A former cyber diplomat says the government needs to refresh its thinking about response to foreign attacks
When does a foreign cyber attack merit shooting back? It’s a tough question but one defense and civilian planners think about. For some perspective, Federal Drive with Tom Temin spoke with Chris Painter, the former State Department cyber diplomat, now president of the Global Forum on Cyber Expertise.
Tom Temin: Chris, let’s start with what you’re doing now. So many people leave long careers in the federal government and then go right to the vendors, but you did something quite a different vector.
Chris Painter: So as you said, when I left the government, I’m taking a sort of the portfolio approach, which means I’m doing a variety of things, something you certainly couldn’t do in government. And the main thing is running this nonprofit foundation that’s based in the Netherlands, dedicated to the coordination of and promotion of cybersecurity capacity building – something that really countries around the world desperately need. And it has a lot of governments that are part of it, private sector, civil societies – we call it – and then academia, a real multi-stakeholder undertaking. Then I’m also doing, I’m working with a think tank – the Center for Strategic International Studies, I have a podcast there called “Inside Cyber Diplomacy.”
Tom Temin: Oh, there we go.
Chris Painter: And then I’m on a board of another nonprofit, the Center for Internet Security, which works with the states and locals and also on Elections [Infrastructure] ISAC, what they call information sharing.
Tom Temin: And that idea of capacity building, I mean, we tend to in the United States deal with the European Union countries, one of which you’re working out of in The Hague, and Great Britain and so forth, where the capacity, even though it’s inadequate, apparently, is nevertheless vastly greater than it is in places like Africa, in some of the Asian areas. So what does capacity look like around the world? Because in the sense that everyone is interconnected on the internet, the weakest link is the weakest link.
Chris Painter: And that’s absolutely right. And that’s why the business case for capacity building for even developed countries like the U.S. is you need to help these other countries because look if you’re a smart cyber attacker or a cyber criminal, you’re going to route your attacks your actions through countries who don’t have good cyber crime laws, who don’t have the capacity to investigate it, because it makes it harder to find you. So Africa clearly is a big focus. We have a big Africa project we’re doing right now, also our region and Latin America working with the Organization of American States here, and the Asian region, too. So there’s lots of countries who are just getting into this who need this help, because they love this idea of a digital economy and all the things they can get out of a digital economy in terms of growth, but at the same time to do that they need to have this base of strong cybersecurity, so that people want to invest there and they can really profit and see the benefits of the digital part of the world coming forward.
Tom Temin: Interesting aside on the new economy, even now, cryptocurrency turns out can be purloined at will by hackers to the tune of hundreds of millions of dollars.
Chris Painter: But apparently returned because it was hard to launder it, I understand. So it’s an interesting issue. There’s been a lot of issues around cryptocurrency in terms of how it’s been used, especially for ransomware groups. But I think it’s here to stay. So we have to see how we can work with cryptocurrency, how we can enforce some existing regulations to deal with it.
Tom Temin: I thought blockchain was supposed to be the panacea to keep it secure forever.
Chris Painter: Well, there’s a new buzzword every like four years or so. So now it’s crypto.
Tom Temin: All right. And I guess in some ways, what you’re doing is an extension of the cyber diplomacy that you did at your last stint in government at the State Department.
Chris Painter: Yeah, absolutely. I was very lucky, I had a career in government that was about 28 years doing cyber. So back when no one cared about it, to when they did care about it. And my last gig in the government for the last six and a half years I was in the government was I was our first dedicated cyber diplomat, and I was really the world’s first cyber diplomat. And now there are 40 of them around the world, and both in our friendly countries and our frenemy countries. And that’s important, because one of the issues around this area is we need to elevate it from just being seen as this technical boutique issue. To one it’s a core issue of our national security, of our economic security of human rights and, and ultimately of our diplomacy. So upping the game, there was important and I was able to build bridges with lots of other countries, make progress on negotiating certain norms of behavior rules of the road in cyberspace, and also work with other agencies in the government to try to combat the threats we’re seeing every day.
Tom Temin: And that idea of frenemy is kind of really on the forefront nowadays, isn’t it? Because thinking back to the Cold War, we had this rivalry with the USSR, but we did not have the economic interdependence that we have with China. And let’s face it, Russia is like Japan – it can make a lot of noise but it’s a shrinking country, population-wise. So ultimately, it’s really not a world power. China, different story. And so what should the U.S. posture be, the federal government vis-à-vis cyber and China and everything else? There’s a lot in that question, but they seem to be having the upper hand now with respect to espionage.
Chris Painter: One of my former government colleagues put it this way: Russia is like the hurricane, China’s like climate change. China is going to be there. They’re very dedicated, very focused on this. And this is not a new issue for us. Back when I was in the government, one of the big issues and it still is, is China theft of intellectual property that they would use to benefit their own businesses. So every country does intelligence gathering, they have from the beginning of time, they’ll do it to the end of time. But this kind of targeted espionage that goes after commercial trade secrets and other things. It’s the lifeblood of our economy. It’s something we said should be off limits. And it took us a while but got China – used to run our China-U.S. dialogue and also help negotiate this agreement – it took us almost two years of pressure. But they agreed to it and for a while it worked for about 18 months, it worked. There was a lessening of this. But it’s not that way now and so China is going to continue to be a real challenge. Espionage is one issue, the theft of secrets. We’re, of course, worried about more destructive operations, like we’ve seen from the rush of ransomware groups and others. But the good thing about China is I think we have more levers than we do with Russia. We have the economic interdependence you talk about that we can use that to our benefit. We can use things like potentially economic sanctions, pressure on their leadership, work with other countries around the world, as we did with the theft of intellectual property, Australia, U.K., Germany, and others, to put pressure on China. So I do think there’s some trade space there going forward, but it’s going to be a challenge and it’s not going to go away anytime soon.
Tom Temin: We’re speaking with Chris Painter, former State Department cyber diplomat, now president of the Global Forum on Cyber Expertise in The Hague. And is your sense that we hit them back? Are we spying on them, too, and purloining as much as we can have their intellectual property, at least in military, perhaps, affairs?
Chris Painter: Well, no, I mean, certainly as I said, before, every country does intelligence gathering. I mean, that’s gonna happen. And of course, they do that for the national security to protect the people of their country. But the kind of theft that goes to trade secret theft, that kind of commercial theft, we don’t do that to benefit our businesses. We don’t spy on someone and give it and turn around and give it to – I don’t know – name any company you want to in the U.S. – we don’t do that. We don’t think any country should do that. We got an agreement from them both bilaterally and in the G20 that shouldn’t be done. So that we think should be off limits. But even some of the espionage we’ve seen recently, like the Microsoft Exchange hack got a lot of attention recently, that went a little beyond the pale too, because even if that was espionage, it was done in such a reckless way that it left the victims open to exploitation by criminal groups by ransomware groups. It was done in a way that caused a lot of second-order damage. So it’s not that we have to sit still and say, “Oh, it’s espionage good on you,” we shouldn’t do that, we can still react. But when you have that kind of reckless espionage that even takes it to another level too, even if it’s as some people call it, just espionage.
Tom Temin: And that gets to a question I think the federal government hasn’t really decided on what the best response is but you were a federal prosecutor and you went after cyber crimes in that capacity. We should note your lawyer also.
Chris Painter: Recovering.
Tom Temin: Right, well, that’s good. And then there is the Cyber Command military possibility of retaliation. And so the question is, when is it a civil affair strictly? When does the military intervene in cybersecurity? Some people have opined recently that, you know, maybe this time for military, especially when it affects critical infrastructure, and suddenly there’s economic fallout, and the possibility of social unrest and so on.
Chris Painter: Yeah, look, I was amazed at how quickly cyber became a national, international priority. After Colonial Pipeline, I was part of a ransomware task force report, private sector report – 60 former government people, people who do insurance, people who do cybersecurity, we issued a report one week before Colonial Pipeline. And it took off. I mean, you’re always worried about these reports becoming like shelfware, this thing took off, and rightly so. And then you saw this issue go from backburner to front of the line at the G7 summit, at the NATO summit and the meeting with Putin. So that’s all important. And you have to then think about all the tools you have. So you can’t just say don’t do this. These are criminal groups operating in the territory of another country, they still have responsibility. They can’t say, “Well, not us. So wash ourr hands of it.” Clearly, if they do it their responsibility, but they bear responsibility for these actors there. And so that’s the message I think, that President Biden delivered to President Putin. And then we have to look at all the tools we have, both to change the behavior of the government that’s providing a safe haven to themselves, how do you get Putin to decide this isn’t a self interest?
Tom Temin: Or getting a cut from them.
Chris Painter: Well, when I was a prosecutor and dealing with Russia, either that groups were operating under the control of the government or because of corruption, or in some cases, you know, just these free willing groups, but it was still in line with Putin’s larger agenda to have disruption in the West. So as long as they weren’t hacking Russian targets, they were good. So we have to change Putin’s calculus. But also, as we look at our toolset – economic sanctions, diplomatic actions, criminal indictments – we also have to think about those military tools. Now, we have to think carefully about that. Because if we use those to disrupt criminal groups, which is something I think folks are considering, at least I think it’s on the table generally, we had to figure out what that means, what that means for the future, what the reaction is, what groups might use against us. So we have to take that into account but it has to be something that is at least considered.
Tom Temin: And getting back to Russia and the idea that they are not necessarily the world power they posture to be, on the other hand, cyber capability is a great equallizer so even the smallest nation can really badly harass the largest nation without having any intercontinental ballistic missiles or not having any air to ground missiles or anything of that sort.
Chris Painter: Yeah it’s something we call an asymmetric threat. And we’ve seen this play out with Iran, with North Korea, with Russia to some extent. Yeah, absolutely. It doesn’t require a lot of investment to have a powerful ability here. Now to have a sustained impact, like to actually take down our infrastructure for some period of time that requires a lot of sophistication and resources. So it’s not simply you can have a criminal group go instantly to doing these things. But you saw with colonial pipelines, they can have an effect and that can potentially be devastating. And we’re so dependent on these technologies. We’re so vulnerable, we have to think about that side to how do we protect ourselves better?
Tom Temin: And what’s your assessment of the Biden administration’s executive order on cybersecurity, it was long, a little bit convoluted, but it did bring in the zero trust idea. It did seem to elevate, finally, pushing along the idea of information sharing – intragovernmentally and between government and industry, which has been more latent than reality for the past 18 years.
Chris Painter: Yeah, look, I think it’s not been that long. They’ve only been in office about six months, but I think they made some real strides. One is that prioritization I talked about. Two though, is this executive order. The thing I liked the best about that executive order was saying, and when the government procures things, we’re going to insist on it meeting a certain standard, with software and other things and tools. That’s a huge driver for the market. And so even if you don’t regulate and say you have to do this, which is still, I think a live issue on Capitol Hill and others, by executive order, you can say, we’re gonna decide what we’re gonna purchase. And that I think, is really important. The other thing I think is important is they filled the government with people who know what they’re doing. They’ve created this as a high level issue at the National Security Council. This new cyber director, Chris Inglis, who’s incredibly accomplished, Anne Neuberger at the National Security Council. But even at the Cabinet level, these people have dealt with this issue before. They dealt with it in the Obama administration. So they don’t need to be spoon fed. They actually – Jake Sullivan, the National Security Adviser, [Alejandro] Mayorkas, Tony Blinken, and Biden himself – I mean, they’ve all dealt with these issues at the end of last administration. So that’s a good thing. So they have a leg up. And I think early day so far have shown that they really are taking it seriously. And that was borne out by Biden’s message with [the] summit with Putin. But then he’s made speeches about this, including just recently. So it’s still front of mind. You don’t need the president involved every day, but having the president be a big advocate – that’s a big thing.
Tom Temin: And how does that all get translated down into the day to day operations? And as you would put it, the capacity development of the bureaucracy itself?
Chris Painter: Well, I mean, first of all, if it’s a presidential priority, that makes a difference. If it’s a secretary or cabinet level priority, that trickles down. But you also have to put your money where your mouth is. So Congress has been giving more funding to this. That’s important. Structural things have happened at DHS creating the cyber agency there – that happened in the last administration. That’s great. And filling that with the right people, which they’ve done with Jen Easterly, that’s great. So people are policy to some extent. And I think there’s a lot of people at that mid level of the bureaucracy who wants to do this, who felt that they didn’t have the resources or tools to do this? I know my old gang over the State Department felt that way, that they really want this to be prioritized. And now you’re seeing that. So I think – look, hiring’s always a hard issue when the government getting these talented people in, that’s going to be a challenge. But there’s a lot of people who are ready to go.
Tom Temin: And I’ve always had this more of a fantasy thought than actually reality that somewhere, someone is going to come up with the code that revolutionizes everything. And suddenly, we would wonder why we ever worried about cybersecurity, just apply this. Anything like that on the horizon?
Chris Painter: Well, if you go to a cybersecurity conference, almost every company claims they’ve discovered that code. So, and some certainly have some good tools out there. Look, I don’t think there’s a silver bullet. I mean, that’d be great if that happened, right? That would be movie-esque if that happened. But I think we have to understand that as we develop better capabilities to protect ourselves, the adversaries will get better at attacking our systems. I’ve seen that over my 30-year career. I’ve seen, when we’re dealing with some of the early cybercrime cases, their tradecraft has gotten much better. We’ve gotten better at fighting it, but their tradecraft has gotten better. So I think you’re going to expect that cat-and-mouse game to continue. And I wish it were otherwise. I certainly am fond of movies were hackers or computers or main characters. But even those movies, which were almost all dystopian, there’s never the silver bullet that wins everything.
Tom Temin: Which gets us back to the original part of the discussion on currency. So nobody robs banks to get gold coins anymore, or cash. But in the age of cryptocurrency, people have discovered ways to steal that, too.
Chris Painter: Yeah, they have. It was interesting this recent event and who knows what the actual story is, but it appears they’re returning it either because they were doing it on a lark as they claim, or because it was just too hard to get rid of it and launder it. So we’ll see. But you do have criminals using these tools. And so you have to think about, well, how can you – with the expectation they’re going to continue – enforce things we have now like any money laundering and know your customer rules and get other countries to work with us? We’ve got to do that.