The Role of NSA in Cyber, With Dick Schaeffer - Part 2 - Ep. 61
Picking up where we left off, Former Senior Executive with the National Security Agency (NSA), Richard (Dick) Schaeffer discusses the role of NSA in the future of Cyber, what Cyber looks like in 2030 and Commercial vs. Government leadership in cyberspace. Quantum computing, 6G and more.
Episode Table of Contents
- [0:22] We Need to Do a Much Better Job
- [2:21] Leveraging the Strengths of the Government and the Industry
- [6:36] We Can't Predict the Technologies That Will Exist in 2020
- [10:31] Going Beyond Machine Learning
- About Our Guest
We Need to Do a Much Better Job
Arika: Hi and welcome back to To the Point Cybersecurity. So we're going to pick back up where we left off last week with our interview with Dick Schaeffer. If you haven't listened to last week's episode, go back, listen to that episode and then re-join us this week for part two.
Arika: We're entering into a new decade. If you had to jump, I would say even a decade further, it's 2030. What do you see happening then in terms of how we're better managing these types of threats? What are your thoughts there?
Richard: So I think I'm going to use the word collaboration.
Richard: Collaborate, collaborate, collaborate. I use the term public-private partnership. And as the new cybersecurity directorate at NSA advertises the publishing or the making available threat information in real-time to government and industry organizations, critical infrastructure entities.
I think we've got to do a much, much better job at making real-time threat intelligence available with sufficient information in a timely way to make it useful for the private sector. Whether that's the Defense Industrial Base, whether that's a small company that's supporting NSA or some other part of the intelligence community or someone that's supporting critical infrastructure. Whether it's transportation, energy, finance, whatever it is. But the community has said for a long time, we provide threat information to the community.
Leveraging the Strengths of the Government and the Industry
Richard: DHS has been the primary purveyor of that information. I would say there was very little that the industry didn't already know by the time DHS informed them.
Eric: Yes, I'd agree with that myself. I saw that myself.
Richard: Whether that was the actual characteristics or artifacts of an attack vector or whether it was the fact that something was actually going on. I think the industry has deep capability in being able to detect those things. So as we look out to the future, I think there has to be a much stronger partnership between government and industry. Leveraging the strengths of both. I think there has to be a much more real-time nature to the information that's conveyed because by 2030, I think by 2025, people talk about 5G and what it's going to do, I'm looking ahead at 6G. I think by 2030 we've got the next generation of technology.
Richard: I think it's possible that we've got some successes in the world of quantum computing that puts at risk a lot of systems that are in place today. I think we've got a much more robust and a much more widely diverse adversarial threat environment, not just Nation States, but as I said earlier, the tools and techniques keep finding their way down to a lower level. So we've got a huge challenge ahead of us and I'm not necessarily seeing things in the research world, in the collaboration world. And I mean government and industry that is going to help us have a much harder, much more effective defensive environment in that timeframe.
Protecting Our Way of Life
Eric: You're not talking about just protecting our intellectual property. You're really talking about protecting our critical infrastructure systems, our government systems, our communications, everything, right? I mean that's what I'm hearing you say.
Richard: I'm talking about protecting our very way of life. I think we're in a very, very catastrophic point in history where the ability to disrupt is easier than it's been ever. Whether it's ransomware, whether it's a denial of service, you look at some of the statistics that say the majority of the activity on the web today are bots. So they're not real people communicating or are not real people sort of trying to access a website. It's a bot that is being controlled by someone. You can buy a bot for a nickel on the dark web. So if you want to do something either against an industrial competitor or a nation-state, it's pretty easy to mount the attack. All that's necessary is the will. It's not that expensive. So being highly resourced from a financial standpoint doesn't really come into play.
Richard: Having deep technical expertise isn't necessary. You can download the instructions so you can be sloppy and still be effective.
Eric: And even if you're not, you get to try again.
We Can't Predict the Technologies That Will Exist in 2020
Richard: And even if not, you get to try again. It's sort of like in the simulation, you get to continually hit the reset button until you get it right. And, unfortunately, all of us, whether it's a private citizen, whether it's a small company, large company or government, we all have to defend against that entire space. And the noise that's created by these activities mask the operations of the highly sophisticated, highly talented, highly resourced, highly capable adversary. We depend on it in the U.S. in our activities. Other nations rely on it as well in the conduct of their activities. So we're in a situation today where it's incredibly challenging and we can't predict the technologies that will exist in 2020, let alone 2030.
Richard: All we know is that things will get continually more sophisticated, with sophistication brings challenges in providing levels of security. So we've got a lot of work to do.
Eric: So what do we do?
Richard: Well, it's collaborate. We hide things under levels of classification that shouldn't be classified. We make it more difficult for players to participate because of clearances and security and I'm not saying we don't need the security, we absolutely do, but we do things in such a way that we make it difficult to share information on a real-time basis that can really have an effect. It's really actionable. I go back to in the early days of some of the network defense, the perimeter defense systems. The U.S. Government says, well, we can't share signatures that we have because they're highly classified. And if we do, we'll lose access to targets so there are more for or whatever.
The Industry's Pile Is Larger Than the Government Pile
Richard: I once asked a director, I made a comment, I said, "Let's put all the information that the US government has on the table, and then let's invite industry to put all their information on the table and let's see who's got the bigger pile."
Eric: Well, let's see who's more reluctant to share.
Richard: And nobody would ever take me up on the bet, but my feeling is the industry's pile is probably larger than the government pile. Government may know more about the background of the perpetrator, but if you're going to defend against something, you've got to be able to see it or you've got to be able to predict it based on behavioral models or whatever. And we're working all of those things.
Richard: I still call it machine learning. I think we're doing some very advanced work in machine learning today. I don't think anybody's got artificial intelligence.
Arika: We've heard that a lot on these podcasts.
Going Beyond Machine Learning
Richard: Yes, this is Dick Schaeffer's opinion, but I haven't seen any artificial intelligence. I haven't seen any systems that demonstrate the capability to actually go beyond just machine learning. We're writing much, much more sophisticated algorithms. We're able to collect and analyze much greater volumes of data.
We don't have any artificial brains in there yet. Really beginning to do what we do is as human beings. We can predict some behaviors based on past behaviors, but just as our most sophisticated adversaries study the past and go where we haven't been or where they haven't been, the same thing is true of what we're going to see as time goes on.
Richard: More sophisticated adversaries and more complex systems that make it much, much more difficult to defend in any real-time basis. And the consequences continually go up. Whether that's election systems that determine the future of the republic or whether or not that's financial systems or energy systems or whatever. I see those challenges just continuing to increase and until we've got the kind of collaboration between government and industry that really allows us to make some substantial gains, I just don't see us being prepared and maybe as prepared as some other countries simply because they learn from our mistakes.
Eric: Well and they lock off their environments. You look at the great wall, the great firewall of China, you look at some of the things I don't think we would ever do on supervision or understanding what their population is doing. Just as one example. Being in a free economy, a free country like we are, I don't see us doing that.
Guarding Against Malicious Activity
Eric: But I agree with you and I think it's getting much more difficult with increased globalization. You even talk about a company, but you look at somebody like IBM, they have more employees internationally than they do in the U.S. I think most people would look at them or General Electric as an American company. So how do you share?
Richard: That's where this whole issue of classification and so forth comes into play. I believe global companies have to be able to protect themselves irrespective of where they are in the globe. And that means the ability to share information that's relevant, time-sensitive, actionable to those entities. That makes a lot of people nervous.
And I understand that, but I think we have to decide whether or not we're going to harden the operational environment that we live in today. And that is a global environment or are we going to hold back information, hold back capabilities from being shared across the global company because they happen to have an entity that's located in Singapore or it's located in Japan or it's located in Morocco.
Richard: You can only guard against malicious activity to a certain extent. I believe it's more important to harden the whole environment even though it may make it a little more difficult for people that I'm still close to in the community. But you have to look and say, well, where's the common good? Where's it most important to be most effective? And then figure out.
Legitimate Government Purposes
Richard: I have no doubt whatsoever that clever people in the community working together across the community can figure out how we can access information that's necessary for both. I'll just call it, for government purposes, legitimate government purposes, we have the capability and the capacity to do that.
Let's harden the environment. And even though we may raise the bar for those folks a bit, I think it's more important to protect because the implications of failure in that environment are much, much more dramatic than the implications of failure in the exploit environment.
Arika: Well, Dick, you've certainly given us a lot to think about and I think of the theme I hear is we've come a long way, but we still have a ways to go. So thank you. Thank you so much for your thoughts and your expertise and the work that you're still doing within the community.
Richard: Yes, anytime. I think there's a lot of benefits in discussions like this and at least getting views on the table that some can say I agree with, some say I disagree with, but it's the dialogue that's important.
It's a Global World Problem
Richard: Exactly. I go back to the word collaboration. This is not a government problem, this is not an industry problem. Not even a private sector defense kind of problem. This is a global world problem and we've got to approach it that way. Some people talk about climate change as an existential threat. We've only got so much control over that. I think we've got a lot more control over the way we architect systems, design systems, handle data, and we ought to be paying a lot more attention to that because those effects are today. They're today impacts, not future impacts.
Arika: No, you're absolutely right. It is not just a government problem.
Eric: Well this is our future.
Arika: So thank you. Yep. Thank you, Dick. Thanks to everyone that listened this week. We always appreciate these discussions and that's exactly why we have this podcast. So please continue to tune in every week and to subscribe and share the podcast with a friend or colleague. And until next week, this is To the Point, Cybersecurity. Thanks guys.
About Our Guest
Richard C. Schaeffer, Jr. is a former Senior Executive with the National Security Agency (NSA), with over 40 years total U.S. Government service, including 15 years as a member of the Defense Intelligence Senior Executive Service. Positions held during his career include Director, Information and Infrastructure Assurance, in the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) at the Pentagon and NSA Deputy Chief of Staff.
Since retiring from the NSA in April 2010, Mr. Schaeffer has continued to pursue his passion for improving the security of U.S. interests in the Cyber domain through his own consulting firm, Riverbank Associates, LLC.