[02:15] Cyberattack Response at a New Level
Rachael: Joining us today is Dr. Samantha Ravich. She's the chairman of the Foundation for Defense of Democracy Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab. She is also the principal instigator on the Foundation Cyber Enabled Economic Warfare Project. I want to mention that she's the author of the book 'Marketization and Democracy: East Asian Experiences' published in January 2000. According to one reviewer, it has carried the analysis of the relationship between economic progress and democracy to a new level.
Samantha: It's a pleasure to be here.
Eric: Did you say principal instigator?
Samantha: I like that. I’m the principal instigator as people that know me will assert.
Eric: I think she was thinking of me though, as I shot out a very large chandelier. You should have seen it, Dr. Ravich. The t-shirt just took off and went up instead of straight and right into the glass chandelier. It was perfect timing. Anyway, principal instigator, we can go with that.
Rachael: Sam, I'm fascinated by your book. I know it was a little bit ago, but it's like a required reading for graduate level students in many universities.
Samantha: It is. We were talking 21 years ago when it was published. The core thesis, which was my dissertation a few years prior, was that as countries marketized, meaning they own the capital, they own the reason that they're making money, they want more of a say in their government. Basically it's no taxation without representation taken to a big level, but we're going to talk about cyber and cyber security.
Economics and Democracy
Samantha: My work has evolved since 2000, whereas 2000, it was on economics and democracy. Each one of those things is being undermined by adversaries using cyber means. Where my thesis was, once you have greater ownership over economic means, you want a voice in your government. Well, what happens when the adversary is both undermining those economic means as well as the democracy? It would not be the same book if I were writing it now.
Eric: Now one might argue, and I don't think I fit in this camp, that because of social media and the growth of technology, we actually have easier communication to spread the democratic concepts and give people more of a voice within the country. I'm not talking about nation states speaking on our behalf. Well, maybe I am right. Maybe that's part of it because they are skewing public perception within the company and the country more easily also. What do you think about that?
Samantha: I think it's a race between being able to give people the means to communicate. The means to understand and see what is occurring in the world, how to get their voices heard, and how to reach Congress. Before you either had to show up at a member's office or write a letter or pick up the phone. Now you can log either congratulations or your complaint, mostly, probably, the complaint on their website. Then they can count how many of the constituents think one way or the other. Opening that kind of communication pathway can be fantastic for democracy, but democracy isn't free for all. It's not a cacophony.
A Real Issue in the Cyberattack Response
Samantha: So, both in terms of just the sheer noise, getting the signal through the noise is a real issue in expanding information and communication. But then you have the adversary and others that just want to cause harm. They’re subverting and manipulating all of both the platforms to convey a message and the message themselves. It's a very crowded space and I think the race is on. Not to be too dorky and wonky, but the cause-benefit analysis of this expansion is not yet tallied.
Eric: I think it's one of the greatest risks we have to our democracy. We'll see over time just the ability for other nation states to reach into, in this case, the United States of America. But really, most countries change the narrative or at least impact the narrative.
Samantha: Well, we see it happening in real-time with Russia, trying to change the narrative on Ukraine, and of course, China. My think tank back in 2018 released a report on cyber-enabled economic warfare, which we can get to more in-depth. It looks at how adversaries use cyber means to undermine key components of an economy in order to weaken that country politically, diplomatically, and strategically. Think about it. If you can't get money from the ATM, the bank is down, the power is down, and the water is down.
Now, a country needs to have some overseas contingency, and needs to do something on Taiwan or on Ukraine. The people of, let's say the United States, would say, we're a little bit busy right now. We can't get money out of our ATMs. The power is off and we can't get our water using cyber means against economic components.
Information and Communication Technologies
Samantha: All those things in the private sector can constrain the choices of a government, the same with information and communication technologies. When we wrote this report in 2018, we looked at Russia, China, North Korea, and Iran. We're coming out with a new version within the next few months, and we're going to look at an update.
On the China side, and others as well, but particularly on the China side, there's been a real noticeable uptick in going after information and communication technologies. Why? Both to gather data, to be able to control the narrative by manipulating it or controlling the narrative because you can't get your narrative out. If you want to go on Chinese government or influence networks and they don't like your narrative, it's not getting out there.
Eric: It's interesting it's the same four players. That has been pretty constant.
Samantha: You mean China, Russia and North Korea, Iran, the four big ones. Different capabilities and different things that they're going after and how they're going after them. Yes, they're the big four no doubt.
Eric: I was speaking with a friend last week and we were talking about Ukraine, lots happening. The podcast will probably come out in a couple of weeks, but as of now, Russia has not moved into Ukraine. As of now, I think the United States’ position is basically, if Russia does decide to advance into the Ukraine, we will focus more on sanctions than active conflict. I think it’s a roughly fair statement. But if we sanction Russian banks in the process, they really can't sanction the United States of America. They don't have that leverage. But there's nothing to stop them, and this is where the discussion, I felt, got real.
[09:49] Cyberattack Response on US Banks Attacks
Eric: I was arguing there's nothing to stop a cyberattack on US banks. That is their recourse and it's relatively easy. The concern I have is an escalation at that point.
Samantha: Why would it stop at banks? Or why would it start at banks? I mean, it could start at banks but you're absolutely right. It's going back to what we were talking about in terms of cyber-enabled economic warfare. The Russians have gas, nuclear weapons, and some other weaponry, but they know that our strength is our vulnerability. In the United States, we are only the strongest military in the world because we're the strongest economy in the world. It is our economic might that creates our innovation, our weaponry, the ability to gather and assess information and intelligence and then use it.
So go after the planks, the platform of our strength, which is our economy and you can strain, weaken and certainly demoralize the American people, which could be coming to a theater near you with what's going on in Ukraine. It is why the Cyber Solarium Commission, one of the key recommendations was for the administration to create a continuity of the economy plan. It’s similar to back in the Cold War and still exercising today, continuity of operations and continuity of government.
If the Soviets back then launched a major strike against the US, even including a nuclear strike, there were plans in place to reconstitute the government so that we could respond. That was a layer of deterrence, that was a plank of deterrence. The Soviets knew we had the capability to come back and impose costs.
Our Greatest Strength
Samantha: The Cyberspace Solarium Commission said, we need something like that in the economy since again, that is our greatest strength. Continuity of the economy planning helps think about what gets up and running first. How do you do it? We don't have one of them yet.
Eric: To your point, it's our greatest strength, but it's also our greatest weakness. It's the soft underbelly if you ask me. The countries you mentioned really aren't going to effectively sanction us, maybe China. But cyber-wise, certainly Russia and China have the ability to attack us and destabilize the economy at a minimum.
Samantha: We saw North Korea against South Korea starting 2012. Likewise, very similar, but they start to sow fear into another country by shutting off lights. It's hitting food and distribution supply chains. You're going to send your soldiers off to war when their family, their mothers, sisters, fathers, and brothers can't get baby food or can't withdraw money from an ATM where the power goes out.
It constrains options very quickly. Having a plan to reconstitute and what gets online first, the order of recovery is essential. It's astounding to know we don't have it, and not even the beginnings of that plan. It has been a year plus since it became legislation in the National Defense Authorization Act.
As far as we know, the Biden administration has not yet taken the steps that they need to take. The Congress required that in two years, the administration come back with the beginnings of a plan. A plan for a plan. It's going to take a lot of work. It was never that it was going to be finished in two years, but it was going to be started.
A Cyber Pandemic
Samantha: There was going to be a plan for a plan. We're a year plus in, and there is no indication that there is even a real beginning to affect that planning process.
Eric: Does that scare you, Rachael?
Rachael: I always struggle with these things. We talk about cyber pandemics. I think you wrote a byline earlier in the year, Sam, of looking at the next pandemic to be a cyber pandemic. We're always waiting for the next shoe to drop, but it seems like in the last few years, it's changing so quickly the geopolitical landscape and how to navigate that forward. It almost seems like you could create a plan last year and it's already out of date by the time you get to the next year. So, how do you create a plan for a plan when it's so dynamic and constantly shifting that you're never going to get ahead of it? I guess that's where I struggle.
Eric: Is it better to not have a plan then?
Rachael: No, that's not what I'm saying.
Eric: Plans are not outdated, we just don't have one.
Rachael: Well, there's that too, but it's so much of what we do. I think the government and a lot of times, you need a lot of people to be vested in this and to move it forward. You absolutely need a plan, but how do you create a plan that is forward-thinking enough to get ahead of things instead of continuously trying to catch up? I don't have the answer for that. But I think it's always such a fascinating story when it comes to cyber because there's no easy answer.
The Order of Priority in the Cyberattack Response
Samantha: I'll give you a small, quick pushback on where to at least start. There's 50 states, there's tens and thousands of localities, whatever, but there are certain critical ones. You could say New York for finance or whatever, oil and gas, okay fine. Then you start to narrow down these are the things upon which our economy really rests. All right. Now there's power, there's water, there's telecommunications. There's a limited number of resources. What's the order of priority to start to get them to flow quickly?
Now do those actors, Verizon or AT& T know which is the priority? Are they working in collaboration with the power and water in certain states and localities? I got your point, I agree with it, but there are definite ways to start this that will not change very quickly.
Eric: I was reading the 2021 Cyberspace Solarium Commission's annual report on implementation over the weekend in preparation for this meeting. Section five one talks about systemic important critical infrastructure. We know that in the US, there are 16 designated critical infrastructure sectors. They're trying to codify the concept of systemically important critical infrastructure. I'm going to assume, Samantha, waters probably in there, bankings.
There are a couple of things in there, but it's an orange or yellow status depending on your monitor color calibration and their intent, and its legislation proposed. We've identified there's a need, I think, but we really haven't done a whole lot to advance that. To really prioritize our areas of importance or weakness depending on how you look at it. But the Cyberspace Solarium Commission at least laid that framework. The plan for the plan, in my opinion, is an outstanding document.
[17:42] Things You Should Consider in Our Cyberattack Response
Eric: We haven't progressed very quickly against it, with the recommendations. But they did put what I considered to be a pretty good plan for the plan in place. Hey, these are the things you should consider. These are the things you should do. Samantha, I don't know if you agree or disagree with that.
Samantha: I completely agree. We haven't been able to get it through Congress yet. There was some pushback from frankly some of the sectors that haven't been regulated as much in the past. They got very concerned that this means there's going to be another layer of regulation. The sectors that have been regulated in the past know how to work with the government. In fact, one of our great commissioners, Tom Fanning, who's CEO of Southern Company was really the driving force behind SICI, Systemically Important Critical Infrastructure.
These are the things that need to still get across the line with the announcement of the retirement of the phenomenal Congressman Jim Langevin, as well as Congressman Katko. We're really losing a couple of people that know the cyber issue inside and out. We all need to make sure that there are folks that can take up the torch from these fantastic individuals that know the issue. These are folks that care about the issue and can work across the lines to get things done. The Solarium Commission has wrapped up as a .gov organization, but it has reconstituted as a .org. We are going to be focused on, so it's non-profit. It's funded by American philanthropies and philanthropists to continue the work of Solarium.
Disagreement on the Committee
Rachael: That needs to happen. It's amazing the work that's been done through the Cyber Solarium, I'm glad it's continuing.
Samantha: I also need to give it a shout out. If you didn't know who came to that commission appointed by a Democrat or appointed by a Republican, you would not know. It was for two years, and there were 50 meetings. 52-hour meetings with at least three members of Congress, every meeting. While there was some disagreement on the committee about how to get things done, it was nonpartisan, bipartisan, whatever you want to call it. It was really phenomenal.
Eric: Let's just hope we carry on the work. We advance against it and increase the velocity because we're not moving at the speed of their adversarial competitors. As I like to say in sales, you have X amount of time in the day, where are you spending your time? Because that's what you care about. Is it the right place? I don't know, but it certainly doesn't seem like we care enough about some of the topics in here. We're not moving fast enough is what I'm trying to say.
Rachael: What will it take? You've been on the frontline, Sam, for a really long time. You understand the landscaping very intimately. How can we start moving forward a little bit more with more speed? It's our adversaries, we call it malicious innovation. Innovating quite quickly, although they don't have a lot of the constraints that governments and others do. I feel like we figured a lot of things out though, too. I’d love your perspective there on how we get things pushed a little bit more forward quickly?
Creating a Cyberattack Response to Avoid Strategic Surprise
Samantha: There are a number of components on this. I mean, STEM, starting with perhaps, do we know enough about what the adversary is creating and planning to do? There's this phrase in the intelligence community to avoid strategic surprise. In fact, that's basically the main thing our US intelligence community is structured to do to help the government avoid strategic surprise. But in terms of cyber, do we know enough about what the plans and capabilities are of our major or adversaries on cyber, both on technology and on the will and means to launch a cyberattack? I would probably say no, that we don't.
Eric: Really, I would've said yes.
Samantha: Well I hope you're right.
Eric: We know what the targets are.
Samantha: I hope you're right, I hope I'm wrong.
Eric: Well, I don't know that being right helps. We know what the targets are, we know what we can do, we know that our, I guess we'll call them near-peer adversaries, at least China and Russia are pretty close to us. So we know we have a lot to lose.
Samantha: You think we know that? I don't think we know their explanatory ladder.
Eric: That I would agree on.
Samantha: I don’t think that we understand what would be the triggering point. Do they actually know what the rules of the road are, the lines they can cross.
Eric: No, because we haven't defined lines. This isn't mutually shared destruction where you can watch demonstration videos of nuclear weapons. You know exactly based on the kiloton of the weapon, the impact. This is something we've seen over and over. Now where we'll get out, you can't control it necessarily.
Eric: There can be unintended consequences well beyond what you wanted. Honestly, from my perspective, we haven't drawn clear lines, certainly in the United States to date. Those boundaries keep getting tested. I could see a situation with Ukraine where things get out of control and escalate very quickly.
Samantha: I think that that's absolutely right. I would say, that's one component, really understanding how strategic surprise could evolve and what we need to do about it. A second component is who's on the front line? We had just talked about this. I think the private sector is on the frontline as much as anything, but who is in the private sector? How can they defend themselves?
I saw that the Senate Homeland Security Committee just pushed forth bipartisan legislation to have SICI really help small, medium-size enterprises. Because when you're talking about lifeblood, if you're a small, medium-sized enterprise, how are you supposed to know what you're really supposed to do to protect yourself against a nation state actor? Okay, fine. Change your passwords.
You got to do things to not have your door wide open for the bad guys, but it's just too much. It's too difficult. How are we not having secure hardware and software and communications, and yet we all rely on this thing? It's nuts and it's too much.
Eric: Well, it's very decentralized. No one organization's really in charge.
Samantha: Some of the things we didn't get passed at the Cyber Solarium Commission because frankly, they were too hard. Do we need an underwriters lab for software? We didn't focus enough.
[25:25] Who’s Completely Vulnerable
Samantha: Looking back, I think that if we were starting now for Solarium, we'd focus much more on hardware and software supply chains, especially information and communication technology supply chains. I really feel the small and medium-size enterprises of this country. They're out there on their own, completely vulnerable with not a lot of help and assistance to protect themselves.
The information that they're getting to do this, do that, these things weren't created for them. The guidance is created for companies that have a chief information security officer and a chief technical officer, but most of our businesses don't have those things.
Eric: That includes water, sewer treatment facilities, power at the local level, regional level. They typically don't. I mean, Colonial Pipeline barely had capabilities. We saw the impact from them.
Samantha: They probably didn't have an excuse. But Admiral Mark Montgomery and I had a piece in the Washington post a couple of weeks ago, an op-ed on water and cyber. There are something like 77,000 water utilities around the country. A lot of them are small, and a lot of them 10 years ago said, oh yes, I can buy this internet of things. Or at that point, it was a connected device, and put it in. Then fire a couple of people and be able to check what's going on in the water utility from afar. Not thinking, oh, by the way that thing was made in China, it's completely vulnerable. I don't have the staff to download patches, and I wouldn't know what to do anyway. It's created a real vulnerability. You can live in the dark maybe, for a couple of days, but try living without water.
Eric: I think Ted Koppel wrote about that in his book, 'Lights Out.' I think he modeled the breakdown in Manhattan after two days of no water and sewer. People think about power, you don't think about water. You turn the faucet and it's on, you plug something in and you have power. What happens with two days when you have millions of people in a tight area without water? It's catastrophic.
Samantha: It is. There are things that can be done at different points for different parts of our population. I think those in more rural, semi-rural areas can become more hardened. Now, I live in a rural area. So maybe I'm doing it for myself, but they can become more hardened to not have to rely on the federal government or their state and locality if something happens. That's where we should also be focused, how to make, at the smallest level possible, resilient?
Whether it's the individual in a rural area, a locality, a state, how do you build resiliency at the smallest level so you can recover more quickly? If anything from Katrina on, you start to look at the federal government for help and assistance to get back up and running. You can be waiting quite a while.
Eric: I feel Katrina's a great example. I feel with natural disasters, with COVID, we've taken more rapid action. People may stockpile water or at least containers, or they meet by iodine tablets or a drop of bleach to help purify bleach. Not recommending any techniques here on the show, by the way. But even with COVID, we've seen action. Intel's now building a fab in Ohio. We're bringing more things back into the country because we had a massive event.
Cyberattack Response on Mutually Assured Destruction
Eric: But those physical events are almost akin to the nuclear era with MAD, mutually assured destruction, where one can tangibly see the impact. With cyber, I would argue the common citizen, pretty much anywhere in the world, doesn't understand the potential impact. It's not real, it's not tangible for them and they don't prepare for it. Fortunately, we do have natural disasters, pandemics, and things that somewhat better prepare us for events that could come about of a cyber nature.
Lack of water from cyberattack or lack of water from power going out because of a storm, same end result. It could be a lot worse if power starts to go out across the country. The US federal government FEMA will be rapidly overwhelmed. Maybe the scale is different, but the end result is similar.
Samantha: Yes, and quoting Tom Fanning, my co-commissioner, he was very intent on making sure that Southern Company had ways to go back to analog on certain of their systems. Again, how do you build serious resiliency?
What the government needs to do is not just teach its population and its businesses, but to show them the path for these products. This is how you can replicate systems, this is how you can make sure your data is stored away. Just in case you're taken down from any type of cyberattack or ransom attack, you can reconstitute because your data is held somewhere else to have water supplies. It's to build resiliency and not to think that the government's going to come riding in to save you.
What if There’s No Resiliency
Eric: I think we're used to it. Natural disaster, governors declare a state of emergency, FEMA comes in. We start helping everybody out and we get back online. I think the interconnectedness of the economic systems, I don't know Southern companies very well. I'm assuming they're power generation primarily.
Samantha: Grid operator, yes.
Eric: What if the transmission operators don't have resiliency? Now they're generating all this power and they can't do anything. What if they're running on natural gas and they can't get gas to their generation facilities? They're not generating power even though they did everything right.
Samantha: It’s the interconnectedness, and that goes to how do you build a continuity economy plan. What comes up first, because they‘re all going to be looking at the same couple of nodes. I ran this tabletop exercise a few years ago. We had representatives from the financial sector, Telecom, water, power, and gas.
The banker said, if everything goes down, we have to get online first because we're the banks. At which point the telecommunication said, yes. You won’t be able to get online unless we get online because you won’t be able to communicate.
Eric: Unless we have lines. There's no online without us.
Samantha: Exactly. The electricity company said yes, well try running a telecommunications company without power. The oil and gas said yes, at that point, 60% of our power was oil and gas. It showed that they're all going to be looking at the same in terms of dependencies. But we can work through this and at least have, for our most essential and critical functions in the most critical places in our country, the order of battle to recover.
[33:01] Cyberattack Response for National Security
Samantha: Not everyone's going to be happy. In fact, most people won't, but Verizon or AT & T needs to know in advance you know what? You have to get place A up in line before place B because for our national security, that's the most important. I believe it shouldn't be left to AT & T or Verizon or what else to make those decisions, that has to be decided beforehand. It has to be decided in conjunction with the other critical services so that it works in tandem to recover.
Eric: The last three, four minutes or so of the show here, how do we get there? Who's going to drive that? What's it going to take? Rachael's looking at me like Eric, give me some hope. Give me something. Don't just shoot out the chandelier and walk out of the building, is what Rachael's thinking right now.
Samantha: Well, the law on continuity of the economy, we didn't direct. We said to the White House, you pick. Pick the head of DHS, pick Chris Inglis' national cyber director to lead the interagency. They have yet to really say this is the way, this is who's going to lead it. But that's a start. I am a big fan of the states as laboratories. And so, I've been on a mission talking to governors, talking to certain districts down in Texas and Arizona and New Jersey.
You know what? Create your own continuity of the economy plan for states and local areas. Make sure you are as hardened as possible. Bring those plans to DHS. There'll be a number of different plans, we can see which one works, and exercise them.
Pushing It Down to the States and Localities
Samantha: I would again, push it down to states and localities to see how it can work at that level before just waiting to rely on a federal agency to do all the planning.
Eric: If you wait on the feds, I don't know that they'll ever be able to pull it together across all the 50 states and territories.
Samantha: It's different.
Eric: Like you mentioned, we have Chris Inglis, the National Cyber Director.
Samantha: He's fantastic.
Eric: Last I heard, their budget was 250K. I think they had 75 heads. There was no appropriation for them. Chris is pulling staff from SICI and elsewhere to the extent that he can and people will help out, but we haven't. It takes a long time to move the federal government. It's a very large steamship.
Samantha: Start at the state and locales. If you need to give them authorities or some money and test it out, there are certain joint bases, DoD bases, that have power, water, and telecom coming from outside the base. That's a great place to start, just start there. There are steps to take that are bite size, that don't make you want to put your head down and hide under the covers. Which okay, we want to do anyway, but there are certainly things that we can take and do.
Rachael: Can we wrap up a little optimism, Sam?
Eric: I think states and localities can take affirmative action on behalf of their constituents.
Rachael: I forget the law or whatever it is where you make these incremental changes. Over time, they add up to be very significant. I think sports teams embrace that thinking and I love these states taking the power for themselves, and sharing knowledge.
Rachael: I think one of the things that you'd also recently written is information sharing. It’s critical for folks to be able to respond in the right way. I think it's all heading in the right direction. Cyber's finally the top conversation that everyone seems to be having. I don't know if that's where you're seeing from where you sit Samantha, but that's my sense these days. The tide has finally turned to where this is a little bit more of an important national, international discussion.
Samantha: People are recognizing that for the cybersecurity field, we don't just need more engineers. The conversation is also broadening in terms of, we need visual artists. We need people that can actually talk to other people, and we need a diverse community. The tools that are being developed have to go to a diverse community and there is movement on that. That's hopeful as well.
Eric: We need to go faster. We are making great progress bringing people into the industry compared to where we were five years ago.
Rachael: Dr. Samantha Ravich, thank you for joining us. I learned so much in this conversation too. Do you have another book coming out? I would love to track any publications that you might have coming.
Samantha: At this point, two-page memos, op-eds, but there'll be a book there somewhere. Our new monograph on cyber-enabled economic warfare from the Foundation for Defense of Democracies should be coming out in the next couple of months.
Rachael: We look forward to that. Thanks to our listeners for joining us this weekend. Don't forget to smash the subscribe button. You’ll get a fresh episode, including this one, in your email inbox every Tuesday. Until next time, stay safe.
About Our Guest
Dr. Samantha Ravich
Dr. Samantha Ravich is the chairman of FDD’s Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab and the principal investigator on FDD’s Cyber-Enabled Economic Warfare project. She is also a senior advisor at FDD, serving on the advisory boards of FDD’s Center on Economic and Financial Power (CEFP) and Center on Military and Political Power (CMPP). Samantha serves as a commissioner on the congressionally mandated Cyberspace Solarium Commission and as a member of the U.S. Secret Service’s Cyber Investigation Advisory Board. Samantha served as deputy national security advisor for Vice President Cheney, focusing on Asian and Middle East Affairs as well as on counter-terrorism and counter-proliferation. Following her time at the White House, Samantha was the Republican co-chair of the congressionally mandated National Commission for Review of Research and Development Programs in the United States Intelligence Community. Most recently, she served as vice chair of the President’s Intelligence Advisory Board (PIAB) and co-chair of the Artificial Intelligence Working Group of the Secretary of Energy Advisory Board. She is advisor on cyber and geo-political threats and trends to numerous technology, manufacturing, and services companies; a managing partner of A2P, a social data analytics firm; and on the board of directors for International Game Technology (NYSE:IGT).
Her book, Marketization and Democracy: East Asian Experiences (Cambridge University Press) is used as a basic textbook in international economics, political science, and Asian studies college courses. Samantha is a member of the Council on Foreign Relations and advises the U.S. Intelligence Community and the Department of Defense. She is a frequent keynote speaker on: What Corporate Boards need to know about Cyber Security and Warfare; The Longer-Term Trends in International Security; and the Future of Intelligence Collection and Analysis. Samantha received her PhD in Policy Analysis from the RAND Graduate School and her MCP/BSE from the Wharton School at the University of Pennsylvania.