The Evolution of Cybersecurity from 1980 to Today w/ Former CIA Executive Mark Kelton - Ep. 15
Since the early beginnings of the internet in the 1980's, viruses and malware attacks have become far more aggressive. As a result, cybersecurity has had to greatly (and quickly) evolve to keep up with new and emerging threats. This week former CIA Executive Mark Kelton joins the podcast to discuss the differences between the 1980s-1990s and today as it relates to espionage, cyber, the adversaries, etc.
Back from our holiday break
Arika Pierce: Hi, and welcome back to To The Point Cybersecurity. This is your host, Arika appears along with my cohost, Eric Trexler. How you doing, Eric?
Eric Trexler: Doing great, Arika. I'm excited about this one.
Arika Pierce: Yeah, no, I'm excited too. And also excited, we took a little bit of a holiday break from the podcast, so we're excited to be back in the new year and with some new topics. So, Eric, why don't you tell our listeners about our guest today? This is a good one.
Introducing Mark Kelton, a 34 year veteran of the CIA
Eric Trexler: Yeah. So let me tell you why I'm excited. We have Mark Kelton joining us today, a 34 year veteran of the CIA, counter intelligence. His last assignment was directing the CIA's counterintelligence and counter espionage program. So, a lot of times we talk about insider threat, we talk about the evolution of the insider espionage nation state activity. Mark has lived this the majority of his life. So welcome, Mark.
Mark Kelton: Yeah. I'm pleased used to be here. Thank you very much.
A brief history of American counterintelligence
Eric Trexler: No problem. And I also understand you're in, you're an assistant professor at Georgetown University, correct?
Mark Kelton: That's correct. I teach a course in the graduate school encounter intelligence. It's actually the history of American counterintelligence.
Arika Pierce: Oh wow.
Eric Trexler: So where does that start? Revolutionary War or before?
Mark Kelton: Revolutionary war. Before the Revolutionary War, actually when you want to talk about the genesis of it, of course was in the British tradition before the war, but it really begins with American counter intelligence, the Revolutionary War.
Eric Trexler: And we all know about Benedict Arnold, but the Brits, they were pretty strong in this area from what I know.
Mark Kelton: Well, they had a much greater capability than the United States did. The United States was an emerging nation. Obviously, the British had an established capability. The United States was focused principally on defending itself than on gathering tactical intelligence on the British.
The CIA in the 1980s
Eric Trexler: Okay. And so you, you started with the CIA when, I can't do the math, forgive me.
Mark Kelton: 1981, 1981.
Eric Trexler: 1981, so really the middle of the Cold War.
Mark Kelton: Correct. Yeah. Yeah.
Eric Trexler: How, how did we as Americans evolve from several hundred years ago to the Cold War times?
Mark Kelton: And then the evolution of cybersecurity is great. You know, the United States really had no intelligence community, no formal intelligence community until the Second World War, and immediately thereafter the National Security Act of 1947. Prior to that, we basically stood up intelligence entities as we had wars and in between we let them wither away. So the profession of intelligence really begins in the 30s but really as codified in the National Security Act of 1947 that formed CIA.
Eric Trexler: And if we've been getting better ever since?
Arika Pierce: We hope so.
Mark Kelton: I like to think so. Yeah, I mean intelligence is a rough business, right? So you get some thing's right, some thing's wrong. I think the CIA and the intelligence community gets more right than it gets wrong. Uh, but there's a lot of hard lessons. It's a difficult craft.
The evolution of cybersecurity, espionage and counterintelligence
Eric Trexler: So as we look at the 80s and the 90s into the 2000s, from an evolution perspective, just looking at those decades, how has counterintelligence, how has espionage, the insider threat really evolved?
Mark Kelton: Well, you know, of course, the Cold War, there's all the classical espionage cases that people read about. If you read your history at all, you know, you read about Rudolf Abel. You read about Penkovsky, you read about the big cases, the people who were exchanged on the bridge of spies. You know, all that sort of stuff.
Eric Trexler: The Rosenbergs, right?
Mark Kelton: The Rosenbergs, right. The Rosenbergs, of course were, immediately after the war. They were part of the penetration of the Manhattan project, which was probably the greatest intelligence success and certainly the greatest counterintelligence failing in US history, when the Soviet stole the secret for the atomic bomb.
Mark Kelton: But the issue of evolution of espionage. I mean, people say there's nothing new in espionage, right? They say it's the second oldest profession with all of the merits of the first. And I like to think though that, you know, things do evolve. Basic principles don't change. So if you look at the history of espionage, you're asking the Cold War through the 90, 2000s.
How the cold war changed things
Mark Kelton: Of course the big change was the end of the Cold War. People thought that there would be an end perhaps to a nation states spying or at least a diminishment, and certainly to Russian spying or other adversaries as the United States turned itself in other directions. But in fact, much of this didn't go away, and intelligence itself adapted to new threats.
Mark Kelton: The United States moved from a posture of targeting principally the Soviets, although other Soviet related adversaries, the eastern Europeans and the like, to looking at myriad problems. And then of course, in the 2000s, we have the run up to 9/11, and then 9/11 itself. And then after that, you know, the war on terror, which was an intelligence problem in and of itself.
Mark Kelton: At the same time, of course, the 90s and early 2000s saw some of the big Cold War spy case come to an end in the United States through Ames and Anson cases, both being detected and rolled up. So, I guess that should have given the lesson to people that espionage was not ended. And as we see things that are happening today, it hasn't.
The physical limits of spying during the cold war
Arika Pierce: Okay. well, I'm curious. So, in terms of obviously it hasn't ended. So then, how has the response evolved or changed in your opinion?
Mark Kelton: Well, see in the old days, let me just talk a little bit about the threat. That's easiest to start with that, right? So if we're talking about nation states. Of course, there's all sorts of espionage, there's industrial espionage, there's all kinds of espionage that go on. And states have various sizes have different capabilities, but we talk about people that are targeting say a country like the United States. You have, you know, Russia, China, big, big countries with big capabilities.
Mark Kelton: In Cold War period, the amount of material, the amount of damage a spy could do was basically bounded by physical limits.
Eric Trexler: What I could carry?
Mark Kelton: Well, a spy like Ames, he had to carry out material, photograph material, copy material, what he could carry out in his hands, on his person, and then ultimately deliver to the people that he was working with. So there's a physical bounding of that. The, if you will, the amalgamation of data, the drawing together of data of the information age and putting it in databases that are accessible, of course, have also increased the target a value for those spying against us.
Limits have changed in our global information age
Mark Kelton: So, the damage that a single spy can do is much, much greater. You compare Ames with someone like Snowden, an imperfect example, though Snowden defected, and is certainly a trader, that the information that he took out was many times greater than the amount of information that Ames took out. Ames to killed people, of course, but Snowden took out information that was greatly damaging to the United States.
Mark Kelton: So, you know, a spy today, an insider spy, can do great damage in a very, very short period of time. Take something out on a thumb drive, exfiltrate something out over the internet or the like, and we see that both in government and in the private sector. A company can be destroyed in an afternoon.
Eric Trexler: So, when you marry that up with globalization, right, the advent of high speed, always on communications, incredibly quick transportation, I mean, we have Apple shipping phones via planes when they release.
Mark Kelton: Right.
Eric Trexler: Really you're talking about a major problem for the large economies of the world, or potentially.
The asymmetry of the USA vs other countries
Mark Kelton: Well, absolutely. And there's a couple of fundamental asymmetries, too, that one has to look at. If you're talking about state actors, the United States, there's a fundamental asymmetry between the United States and almost every other country in the world with regard to intelligence activities, and that being the United States has no mandate to collect industrial and trade secrets with the United States intelligence. Every other intelligence service in the world has that mandate.
Mark Kelton: So if you're a part of the national security sector, part of the economy of the United States, you have intellectual property, you have financial data, you can potentially be the target of a state actor. And that particularly for companies that that work overseas, it becomes a much greater problem.
The means and the speed have changed
Mark Kelton: Beyond that, of course, espionage, you're going to have a spot, but if the spot doesn't have somebody or something to deliver his information to, he really is irrelevant. So the issue then is, the means of communication and the rapidity of the communication. In the old days, if you had a guy like Ames, Ames would collect his information, he would have to go out and put up a piece of tape on a stop sign in downtown Washington and arrange to leave his material for his Soviet handler in a park in northern Virginia, which is effectively how we did it.
Mark Kelton: In the modern era, of course, you can have people that can transmit it rapidly over electronic communication, the Internet and the like and in a protected manner. Or they can just get on a plane with information, as Snowden did, and just leave the country and go out and meet somebody. So the modern technology is a double edged sword. It has given the United States, certainly post 9/11 when the United States, you know, the revolution and intelligence affairs, the ability of the United States to collect action and or process an action intelligence at unprecedented rates, gives us great advantages in the world. But the, again, the adversary is also not passive. The adversary also learns and adapts and uses the same technology and exploit it against us.
Eric Trexler: So we have the most to lose. We have the most information. We have the biggest problem. What do? Whether we're going against an insider who's stealing it, you know, PII for monetary gain, or we're going against a nation state who is trying to steal critical IP either from the government or from a business. What do you recommend? I mean, it sounds kind of dire.
Mark Kelton: Well, yeah. You see, the first thing of course is to say that, you know, insider threat programs are worked best when they're part of a comprehensive defensive strategy that includes also cyber defenses. If you're talking about most state actors, they're going to take what they can take. If they're going to target a company, an organization, a government agency, they're going to take what they can take it in the cyber arena because it entails less work for them, right, and if they can do it in a manner that doesn't expose their activity.
Mark Kelton: That being said, if they can't get what they want from strict cyber attack, they will find other ways, which is to recruit insiders to find insiders who will parlay information. So the question then becomes, how do you deal with and detect insider threat? So, people tend many times to lump insider threaten into either cyber or security problems. It's really neither, but both of those capabilities are needed to defend against insider threat.
Mark Kelton: Insider threat is really a problem of people and the role of human behavior. Understanding human behavior, analyzing it, and addressing the challenges that human behavior might pose. So, you've got all sorts of types of insider threat that you're looking for. You're looking for espionage, classified and unclassified, intellectual property theft, industrial sabotage, fraud and abuse. And then finally, a big one that's come out over the last few years is workplace safety, right? Workplace violence, and workplace violence means not only of course the safety of the employees from a insider, but the safety of that insider itself, anytime somebody who's going off the rails and needs psychological help, so sometimes programs help to detect those people before they have a problem.
Monitoring outside the workplace
Arika Pierce: I'm just thinking about the need to monitor human behavior and so the notion of that continuous evaluation. So, I know we see a lot of especially risk adverse organizations, now monitoring not just what's happening inside the workplace, but also what's happening outside as well. Social media and other public records, things like that.
Eric Trexler: But do we? I mean Mark, how are we doing?
Mark Kelton: Well, it depends on what we say we is. The US government of course, as you know, with the continuous evaluation program which has been talked about quite a bit, and that is essentially an effort to draw on more databases to have a look at what employees are doing both inside and outside the workplace, to pull that data together and to look at, to analyze an employee's behavior, and try to detect someone before they act, before they go off the rails.
Predictive analytics, which is always the holy grail is the challenge there. Right? But you try to pull together data that tells you about Jane. Jane just had a drunk driving arrest. Jane has gone, declared bankruptcy, and she's coming into work late all the time, and then she's trying to access databases she shouldn't access. Those sorts of things pile up and they say maybe Jane has a problem maybe.
Shifting employee monitoring to be non-punitive
Mark Kelton: And then, the question is how do you deal with that? In my experience, it's always best to have a program that is not punitive in nature. So if you detect a problem, as long as it's not outright theft, but a problem, a challenge for Jane: drinking, financial problem, you try to help Jane, right? And try to get in front of that and help her before things get bad.
Mark Kelton: You do that for two reasons. A, on the merits, because you got an employee who is in crisis.
Eric Trexler: Right, it's the right thing to do.
Mark Kelton: Yeah. And B, because it sends a good message to the rest of the workforce. What you don't want is a punitive program, right, where people feel afraid to come forward and say, "I think my fellow employees having a crisis and maybe somebody should do something about it." You really don't want that kind of atmosphere.
Mark Kelton: Because most espionage cases, the government has studied quite a lot of espionage cases, and I've unfortunately read most of them. If you look at those cases, and the history of them, after the fact, when people walk into the offices of where those people were working, those spies almost always you get people who say,
"Well, I knew something was wrong, but I really didn't want to say something because it might embarrass or it might upset him. It might put them in a bad light within with management or whatever it might be."
There's almost always that case. So, that gets to the point of trying to establish an atmosphere with your program that is as trusting as you can make it. And secondly, the focus should always, always be on deterrence. Always on deterrence and the first instance, because if you get in the business of just detecting, you're going to be detecting forever.
Mark Kelton: So what do you do with deterrence? Deterrence is education, of course, education and training, but it's also messaging from leadership, messaging from the C-suite, messaging from the agency leadership to say that this is why we have this program. This is why it exists. It exists to protect you, to protect your fellow employees, to protect your jobs, protect the intellectual property of this company, to protect the classified information of this agency, whatever the case might be, and to explain why a program exists and not try to hide it.
Mark Kelton: This is where you get into that. I was going to go back to it on the continuous evaluation where you get into one of the main challenges is culture. And so in many companies, you get leadership that doesn't want to quote spy on their employees. My response to that is then don't spy on employees.
Mark Kelton: Tell them what you're doing, you're monitoring activities in order to protect them. Right? So, I think it just, if you mount a program and don't tell the employees anything about it, that's going to be seen by some people as spying. And maybe even after you explain it, some people will see it as spying, but in fact, you have to do right by the majority of the people in the company and by your employees, and under current threat environment, if you have valuable intellectual property, industrial secrets, classified information you are a target.
Eric Trexler: Well, and I think we have a responsibility to the shareholders or to the US people.
Mark Kelton: Oh, absolutely.
Eric Trexler: You know, if you're in a foreign government, whatever your country is, to do that.
National security and the economy are linked
Mark Kelton: Well, I like to say that you know, the CIA, and DOD, and all the rest, they execute national security, but national security is built by the US economy, right? So the strength and the basis of the United States, whether it's in the defense sector, the intelligence sector or writ large, finance is based upon the strength of the US economy. So, people aught not to forget that, and when they think about national security issues, they're not just confined to what CIA is doing, or what DOD is doing, or what the government is doing. It also plays into the industrial and economic strength of the country and the wellbeing of the people. That's why government agencies exist.
Eric Trexler: How many organizations follow your guidance and actually promote helping their employees and do the right thing?
Mark Kelton: Well, you know, I don't know how you quantify that. I think people are increasingly coming around to the realization, though, given the events of today, that they really don't have a choice but to look at the threat holistically and say that the United States, particularly the US government, but also US companies are being targeted comprehensively.
Mark Kelton: There wasn't a day that went by in my past job and my last job at CIA that I didn't see this. And I think that CIA today is reaching out itself, and so the intelligence community, I know certainly the DNI is, to try to make the case to industry and all kinds of venues that they must pay attention not only to cyber security, but also to insider threat, which is a growing challenge for the United States.
Arika Pierce: Well, I know we have a lot of government listeners, so we hope that they have heard your advice and they will execute it going forward.
Mark Kelton: I'm sure they are. I'm sure they are.
Eric Trexler: They should take your course.
Arika Pierce: Yes, yeah. There you go.
Eric Trexler: I feel like I want to audit it.
Arika Pierce: That's a great idea.
Mark Kelton: Most complimentary. Thank you.
Arika Pierce: Well, thank you Mark. That's all we have time for this week.
Eric Trexler: I'm out of time already, Arika?
Arika Pierce: Yeah, out of time already. You know we keep it to the point.
Mark Kelton: All right. Okay.
Eric Trexler: What a great start to 2019 now. What a great podcast. Mark, this has been very fascinating.
Mark Kelton: All right. Thank you very much. Thank you, and look forward to speaking to you again in the future.
Arika Pierce: Thanks. Thanks Mark. And thanks to all our listeners out there for checking in with us in 2019. We had some great guests coming up, so we're excited to continue down this journey and please subscribe to the podcast, give us a comment, let us know that you're listening and let us know what you want to hear us talk about. So until next week, we'll talk to you later.