
Frank Cilluffo

Director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, Frank Cilluffo frequently advises senior decision-makers in the US government and various international organizations on cybersecurity policy and strategy. In our two-part interview with Mr. Cilluffo, he paints a vivid portrait of the cybersecurity threats that the country and private sector are currently facing, and what can (and can’t) be done about it.

This is the second part of a two-part interview with Frank Cilluffo. Read the first part here.

Let’s get specific about some of these threats. You’ve said before that these “threat actors” exist on a spectrum of capability, and you put nation-states at the highest end of that spectrum. Let’s start with Russia. Most Americans by now know something about the Russians’ role in the 2016 election, but what else have they been up to that might surprise the average American?

I mean, Russia was arguably the first country to use cyber means against another state in an aggressive, offensive way, and that was against Estonia in 2007 [when several Estonian organizations, including parliament, banks, ministries and media outlets, were disrupted]. They also used cyber in the run-up to their conflict with Georgia. And again in Crimea and Ukraine. In Ukraine a couple of years ago, Russia used cyber means to actually take down power, take down the grid in Ukraine. A threshold was crossed in that respect. They were able to demonstrate that a cyber event could have a real, physical, kinetic effect.

What makes the Russian threat unique?
I mean, they’ve been pretty active in the cyber arena. But not only in the way we think of as cyber. We tend to mirror-image and think everyone treats it the same way we do. This is no surprise, given all the news surrounding the Mueller Report and so many others, but they’ve also been using cyber from a disinformation campaign perspective for a long time. Their definition of cyber is actually more of what we would historically have called “information warfare,” and cyber is just an enabler for their broader perception-management campaign.

Right, the social media trolling -- yet another thing to fit under that big “cybersecurity” umbrella.
Yes. And I mean, they’ve had deep math, science and technical capabilities for many years. Another difference is that it’s not only run by their ministers of defense but also their internal security services. So it may be a little different than evaluating it [alongside] our own Cyber Command, which is very much a military instrument used in accordance with military strategy, doctrine and the like. And they’re home to arguably the most active and sophisticated criminals as well. And they have had a proclivity to even lean on some of those folks to do Mother Russia’s bidding.

It sounds like it gets pretty murky in terms of where the threat is coming from.
Who is the puppet and who is the master is not always immediately clear. It’s sort of this toxic blend of crime, business and politics. The reality is that some countries turn to proxies to do their bidding, partly to confuse the target as to who the perpetrator in fact is, and in other cases to just enhance some of their capacity and capability. And so it’s a multipronged issue. I think that Russia crossed a Rubicon, to one extent or another, with the grid attacks [in Ukraine]. It demonstrated their capability. And the truth is that I’m not sure that the target audience was just the Ukrainians. I think it was others as well, watching and observing. Including the United States. So from a capability standpoint, they would clearly be defined as a peer nation, meaning highly sophisticated, highly capable.

Compare that to what China has been up to.
Just read any newspaper of late, or any indictment of late. The Chinese have been incredibly active in stealing intellectual property as well as political and military and economic secrets from the United States. They’ve had very little constraint to use cyber to achieve their espionage objectives. I use an example often where I say Russia uses Ukraine as their practice field to refine their tactics, tools and techniques that can come soon to a theater near you. Iran looks to UAE and Saudi Arabia to refine their tools and then take them to the United States potentially. North Korea uses South Korea and Japan as their practice fields. But China kind of looks to everyone as their practice field. Or maybe they don’t have practice fields, but just take it wherever they need to. And it’s a numbers game for them. They’ve just got a lot of people engaged.

And then you’ve got the other two big actors in this realm, Iran and North Korea.
Right. With North Korea, you know, traditionally organized crime tries to penetrate the state and influence the levers of power. In North Korea’s case, it’s almost the inverse. You’ve got a nation-state trying to penetrate organized crime. I refer to them as a state sponsor of crime, because that’s basically how they’ve been raising money. And so we’ve seen state-sponsored cyber crime, theft of intellectual property and the like. And obviously they turn to disruptive attacks like the Sony example [a malware attack and data breach against Sony Pictures] and others.

How do those two countries measure up in terms of cyber capability?
Iran and North Korea are not at the level of, say, Russia and China. But that shouldn’t make us rest on our laurels because what they may lack in capability, they make up for with intent. They’re less constrained to use cyber to meet their objectives. Even less constrained than Russia or China.

And where does the U.S. fit in here with regard to capability? Like, if this were a traditional arms race, would we be winning?
When you think “cyber” and capabilities, you can’t neatly organize it the way you could by counting ICBMs and submarines and tanks and everything else. But arguably we have the greatest capabilities from a cyber perspective. I think it’s fair to say we’re at the very top of the list, with a handful of peers. I think we’re much more constrained in how we use cyber, though, and to a large extent, that’s good. But you’ve got a lot of other actors who don’t necessarily adhere to the same legal structures as well as strategic intentions and objectives. Some countries are less constrained to use cyber to meet their objectives.

Still, out in front is a good place to be.
But we can’t be arrogant and assume that will always be the case. Because when you start looking out to the future, space, quantum, parallel processing, artificial intelligence, adversarial AI, these may seem like discrete areas, but collectively we’re not out in front in every category right now. And I think investing in our research and R&D capabilities is absolutely critical. When you look at issues that could be real game-changers, like quantum or hypersonic weapons, I think some could even argue [that we’re lagging]. So that’s a longwinded way of saying I think we’ve got some of the most sophisticated capabilities. But I believe we still lack a strategic framework for exactly how and when we’ll use cyber to achieve our objectives.

On that point, in 2010, the press reported that a computer virus called the Stuxnet worm had infected some of the computers in Iran’s nuclear reactors and had disrupted its nuclear program. That attack is generally considered to have been a joint U.S.-Israeli effort. What are your thoughts on the U.S. taking offensive actions in the cyber realm?
You know, I think there are some very unique dimensions that transcend cyber as a discipline here. And I’m not suggesting that we always need to be thinking offensively. But the stark reality is that we’re never going to firewall our way out of this problem alone. And by that, I mean that the initiative continues to remain with the attacker. And to a large extent, the bad actors have been running without any real consequences for their bad behavior. So until you can start issuing cost and consequence, you’re never going to see changes in behavior, if you want to induce changes in behavior. So at this stage, until we can build up our toolkits in such a way that you can start levying greater cost for some of the bad cyberactivity, it’s going to continue to run rampant. Take the meddling example. It’s not just about Russia. It’s everyone else who’s watching, learning and observing as to how we respond. And we need to flip that equation a little bit. Right now, the initiative is on the offensive side. And I feel from a national security imperative, we shouldn’t shy away from our own capabilities. I mean, I don’t want a bunch of cowboys shooting randomly at bad actors. But just like any other domain, you’ve got to be able to demonstrate your capabilities.

Speaking of bad actors, North Korea has used cyber to rob banks, hasn’t it?
Yes. They’ve also been behind a number of bitcoin heists, so not only traditional financial services and the like. I mean, there was a massive case, now it’s four years ago, where they were able to commit theft on the Central Bank of Bangladesh. I can’t remember the exact figure, but they attempted to get $900 million and weren’t able to do that, honestly because of a stupid spelling mistake. But the big takeaway on that particular hack was not the theft, which was significant, but rather how it was perpetrated. They were able to demonstrate the vulnerability in our SWIFT system. With SWIFT, you’ve got a whole lot of money, and it’s the clearing house for all the world’s central banks. That’s genuinely what one would call a single-point failure. If we lost trust in SWIFT, we’d have a huge run on our confidence in the economy, which is highly significant should that occur.

Do you think the intent there was just to get their hands on some money, or was it to make that threat felt?
I think it was honestly to make money. In this case, I think it was to make money. But the bigger takeaway, in my eyes, is the [question of] how they were able to compromise credentials in SWIFT. Our financial markets are largely dependent upon confidence in SWIFT. To me, when people talk cyber, I’m less worried about the big cyber event. People use “Cyber Pearl Harbor” or “Cyber 9/11.” That’s not to say that it’s impossible, but I think that doesn’t help with grappling and trying to understand these challenges. I’m more worried about loss of confidence. You don’t need a massive event, if you have death by lots of paper cuts and you start losing confidence in the systems. An erosion of trust or confidence is the biggest concern on my end. And you don’t need to be a massive cyber power to incur that cost.

And that point applies to the election meddling, right? I mean, the real point is not whether or not Russia put Donald Trump in office.
That’s what it was all about. You’re absolutely right. I honestly don’t think any votes were changed. At all. There is nothing to suggest that. But it’s the confidence that we have in our electoral system and process. That’s exactly right. And you can make the same case with the economy and the financial services sector.

How would you assess the vulnerability or preparedness of our financial services sector?
The financial services sector is probably the most prepared of our critical infrastructures, of our lifeline sectors. I’d put the banks at the very, very top of the list. They’re spending tons of money, not just out of their good hearts, but because they need to. They see it as a cost of doing business. And also a responsibility to their shareholders and to their customers and to their clients and to their employees. I’d say that the financial services sector is at the very top of the list of the sectors actually spending the money, taking the time and trying to get their arms around this. I mean, even with as much as they spend, as we know, there have been incidents in that sector as well. So this is all about managing risk. They’ll never remove the threat. There’s no winning here. There’s staying ahead and ultimately minimizing the consequences should an event occur and ensuring that events that do occur don’t affect the most important jewels of the company.

A lot of our readers will be pleased to learn that financial services is the leader of the pack.
Well, outside of maybe nuclear. But that’s unique. Energy is probably catching up, but they still have a bit of a ways to go. Transportation has a long way to go. Agriculture. All of them are much earlier on in their cyber readiness.

It’s interesting just to even hear you say the word “agriculture.” That was a blind spot for me until you said it, but, yeah, that seems like a vulnerability. What a nightmare, trying to track all this stuff and make it your problem.
Yeah, that is true. You can go on and on forever if you look at it from a vulnerability perspective. But the reality is that if everything’s critical, nothing’s critical. Let’s at least focus initially on the greatest risks to our economy, to our national security and our public safety.

Let’s talk a little bit more about financial services, since many of our readers will be in that sector. How should people in banking and finance be thinking about cyber? Is there still a paradigm shift that they need to experience?
You know, my view is that this is a governance issue, too. So, how the C suite appreciates risk. I think that now, every board of directors will have a briefing that covers some of the cybersecurity risks. Five years ago, that was not the case. But at the end of the day, the financial services sector had to grapple with a whole host of different risk matters. And rather than get caught up in the black arts, the deep tech side of cyber, [they should] try to appreciate it and recognize it and understand it as you would any other risk to the fidelity and the success of your company. So, it’s a risk matter. And it’s a communications issue, both internal and external. I mean, CEOs have been losing their jobs, and not necessarily because the cybersecurity was bad. It’s how the executives communicated that risk publicly to media, shareholders, regulators and the like. So I think that this comes back to the point that cybersecurity is everyone’s business. What you do need is to enable and empower those that are doing the hard work for some of these firms, and for the senior executives to appreciate it as they would another risk and not treat it as a black magic but the way they would any of the other challenges facing their company. And you need the workforce as a whole to recognize that we keep building [more and more] new toys, and that expands the attack surface, which brings about new vulnerabilities into one’s company. So you need them to start becoming more cyber-savvy and more cyber-aware.

Earlier in the conversation, you talked about the problem of silos in trying to solve some of these problems, particularly in government. Do you see the same issue in the private sector and particularly in financial services?
When I helped set up one of the first Executive MBAs with a focus in cybersecurity, my tagline was that “beep and squeak need to meet talk and squawk.” So I’d have a bunch of cyber folks who had sort of never spoken beyond their peers. They spoke to the tribe of others in their community. But they’re suddenly getting elevated and running P&Ls because their issues have become so important in the company. But they don’t fully understand how a business runs. They needed the ability to understand a number of the other management functions from a business perspective. And then the flipside is that you have executives who knew that cyber matters, but they didn’t know exactly where to start prioritizing some of their efforts. And my message to them would be, “Spend some time with your CSO, spend some time in terms of understanding the adversary.” There’s a lot of self-learning here. But then also once they sort of get a sense of the landscape, it’s not to try to become the CSO, it’s rather to see how cyber issues fit into the broader enterprise and organization or risk management structure. This may sound self-serving, but one thing I would suggest is that all boards of directors, if they don’t have a cyber or a risk committee, at least need a director who is at least cyber-savvy, knows who to call, knows how to make sense of events, to ensure that they’re doing their oversight in the way they ought to.

You’ve talked about financial services being ahead of the curve. Does it have any inherent weak points?
I do think that, especially if you take fintech out of the equation and look at the boards of directors of the big financial institutions, they tend to be a little older than the average age and not all of them are the most cyber-aware types of folks. So I do think that, from a governance standpoint, having a risk committee -- or cyber-risk committee, in an ideal situation -- focused on all those matters, is a step in the right direction.

Since we’re talking about such critical infrastructure as banking and financial services, do you think there should be a regulatory component to establishing cybersecurity protections?
I’m not a huge fan of regulation in this domain, because technology outruns the ability to regulate it. And by and large, regulatory approaches create a check-the-box mentality: “It’s not my problem when I’ve done A, B and C.” And I’m not suggesting that there should be zero regulation. There probably ought to be. But the flipside is that I think that there’s some private-sector commercially driven initiatives that can be just as effective going forward, and arguably much more so as they gain traction.

What’s an example of that?
The other sector that has not fully figured out where they fit in in all this is the insurance sector and reinsurance sector. Part of it is because the actuarial data is hard to come by because it’s not a good story to tell. You can kind of map out natural disasters of a similar sort, map that out over years and try to get to a point where you can have some empirically based evidence on likelihood, consequences, and so on. But I do think the insurance sector can play a major role in at least raising all boats. I mean, I don’t think the way to think about cyber is to remove or avoid all risk. It’s to manage it. It’s to have a better sense of what you can do. And so with the insurance sector historically, you would get write-downs, or you can get certain insurance only if you meet certain criteria. So it would in essence raise the bar as a whole from what good practice would be. That Good Housekeeping seal of approval kind of equivalent. And there are fits and spurts of insurance companies jumping into the cyber space, but it really hasn’t gained the traction that I think many of us would like. To me, what the insurance sector can do is it can reward good behavior, raise bars for everyone, and obviously also penalize bad behavior: “If you’re not doing X, don’t expect Y when something bad happens.” There are real conversations between those two communities that work so well in other environments, so we ought to make sure that the cyber discussion is at the top of that list, as well.

***

Frank J. Cilluffo is the director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. Prior to that, he served in the Office of Homeland Security as a principal advisor to Director Tom Ridge. At George Washington University, Cilluffo established the Center for Cyber and Homeland Security and launched the university’s World Executive MBA in Cybersecurity program. He continues to serve as a member of the Department of Homeland Security’s Advisory Council, and routinely advises senior officials in the executive branch and the armed services on national and homeland security strategy and policy. Cilluffo works with U.S. allies and organizations such as NATO and Europol and has published extensively in academic, law, business and policy journals, as well as magazines and newspapers worldwide. He currently serves on the editorial advisory board for Military and Strategic Affairs, and previously served as an on-air consultant for CBS News.


Copyright 2018 74&WEST LLC All Rights Reserved.