ADRIAN FLORIDO, HOST:
Passenger train derailments, entire cities gone dark, critical infrastructure destroyed. In the early days of cyberattacks, these are the nightmare scenarios that officials feared for the U.S. if it didn’t shore up its defenses against network-based attacks. And while the U.S. has largely avoided these kinds of catastrophic attacks, our next guest says that does not mean it has done a good job in responding to or preparing for cyberattacks.
Susan Gordon spent decades working in national security, most recently as the government’s principal deputy director of National Intelligence. She’s now a senior fellow at Harvard and Duke universities, and along with her colleague Eric Rosenbach, wrote a recent essay for Foreign Affairs called “America’s Cyber-Reckoning: How To Fix A Failing Strategy.” To start off, she described what cyber threats look like today and where they’re coming from.
SUSAN GORDON: It comes from everywhere. It comes from nation states. It comes from rogue states. It comes from individual actors. It comes from criminals. And I think what Eric and I were trying to articulate is, while the U.S. has responded aggressively since at least 2009 to the national security risks, we tended to view it within the framework of a really binary view of war versus peace and within the structures that the national security apparatus had at its disposal. What we missed was that the nature of cyber, in fact, defies those definitions, whether that definition is what’s the red line between peace and war or the boundary between government and the private sector, it is a ubiquitous threat.
Every intention of our adversaries and competitors increasingly can be affected through the cyber realm. But our ability to understand the nature of it and then develop a response and a deterrence that’s effective in this kind of murky threat is what challenges us today. And I think you see it. For all our efforts, 2021 was a really aggressive year for our adversaries and competitors.
FLORIDO: And you write that one reason the U.S. is ill-prepared for cyberattacks is, you know, what you just mentioned, that because for a long time, the government was preparing for cyber warfare. Tell me a little bit more about that. What do you mean by that, and why, in your view, did that sort of reflect a fundamental misunderstanding of the problem?
GORDON: Yeah. So we viewed it as a national security threat, where nation states using their national security apparatuses – of which the military – would affect attacks on governmental institutions and the functioning of society. And so we built up structures to try and defend against that model. The problem is it didn’t go far enough. It missed the fact that, now, probably the greatest threat surface we have is controlled by the private sector, not the government, whether it’s SolarWinds or Colonial Pipeline or attacks on the city of Atlanta. Those are outside what you would expect normal governmental responses, and you see being slow to figure that – how to respond – because it didn’t fit within our model.
FLORIDO: Well, you offer a pretty robust list of recommendations for how the U.S. can better protect itself. Some are simple and some are pretty complex. Which one or two are the most important in your view?
GORDON: The one that I’ve proffered that I think is worth some consideration is this recognition of how important the private sector is to our nation’s security, both from protecting that part of our infrastructure but also in the decisions that they’re making when they act internationally. You know, I think there’s an analog here. In ’29, after the stock market crash, the U.S. government recognized that the private sector and what was happening financially within the companies was important to national security. And you see the rise of the SEC, an independent organization that sets standards for hard financial accounting should happen. And then you see them turning to the private sector to establish generally acceptable accounting principles.
I think there’s an analog that the time may be right for the government to form an institution, an independent body that says here are the standards for cybersecurity and then turn to the private sector to say, let’s establish what those principles are, and then let’s measure them and ensure that they are enforced. So I think there’s an opportunity because without that, the volunteerism is good. The new organizations are good. But I think we need a new model that kind of bridges the gap between those two. And I think we have one, you just need to twist it to cybersecurity.
FLORIDO: You say you also want to see the U.S. be quicker to publicly identify the perpetrators of cyberattacks, even if it’s a foreign government responsible and even if it means a political or diplomatic fallout. That’s not something the U.S. has always done. Why do you think it should?
GORDON: If we’re asking the private sector to talk about when they’ve been breached, the government has to be more transparent in what it knows and be willing to call out what it sees, again, because we do need to establish these norms of behavior. And if you don’t call out what is egregious, you won’t set an international standard. And I think there are plenty of examples. When we have been quick to call out breaches, you do actually see a diminution in attack against that vector. So I think it’s important not only to show that we are more transparent but also to set – some norms setting.
FLORIDO: I’d like to ask you a question about privacy. In your piece, you praise a recent rules change that now allows the government to hack into private servers that it knows have been compromised by malware from foreign governments and remove that malware. Why should that not raise concerns for privacy advocates and everyday citizens, you know, the government accessing private computers, and where should the government balance these concerns?
GORDON: What we do know is that when we can identify mal actors, speed is of the essence. And we have to develop ways to do what we’ve always known how to do, which is to stop bad action quickly rather than being flummoxed by the fact that it is happening digitally. And so I think it is relatively easy to develop the legal framework that allows us to maintain what’s so important to free and open societies and certainly our democracy, which is privacy, but still allow us to adequately respond to mal actions against that. And so this is just one of the things that we have to develop a framework and some principles around. And I think the FBI has shown that the way they’ve approached it is totally within the laws and standards that we have as a nation.
FLORIDO: That’s Sue Gordon. She’s the former principal deputy director of National Intelligence. She’s now a senior fellow at Harvard’s Kennedy School of Government and at Duke University. Sue Gordon, thanks for joining us.
GORDON: Thanks, Adrian.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.