. if i might, in terms of our defense industrial base, we have tens of thousands of members of the base and being able to get to scope and scale is being able to work with key partners that have the ability to have so many. we want that same ability, and i am sure that jen feels the same way. the major partners being able to have those partners work with
2:24 am
others, that is the critical piece that i think gets us to success. raj: having spoken with you and chris and jen over the last couple of weeks, to my mind, there is a shift from information sharing to more operationally oriented collaboration, whatever that may mean. is that a fair way to think about it? is that a concerted effort among these partners to try to move forward from the old school days of just information sharing? gen. nakasone: i don't think --we are not going to information share out of the problems that we see today. we have to think innovatively. one of the things that we might be able to provide, whether or not it is being able to do
2:25 am
scanning against a series of partners, or whether or not there are other pilots that might be able to identify malware, or what we might be able to do in terms of domain name services, and ensure they are not impacted, these are all services that we have seen other foreign partners and allies do that have been able to be effective. i think moving from awareness to action, that is the key piece that we want to be at. raj: thank you. we are very mindful of your time so i went to close with one last question, which is cybersecurity is often a lot of doom and gloom. mere perspective, are you optimistic, and what is the best possibility about having some positive news in the future, maybe not tomorrow or the next day, but in the future in the cybersecurity space? gen. nakasone: i see a couple of things.
2:26 am
i see a definite momentum. you talked about an inflection point earlier my think there is an inflection point, not only the fact that we have awareness that we have action that is taking place. leadership, a focus on being able to outreach into the private sector. we have had successes in election security and ransomware, all good indicators that we moved from awareness to action. i think action, while it has not been perhaps as robust as all of us would like, it is momentum that i find heartening, and i think the last piece is that when i leave the store here and i walk outside and walk back to my office, i will pass a number of different offices that people are committed in working on a friday afternoon to be able to get to success. that is the spirit of what is being done here at nsa and cyber
2:27 am
command. i am sure it is shared in other places in our government. i really do look forward to the future. raj: that is a positive note to close on. given everything you have on your plate, we cannot thank you enough. a huge thank you, and i will turn the floor to you. gen. nakasone: thank you. i think this has been a great opportunity to have a discussion with someone that i have worked with and have eight tremendous amount of respect for. as we get ready to end cybersecurity awareness month, one of my great hopes for the future is that cybersecurity awareness becomes cybersecurity action. that is the key piece that we as a nation are moving towards and i look forward to having that discussion in the future. thank you.
2:28 am
raj: thank you thank you thank you, sir.


info Stream Only

Uploaded by TV Archive on