Afternoon. I’m Garrett Graff. I’m the director of the cyber initiative at the Aspen Institute, here with Aspen Digital, and thank you so much for joining our webinar today looking at the domestic U.S. cyber risks and geopolitical digital cyber implications for the increased tensions between Russia and Ukraine. We have a great, fascinating set of panelists and discussions today. This is being broadcast live on YouTube as well as on our website, and we are looking forward to a great discussion. There will be time for Q&A at the end of our program today.

We are going to start today with a keynote address from Jen Easterly, the second director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security. Afterwards, then, we will go into a panel discussion moderated by Director Easterly’s predecessor at CISA, Chris Krebs, the senior Newmark cyber security fellow here at Aspen Digital, along with Sandra Joyce from Mandiant and Herb Lin from Stanford.

Two other Aspen Digital programs I want to mention, that we will provide some more information about in the chat today. The Aspen Tech Policy Hub is working right now to recruit applications through the end of this month for its Aspen climate cohort, a 10-week program running this summer helping to train climate scientists and technologists to engage in the policy process. Applicants of all backgrounds with technical expertise and climate change are encouraged to apply and will be paid an eighteen-thousand-dollar stipend to enable this participation. There’s an info session next week on that; we’ll be posting about it in the chat as well.

Also, Aspen Digital is working with HP on a recently launched program, a digital accelerator to help scale non-profits working on digital equity issues around the world. We’re launching pilot projects in the United States, India and Morocco, and next week as well we will be having information sessions for applicants to the summer 2022 cohort. It’s a great opportunity for non-profits interested in applying to learn more about
what will help them stand out and ask questions about the program. We’ll be linking to that as well.

But first, today, let me welcome Jen Easterly, the second director of CISA, who is working hard to try to make sure that our country is ready and resilient for whatever may unfold geopolitically over the next couple of weeks. Director Easterly.

Hey, thanks very much, Garrett. I really appreciate the kind introduction, and thanks of course to Aspen for hosting the event today. It clearly is a very timely venue to discuss critical infrastructure resilience as the world braces for a potential escalation at the Ukraine-Russia border. And while that border may be over 5000 miles away, and there are no specific credible threats to the U.S. homeland that we know of currently, we all recognize that threats to our digital infrastructure are of course not bound by national borders, and we saw that very starkly in July of 2017 during the NotPetya incident. Our networks and our critical infrastructure are integrated into a larger global cyber ecosystem, which means that we all need to be ready, as I like to say, shields up.

So given the rising tensions and the potential invasion of Ukraine by Russia, we’ve actually been leaning forward to inform our industry partners of potential threats, you know, really as part of a paradigm shift that I’ve been talking about for a while now, of moving from the government being reactive to being much more proactive. And in this role we have been leading a national campaign to ensure that senior leaders and network defenders are prepared to manage such a threat.

So a couple things we’ve been doing that folks should be aware of. Starting in late 2021, we began a very robust outreach campaign in our role as national coordinator for critical infrastructure resilience and security, so pulling together the interagency to help critical infrastructure have the information necessary to be as prepared as possible for any escalation that might pose a potential threat to the homeland, and that included classified and unclassified
briefings to our private sector and state and local partners regarding evolving cyber security risks. We also released many products. One in particular was a joint cyber security advisory with our teammates at FBI and NSA in January about the Russian threat to U.S. critical infrastructure. It included specific tactics, techniques, procedures associated with Russian actors; very important to get that one in particular to network defenders. And we also put out separately an advisory that was more executive level, for CEOs and business leaders, that urged every organization to take urgent and near-term steps to reduce the likelihood and impact of a potentially damaging compromise.

We also have a dedicated public webpage that provides an overview of the Russian government’s malicious cyber activities as well as a collection of all our advisories and products on Russian state-sponsored cyber threats. And then we just stood up a new Shields Up web page, so if you go to cisa.gov you will see Shields Up, and the page includes the latest guidance on how organizations, regardless of size, can adopt a heightened posture when it comes to cyber security and protecting their most critical assets.

So what should companies and organizations be doing today? Well, we recommend four basic things, but also go to the website and check out greater details. First of all, reducing the likelihood of a damaging cyber intrusion: making sure that MFA, multi-factor authentication, is enabled, that your software is up to date, that your patches have been implemented. Take steps to quickly detect a potential intrusion: make sure that logging is enabled, confirm that you have the antivirus, the anti-malware software and signatures updated. Three, ensure that your organization is prepared to respond if an incident occurs, that your crisis response team is ready to go, and that hopefully by now you’ve exercised your plan to make sure that everyone understands roles and responsibilities in the event of a significant incident. And then, finally, maximizing your
organization’s resilience by testing backup procedures and manual controls, in particular for industrial control systems or operational technology, to ensure that critical functions can remain operable in the event of a compromise.

Now, we’ve been putting this information out for months now, so I hope this sounds very familiar to anybody from industry that we have out there, but again, please go to the website. I would say, of the guidance that we have been providing, perhaps the most critical is that organizations need to lower their thresholds for escalating anomalous activity and sharing that information with the government, whether that’s CISA at CISA Central or our teammates at FBI at CyWatch or at an FBI field office. Just get that information to the government, and rest assured that we are very tightly connected and we will share that information to ensure that we can protect the security of the U.S. And this is crucial because we all recognize that early warnings of a cyber attack affecting U.S. organizations are frankly going to be identified by, very likely, a private company first rather than the government, as we’ve seen with many of the cyber campaigns throughout the past year. And our goal is to ensure that we are connecting the dots between seemingly disparate events so we can identify and work to remediate an emerging campaign as rapidly as possible.

To support all of these efforts, we have stood up dedicated operational collaboration channels on this issue with key cyber security and technology companies through our Joint Cyber Defense Collaborative, many of you familiar with by now, the JCDC, a collection of more than 20 private sector companies, the biggest technology companies in the world, ISPs, cloud providers, major cyber security companies like our friends at Mandiant; you’ll hear from Sandra in a couple minutes. And these companies have visibility into networks and can help us to understand the threat landscape in the ways that we don’t have that visibility. And so the theory of the case here is that the partners
in the JCDC come together with the government to help us see the dots, connect the dots, and then collectively drive down risk to the nation at scale. And we’ve had some pretty good success in the short lifetime of the JCDC, about five months old now. We’ve been standing shoulder to shoulder with our industry partners, and particularly throughout Log4Shell, turning us from partnership into true operational collaboration. During that period of time we stood up the Slack channel. That sounds super simple and primitive for everybody out there in the private sector, but it’s actually pretty novel to stand that up very quickly and bring in the government and bring in the private sector to share near real-time information to help create that picture of the threat. Stood up a GitHub site that made us the authoritative source on vulnerabilities, and we did that with industry and academia as well as the fantastic research community. As you know, here at CISA we are huge advocates for anyone out there, researchers, academics, hackers, reporters, who willingly and responsibly disclose vulnerabilities to us.

So I think at this point in time we are quicker, we are more nimble, we are more connected than we’ve ever been, and that’s allowing us to help be better prepared for this moment. As my good friend Chris Inglis likes to say, the JCDC is not a club, it’s an engine.

So we just announced, and I love this idea, we just announced a catalog of free services available to those critical infrastructure owners and operators who need access to tools that will keep them resilient. We know that big companies can afford to bring in cyber security folks to help them, but then there’s the category of those we call target rich, resource poor. And so this catalog includes services from CISA, open source tools, but also free offerings from our JCDC partners: malware and anti-virus protection, vulnerability assessment solutions, tools that test password strength, DDoS protection services, intel from several leading cyber security companies, all free for all of our
partners, whether that’s critical infrastructure or partners at state and local. So I think those will be very helpful, and we wanted to get that out so that organizations can take advantage of it. This is version 1.0; that catalog will grow and mature, but check out cisa.gov and check out some of those services there.

You know, I fundamentally believe that this sort of whole-of-ecosystem operational collaboration model is really going to move us from a place where it’s just about basic information sharing into enabling. And everything we’re focused on now is providing timely, relevant, and most importantly actionable data that can be used by network defenders across the community to increase the security and resilience of their networks.

I want to close on one other aspect, because while we are completely shields up in critical infrastructure cyber security, we are also working to prepare for and mitigate foreign influence operations. We know that given rising tensions, foreign actors may use influence operations to spread mis-, dis-, and malinformation, or MDM, narratives to bias the development of policy and undermine the security of the U.S., and so we are very focused on that. We’ll be putting out a product shortly. We may even bring back the famous pineapple tutorial, Chris. We’re gonna launch a product which essentially provides guidance on how to identify and mitigate the risks of MDM narratives and operations, and so we’re encouraging all organizations to take steps, both internally and externally, to ensure that they can react to information manipulation.

So finally, I would just say, make sure you are availing yourselves of CISA resources. You have any questions about tools, services, information, please let us know. Our job is to understand, manage and reduce risk to our nation’s critical systems, so we are here to be your collaborative partner as America’s cyber defense agency. So thanks, Chris, for giving me the opportunity, and I hope the rest of the panel is fantastic.

Director Easterly, thanks so much for those opening
comments. I think you covered a lot of waterfront, including some of the resources available to various organizations out there, but also some of the initiatives that you’ve kicked off in your tenure. I’ve been quite impressed with the U.S. government’s efforts to get actionable information out to the private sector, to state and local governments, to federal partners, but also convening a range of organizations so that they can share information and then get on top of these threats. And I think the one kind of key here that I’d point out is that, look, I think we’ve all been hearing about what may happen in Ukraine now not just for a couple days, not just for a couple weeks, but really for months, and at times, particularly when you continue to brief your leadership, it can get a little tiring and stressing. But, you know, this is not the moment, I think, to kind of let down your guard. In fact, this is a moment to redouble your efforts, as you pointed out, and I loved seeing Shields Up last week. So, Director Easterly, again, thanks for everything you’ve been doing, and the team at CISA and the rest of the national defenders within the U.S. government have been leading over the last several months.

Awesome, thanks, brother.

All righty, okay. So what we’re going to do today is, or now rather, is kick into a bit of a fireside chat, a question and answer session, with two Aspen Institute, Aspen Digital affiliated experts, and get into kind of where we are in the situation, where this might go, and ultimately what are some of the threads that are playing out across Eastern Europe and elsewhere. But I think before we get there, though, particularly if you’ve been watching any of the news alerts today, Twitter, wherever, it does seem as if within the last 24 to 36 hours things are heating up in the east of Ukraine. Just earlier today there was some reporting on that, where the U.S. government had declassified or released some information about potential assassination lists
that the Russians had developed for former officials within Ukraine. So before we get into some of the technical aspects that we all like talking about, I think it is critical to acknowledge and recognize the fact that, you know, while we don’t know exactly how this is going to play out, if it plays out, if Russia invades, if Putin decides to invade, there’s no question that this has all the hallmarks of a potential tragic humanitarian crisis with massive loss of life, just dislocation and displacement of people, refugees, and it’s just a sad state of affairs that it’s gotten to this point. And I think that’s in part what is behind some of the U.S. government efforts to be radically transparent, as they’re calling it, get the plans out there that they’ve come across from an intelligence perspective.

So let’s jump into it now. I’m gonna introduce our panelists and then we’ll get into a bit of the Q&A. So I’d like to start with Sandra Joyce. Sandra is an executive VP and head of global threat intelligence at Mandiant. She oversees intelligence collection, research, analysis and support services for threat intelligence customers and the Mandiant security product portfolio. Also a friend of mine, and it’s great to see you here today, Sandra.

Thank you for having me.

We’ve also got another friend that I’ve worked with for quite some time, Dr. Herb Lin. He’s a senior research scholar for cyber policy and security at the Center for International Security and Cooperation and the Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. Dr. Lin is particularly interested in the use of offensive operations in cyberspace as instruments of national policy and in the security dimensions of information warfare and influence operations on national security. I had the honor of working with Herb on the Aspen Commission on Information Disorder. We wrapped up that effort last October and released about 15 recommendations on how we
can address at the national level here in the U.S. some of the disinformation issues that we face on a daily basis.

So, all right, Sandra, if I can start with you. I think what would be helpful is setting a little bit of context. So Mandiant obviously is a global operation, a lot of telemetry and incident response forensics analysis globally, and so you probably have a pretty good sense of what has happened to date. So can you walk us through what we’ve seen from a cyber perspective, a technical perspective, over the last several months in Ukraine, and then maybe give us a sense of what you and your team at Mandiant might be expecting to see here in the U.S., in the West, and also in Ukraine in the coming days, weeks or months?

Yeah, I’m happy to, Chris. So the way to think about it is we’ve seen activity that really falls into three main areas: softening of the target within Ukraine, domestic positioning within Russia, and then that so-called casus belli, so that, you know, cause for war kind of activity. We track a group called UNC1151. This is the group that has been conducting what we call the Ghostwriter campaign, a lot of information operations against groups in Germany, Latvia, Poland, and really looking at pushing narratives that are anti-NATO. So they’ve been just really doing and conducting a lot of intrusions against organizations that have a critical role within the Ukraine, you know, territory.

We also been seeing a group that we’ve tracked for a long time called Secondary Infektion. This is what we believe is a Russian-backed information operations group, and really we’ve seen four recent operations from November 2021 to February, this month, where they pushed anti-Ukraine messaging attempting to drive a wedge between Ukraine and NATO countries, particularly Poland and Germany. In fact, we saw a fake map that had been disseminated showing a sort of an occupation of Polish soldiers along the border of Ukraine, something that is designed to really get the
domestic audiences in those countries to start to feel negatively towards their own government.

We’ve also seen Russian domestic audiences targeted with information operations campaigns that have really been, you know, victims of this are looking at lies around humanitarian crises that supposedly have been perpetrated by the Ukrainian government. Along with that, we’ve seen DDoS, or distributed denial of service, attacks against banks. This was widely reported, but even more interesting than that was the follow-on SMS spam, so messages going out to bank customers telling them that their bank doesn’t work, that the website is down, which has a two-fold effect. One, it drives more traffic to the bank itself, feeding that DDoS incident, but also, and probably more importantly, driving up that fear, driving up the uncertainty around can the Ukrainian government protect itself, you know, undermining the confidence that is there.

So really all of this goes to show we really are watching these active measures, these, you know, softening of the target within Ukraine, domestic positioning within Russia, and then really looking at how can Russia put out a message that could be interpreted as a cause for war. So we’re seeing all of that happening over the last couple of months and weeks.

If I can pull a quick thread real quick and then hop over to Herb, but back to you real quick for one follow-up, Sandra. You had a blog post earlier this week talking a little bit about, you know, trying to put into context what some of these events are, and at the same time, happening across Twitter, I’m unfortunately extremely online and on Twitter all the time, there was a lot of debate on whether a DDoS attack against a bank or a ministry of defense, or website defacement, or, you know, SMS spam, whether these actually constituted attacks. And I think, you know, if looking in isolation, if you’d seen a website defacement on the government of Chile or Australia, you probably wouldn’t think much of it, but as I see it, within an
within anarea of geopolitical tension uhi thinkyou know i pay attention to all thesignals so can you can you dive in alittle bit more about how you thinkabout the spectrum of attacks what mightuh you know and how to how to put thatinto context for for us as we’re lookingat things developedwhen i think about cyber attack there’sthat traditional definition right denydestroy disrupt uh deceive those arepretty clearly you know going under thisbucket of cyber attack but to me what’smore interesting is really not the themode not the the level of sophisticationbut really it’s the effects it’s theoutcomesan operation can be very low-tech buthave tremendous outcomes in the case ofthe ddos attack against the banks sureddos is not something that you know ison the high priority list of threats itis easily relatively easily mitigatedbut what was interesting was thefollow-on information campaign getpushing people through the sms tech spamand pushing them back to the banks tolook at the website to perpetrate and topromulgate the fear the fear factor soto me it’s it you know the semanticsaround whether it’s an attack or not areare less important than really were theoutcomes reached were the goals achievedby the perpetrator of these things andand to what measure i think that’s amore a fuller way to look at what we’retalking about when we think about cyberattacki think i think that’s right i think i’di’d agree with that and so kind ofbuilding on this gray zone space wherewe see activities that don’t necessarilycost a lot on the adversary side and theimpact is a little nebulous on the thetarget siteside we have heard um you know herbyou’ve you’ve talked about from anuclear perspective the cyber securityrisks with the nuclear arsenal uh you’realso an an expert in offensive securitycan you give us a sense offrom your perspective at least what youmight expect in the coming days andweeks in ukraine and how to think aboutescalation what what would be some ofthe limiting parameters for 
Russian operations, both in Ukraine and in Europe and here in the U.S., where we might see activity X but not necessarily activity Y?

Let’s see. On the first, I think that if an attack actually happens, by attack I mean a kinetic attack, with troops invading and so on, there’s a full-fledged military operation, I think at that point many of the operations that have been going on, I think, will still continue. There is also the question of the extent to which we’ll see attacks on infrastructure, perhaps Ukrainian, perhaps non-Ukrainian, that helps the Ukrainians fight the war. So for example, to the extent that Ukraine relies on space assets for reconnaissance, and commercial space assets, right, commercial satellites to tell you where Russian troops are massing and so on, those kinds of companies may well be attacked as well, to shut down intelligence feeds to, to be retaining Ukrainian military. So I mean, just as one of them. So I think we’ll see a broader range of attacks where they basically intended to, many of the military functions that the Iranian, that Ukrainian armed forces are going to be undertaking.

On the escalation side, yes, you worry about escalation in both nuclear and in cyber and conventionally. I don’t want to say in any sense that the effects of cyber operations, escalatory cyber operations, are anything like going nuclear. I mean, I’m not anticipating going nuclear on this, no way. But the theory of escalation, you know, has to be thought about here, which is that you escalate with the idea that you can force the other guy back down, that you want to cause them pain enough so that they stop doing what they’re doing, or to influence their decision making. And then, if you decide to escalate, you have to worry about his counter-escalation, and so it just builds up on each
eachother and in the end there it reallyyou either get off the escalatory ladderum or you go all the way down to the matuh i don’t expect that to happenimmediately um but you know it may wellbecome a uh a test of who has the uh thestrongest you know the largest paintolerance uh and that’s a dangerous youknow that’s a dangerous place toto be um and it could well spread toother uh other nations for examplenations that are supporting ukraine uhin in their in their efforts um soi so i mean i think to put a bit of afiner point on it i i would stipulatethat as a part of any sort of groundforce movement by the russians if theydecide to invade would probably bepreceded by some combination of cyberattacks oncivilian infrastructure power grids likewhat we saw with the sand worm effortsin 2015 and 16 combined probably withsome electronic warfare againsttelecommunications network to your pointdazzling jamming of satellite bothcommunications and other sort of remoteground sensingwhat do you think you know againstipulating that ukraine will will havethose sorts of targets that could evenbe destructive what do you from anescalatory perspective what would the usand allies what sort of steps up theladder would would have to happen foruh russia to turn andturn the the gru the fsb the svr or anybella russian assets or others againstas you’ve heard from the u.s governmentin the banksdoj yesterday with their notice to bankswhat do you think it would take to getthere just again national assets so sodistinct aligned state-sponsored andcontrolled forcesi think what you’re asking iswill they be attacking them will they beattacking uh sort of criticalinfrastructure in some ukraine uhukrainian critical infrastructure uhpower grids banks and and so on and i ii expect them to be doing that now um oror at least planting the seeds to enablethem to to to do it now essentially atwillum i ithe the ukraine has had you know has hada long history of being the test bed forrussian cyber operations um 
They’ve been victimized a lot. I have no particular reason to believe that they’re gonna necessarily do very much better now than in the past, so I expect, if the balloon goes up, for them to be compromised in ways that actually have, there are two effects: one, that actually cripples useful national functions like providing power, and two is it creates panic and uncertainty about the ability of the Ukraine government to protect them. So the example with the banks and so on, is my money still there, that’s a big deal; lots of people are going to be concerned about that. So that’s an example. You might see attacks on hospitals, where you shut down hospitals and people can’t get to the hospital and so on. Might not actually, you know, have actual medical impact on a large scale, but certainly a lot of, you know, if there were troops coming in and so on, and I was uncertain of my ability to get medical care and so on in case they were shelling, so I sure want to get out of the way. And so, you know, just a way of, you know, driving refugee flows and stuff like that.

So I think I agree with that, particularly with what’s going on in Ukraine. So Sandra, let’s shift back over to you. There’s a lot of, you know, are they, aren’t they, are the Russians going to go, aren’t they going to go; there’s a lot of anticipation of, as we already talked about, what constitutes an attack. And so I don’t want to go as far to say there’s a lot of admiring the problem, but ultimately you have to ask the question, so what, and then what do we do about it? And so from a Mandiant perspective, from where you sit, how are you all thinking about some of the threats that we may face here in the U.S., again separate from the geographically limited attacks within Ukraine? How are you thinking about and how are you talking to organizations, when Kevin goes out
on the road, when you all are out there on the road, how are you talking to businesses about what the specific risks we may face here?

Well, really, the message is it’s not a panic moment, it’s a mission moment. So prepare but don’t panic, because we’ve weathered cyber attacks in the past. If there’s been anything good that’s come from years of Russian cyber activity aimed at the United States, it’s been that we’ve enumerated a good portion of the Russian cyber capability. We have a lot of information about their TTPs, about threat actors, and businesses and cyber defenders know what they need to do in order to defend themselves. If not, they can look at what Director Easterly had put out, you know, what she mentioned about the Shields Up advisory. Some of these things just are aimed at making yourself not the lowest hanging fruit, making sure that you are resilient, and that when and if an attack or some kind of breach were to happen, that you have a tabletop exercise that you’ve already run, that you know what the plan is to mitigate, and then frankly to get back to work, because we need to be resilient. Cyber attacks and cyber activity is here to stay, and we need to be resilient and push forward and not panic, but certainly be prepared. And again, Director Easterly’s Shields Up advisory is a great document full of very good information. We also published a hardening advisory ourselves on how organizations can protect themselves. I think there’s a lot of really great information that’s out there, that businesses, if they’re waiting for it, is time to stop waiting and go ahead and get prepared now.

Yeah, we’re doing the same thing. I think, you have time now to prepare; take some of the measures. The other issue is, you know, kind of don’t let a good crisis go to waste, right? Now, this is certainly not the first or last geopolitical crisis that will have some function of technological exploitation, and it’s smart to get your house in order now. All right, so I’m going to do one more
question before we open it up to some of the audience questions, but just to make this issue that much more complex: everybody of course remembers Colonial Pipeline from last year, JBS Meats. I, living in the DC area, couldn’t get gas for a few days last summer, and that kicked off an effort on behalf of the National Security Council, under Anne Neuberger, the deputy national security adviser, working with the Kremlin, working with her counterparts at the Russian national security council, of trying to defang and undercut the cyber criminal element that seems to be operating out of a safe harbor or safe haven in Russia. And interestingly, over the last several weeks or months, you’ve actually seen the security services in the Kremlin take some actions and roll up the REvil group. Now, it’s not clear if they’re the developers or the affiliates, and then you’ve seen some other actions against some other malware developers. But what do you, you know, Herb, I’ll start with you, what do you make of this? How does this, does it fit into the broader context, you know, the actually exerting, and at a really coincidental time, influence and control over these ransomware groups?

It can’t possibly be an accident that this happened at this time, right? I mean, I don’t think anybody on this call, or anybody, you know, on the panelists or in the audience, possibly believes that it was coincidence, okay? So the question is why would the Russians attempt to roll up this group. As you point out, first of all, we don’t know who they rolled up. We have a press announcement and so on. To the best of my knowledge, we haven’t gained access to any of them, we haven’t been able to question them, we don’t know really anything about the roles that they play. Let’s assume that they’re key players, that they’re really big, you know, they’re not the low-level guys that, you know, hold the door open while the real players go to work. What Russia has done is it’s pointed out, hi, we have
these people and we can control them. We can, you know, we can turn them on, or I’m sorry, we can turn them off, or, you know, and by implication we can turn them on. And I think it’s a pointed reminder from the Russians that they have a variety of sort of non-traditional resources at their disposal, and I think that’s the lesson that we should be taking from it, and we can take that information as we see fit. Now, everybody here knew that already, but it’s just their way of reminding us. That’s my take on it.

Yeah, I mean, look, I gotta agree, it’s kind of ridiculously coincidental, and it’s interesting, it’s a deniable, reversible asset. So, Sandra, going to give you a chance to jump in, and how you’re thinking about this issue as well.

Oh, I think the timing is suspect for sure, but it also, it really doesn’t matter, you know why? Because today Mandiant IR responders are going to help customers all over the place who are victims of ransomware. It is still hugely active, and one of the reasons is a lot of these ransomware operators have affiliates that, once one operation shuts down, they simply go and either are already connected to, are already serving under a different group. So the problem is, you know, the arrests are, you know, a blip in the actual, you know, outcome in terms of reducing ransomware. It is simply, in my view, a way to try and obfuscate or confuse the situation, to bring in, you know, like some kind of activity that Russia is doing to help, so that we can be just, you know, confused or just misdirected from what’s happening now. So right now I’m not buying it, and I don’t think anybody should be buying it.

So, you know, I think I’ll give the White House maybe a little credit for engaging in dialogue and apparently getting some sort of outcome, but I think to the broader point that both Herb and Sandra, you’ve made, is that this smacks of a bit of gangster diplomacy, and that, hey look, we
can work on this thing here, don’t pay attention to what we’re doing over here. And it’s, it’s also, you know, entirely consistent with, with my feeling over the last several years that, uh, that the Kremlin has been turning a blind eye, knowing full well what the criminal assets in their country and within their orbit, I mean, just the fact that one of the first checks that the, the developer or the, the malware does is looks for the Cyrillic language package on, on machine. So, you know, this is, they’ve been developing this strategic cyber capability through criminal gangs over the last several years. It’s also aligned with the broader kind of objectives of, of, uh, of the security services and the Kremlin to destabilize the West. All right, so we’ve got a few minutes and we’ve got a couple questions coming in from, um, from the audience, and there’s one from Peter Wolverton from the Fletcher School. Uh, I love this question, I, I was talking about a little bit earlier today as well. Uh, so I’m just going to throw this, let’s throw this, Herb, first to you: how effective has the U.S. been in its strategic declassification of intelligence in order to counteract Russian false flag disinformation, both within and outside of Russia and Ukraine? You’ve seen it, you see it today, you’ve seen it all week. How effective has this been, in your view?

Um, it’s certainly been much more effective, uh, than we’ve ever done it before. Uh, whether it’s adequate or not, that’s it, that, that’s a different, that’s a different question. We don’t know how it’s narrowing, uh, Russia’s options and so on, but they’ve certainly done a whole lot better, uh, now compared to four years ago, uh, you know, or five years ago, um, you know, with the, uh, you know, when Russian interference in the election, uh, was, was, was noted. Uh, that stuff was very, very tightly held, and, you know, it’s just, it’s just not now. Um, I think people understand that there are, uh, there are imperatives to get out, even if you might take some risk with your sources and methods and, and so on, compromising those. Um, but they, I mean, hats off to them for
doing as much as they’ve done, but, you know, sort of a, a B plus. They should be doing better, you know, that we want them to be encouraging them to, to do better. No A pluses yet.

Well, I, um, I’m kind of, I’m an easy grader, so I’m not afraid to throw out a couple A pluses right here. Having been a part of counteractive measures efforts over the last several years, it, it’s quite remarkable to me, at least the, the tactical and strategic shifts, but, you know, yeah. So, so, Sandra, same question to you, and then maybe a broader thinking-out-loud question of, um, how far can this go, how much further can we take it, is, what are the risks possibly associated with it?

I’m very encouraged by what I’ve been seeing in the quick declassification of information, if, if not only because when we’re talking about, you know, a purveyor of misinformation like Russia, uh, we really neuter the message if we can spotlight it. We can neuter the effect of influence operations if we can debunk it or declassify information about intentions beforehand. So I, you know, I agree, I’m a hard grader, but I’m still giving it an A, because knowing where we’ve come from and where we are now, I think it’s been a tremendous step forward for the government on, you know, making sure that we can declassify in time to make an effect. The days of taking years to attribute activity, those days are over. They help nobody, and what we’re doing now, I think, is the exact right thing.

I, you know, and I think I’d add the fact that it, this has a, there’s a sense of proactiveness, of strategy around it, where I think over the last several years we’ve been a little bit more tentative and reactive. Now it feels like there’s a real game plan. And, you know, Herb, one of the things that we recommended, right, in the Aspen Commission on Information Disorder was a federal strategic approach to countering disinformation, and, and so it seems like there’s, there’s something afoot here. Uh, so I am, I’m encouraged to see where this goes and, uh, see, we’ll see how much more we can use it, and kind of with the added side benefit of, not only
does it expose the operation, it also, I think, throws probably a little bit of uncertainty into the head of the Kremlin leadership, including Putin, of, maybe he doesn’t have his operational security locked down, maybe they’ve got some leaks. And of course that can cut the other way, right? They can start doing some intentional planting of, of, uh, false information, false flags in it on themselves. So, all right, um, let’s, uh, change gears here a little bit. So of course Ukraine is not a member of NATO. In fact, that, that might even at least be the, the, uh, the, the cover story here that the Russians are using, that they want to prevent that. Um, and yet they share a border with, uh, at least one NATO member in, in Poland, and in fact they’re quite, uh, close. Um, so what is the role here of NATO from a cyber perspective? You have the London statement from a couple years ago that did in fact include cyber attacks as potentially invoking Article 5 responses. I’ve had this same question of what does cyber really mean in an Article 5 context. When you look at the specific language, it says it restores security and stability, and I don’t know what that looks like. So, so, Herb, I think you’ve probably looked at this in the past, but there’s a question here from, uh, Stephanie Helm from the Mass Cyber Center: is there any role for the NATO cyber defense center or U.S. cyber mission forces? What contributions can they make to counter Russian or sympathizer cyber actions? And I think probably the, the best way to, to frame this up is, if there’s any sort of spillover, uh, or collateral damage on Poland, how, how would, could NATO play a, play a role here?

Um, well, if it’s, if it’s spillover or collateral damage, then by definition it’s unintentional. Uh, and, and we, you know, we, we, we try to talk to the Russians about that and say, you did something, and, you know, they acknowledge that it’s unintentional. That’s not going to happen, right? Um, uh, so the, the, the question is, is, is there any, you know, should we be bolstering cyber defenses for NATO and, uh, for, for the NATO, for the bordering NATO countries,
um, and the answer is yes, and I think we have been helping them. Um, I, I would be amazed, uh, if, uh, U.S. Cyber Command, uh, had not been, um, all over the place in, in Europe and working with NATO and, and so on. Um, perhaps a more important question, and I don’t know the answer to this, uh, is, uh, whether or not we’re, whether or not we will be willing to deploy any offensive capabilities, uh, in support of the NATO countries. Um, that’s of course a, a different, you know, a lower threshold than actually sending troops that will go and shoot people. Uh, and that, that I don’t know, and I think there, there, there are many escalatory questions that I don’t know, I don’t know that anybody’s thought about them. I mean, I would be surprised if they haven’t thought about them, but I don’t know, I don’t know what they’ve been thinking about.

And I think that kind of really gets to the heart of what an Article Five response is on NATO. What does restoring stability and security mean in practice from a site, I mean, that doesn’t mean that you’re going in and you’re attacking, uh, a pipeline or the grid around Moscow. There, there has to be, I, you know, I would imagine, some sort of rules of engagement around hitting command and control infrastructure or, or something to that effect, which could, right, to your point, it, you know, to your point on escalation, it could, that could invoke some kind of CSTO response, and all of a sudden you’ve got, you know, Sandra, I’m sure you can talk to us about Belarus and some of their capabilities. So I think, I think this is right. So let’s, let’s kind of pivot here a little bit, and Sandra, there’s a question we have from, from Anonymous. I’m not sure if that’s the collective or they just didn’t give us their name. Um, but what are the, what are the hurdles to attributing cyber attacks to Russia quickly and accurately? So obviously you all have a whole, uh, an alphabet or a, rather a zoo of animal names or, or whatever, number names and all that stuff. Uh, it’s the other guys that have the animal names, you all have the, the number name. So, uh, how do you, how do y’all
work through the attribution process? And, and we’ve seen really fast attribution in some cases, and other times it takes a little bit longer. So what, you know, what are the hurdles and benefits here?

Well, there certainly are hurdles, because especially with new groups, you know, backing up a little bit, the way that we do attribution work is we look at years’ worth of data on clusters of activity, and over time we can, we, when we cluster these, we can start to see overlapping infrastructure, we can start to understand, um, you know, targets and areas where there’s, there’s overlap. And then, oh, you know, what we do there is we classify it as an unclassified group, because we can only attribute the activity but not back to, uh, in, you know, a sponsor. With an APT designation, we’ve gone all the way, but that does take time, and it takes time because, you know, these are spies who are doing everything possible to obfuscate their, you know, their activity. We have the benefit of having information, you know, track these groups for a very long time, so when, when we see the same group or we have a lot of data behind that group, it’s easier for us to recognize that this is, you know, a cluster of activity that is very familiar to us. You know, the, the difficulty is that these groups are actively trying to hide their tracks, um, and it takes very careful work, and it takes very, uh, you know, down to the forensic level to understand, you know, what, not just what the, you know, the, uh, tradecraft is or the behavior behind it or the, the infrastructure, the command and control. It’s all of those things, but also, you know, who benefits from this type of activity, looking at the, from an analytical perspective against that geopolitical backdrop, who would be doing this and why. You know, I can tell you that with a lot of the Ghostwriter campaign, for a while it was suspected Russian groups, but until we could put more technical evidence on there, um, we, it was, it became clear to us that it was a Belarusian organization, you know, stemming from there. So over time the picture becomes clear because more
and more evidence can come together.

So let’s, uh, let’s take another couple questions, uh, from the, the audience. We’ve got TJ Harrington from McKinsey that’s got a couple questions in here that, that are, are good, so I’m going to take both of them, and I’m going to give one to you first, Herb, and then I got another one for, for you, uh, Sandra. So first, uh, so, Herb, a lot has changed over the last couple years in terms of rule of engagement authorities for cyber operations, particularly here in the US with Cyber Command. You know, based on what, you know, your understanding, some of the, the discussions that, that we’ve been having on in Congress, in the policy spheres, how are we dealing right now from a rules of engagement perspective, and what is the ideal, uh, posture to enable our, our, you know, our cyber, cyber warriors as they may be? As TJ says here, um, what are the appropriate updated rules of engagement for our cyber warriors to allow them to actively engage in critical infrastructure defense? And I think let’s split that off, and let’s talk about supporting allies over there, let’s just focus on that part right now.

Well, okay, so from my standpoint, the rules of engagement regarding defensive operations, um, are pretty, are, are relatively straightforward. Certainly if you’re talking about stuff that will not have an offensive effect on, not harm adversary systems, uh, then I think that you’re, you can basically do whatever you want, and, and that’s, uh, there’s very little controversy about that. The real questions here are, I, I think, uh, what does it mean to conduct, uh, an offensive operation in cyberspace, um, to, to go after the, your, your tormentor. Um, there’s, and, and here the, the distinction is between, uh, offensive operations taken with the intent of being defensive, or offensive operations taken with the intent of power, projecting power, cyber power, into the other guy’s system that will sort of teach about lesson, um, as opposed to defeat a threat, uh, a specific threat. And, uh, U.S. Cyber Command has, uh, has, has, uh, looser rules, rules of engagement, as I understand it, under
its, uh, approach of persistent engagement and defending forward. It says, let’s go, let’s be out, out there, um, uh, for, for, for defensive purposes, but in the other guy’s networks, uh, doing things that force them to do defense, uh, and therefore shifting some of their resources out of offense into defense and thereby weakening their, their, their defense. So this is something that, uh, I, I think, um, is looser than it was under the, uh, certainly under the Obama administration. Um, I, I think that there, there’s a fundamental tension, uh, between, um, centralizing your authorities for conducting offensive operations, uh, for whatever purpose, um, and, uh, which you want, you want centralized control because you want people to be able to weigh the different equities, the different costs and benefits from a diplomatic perspective, economic perspective and so on, but that takes longer, and you’re much slower that way. Um, and so, you know, you can argue that under the Obama administration, uh, things dot things happen on the offensive side just too slowly, and, and, uh, that’s the reason for, uh, for new, for new rules, uh, for greater flexibility. Um, I have some, some sympathy with that. On the other hand, when you, when you decentralize it a little bit, you know, more, you increase the possibility of inadvertent escalation, that the, the guys in the field are going to take some action that’s going to have some untoward effect that they didn’t anticipate, um, and the, you know, the, the national, our national command authority, the president’s going to have to deal with the repercussions of that. Um, so it’s a, there’s no perfect balance to it, um, and I think we’re still in process of experimentation.

Yeah, I think, I think that’s right. There are a few other questions in here kind of about that escalatory nature and what the, you know, what a punchback is. So, Sandra, real quick, um, there’s a question, another one from, from TJ from McKinsey here: what is the advice to US international companies with operations in Russia and China? They have Russian code writers, Russian employees with access to their systems. What
risk discussions should be underway? I’m going to take that question and shift it a little bit. How are you, you know, what are you doing with companies that have operations in Ukraine right now, whether it’s a footprint, whether it’s a workforce, whether they have third party dependencies, code writers? I mean, they’re, they’re brilliant software engineers in Ukraine, and so how are we thinking about those dependencies, and what should organizations be doing right now, uh, to protect themselves?

It really is about vigilance, understanding that right now organizations in Ukraine are, should be at heightened alert if they aren’t already. I think that goes without saying. But when we think about the, the threat landscape and what Russia has already started to do with, you know, defacements and, you know, some wiping activity and spear phishing, uh, every organization that’s in Ukraine, particularly those that are in critical infrastructure, really should be thinking about their defensive posture, you know, doing the same things that we’re asking American businesses to do to be ready, and to understand that, um, they are, could be on a target list. It could very well be not even because they are core to any military or economic, um, uh, you know, function, but because their, uh, breach or the, the network going down would have, uh, you know, information operations value, so it would have a fear factor. So that could be newspapers, it could be, uh, you know, famous or, or, you know, highly visible organizations. They really need to be thinking about themselves within, you know, what is their threat profile when it comes to Russian objectives. I think that’s the way to look at it.

I, yeah, I, you know, as I think about, um, what could be coming over the course of the next couple days, I think, similar to you, have bucketed up into three sorts of, uh, cyber actions. First is anything that may hit Ukraine, and then you could have some sort of network connection that could spill outside of the country. The second is some sort of ransomware event like NotPetya that may not be geographically limited to
Ukraine and could have some wormable capability that would spread globally. And the third is more that directed activity against, uh, U.S. infrastructure. So we’ve got a question here from, uh, Joe, uh, uh, Uchill from, uh, Joe, I forgot where you’re, where you’re with, but, uh, from a practical standpoint, what level of Russian cyber activity, and to whom, will it take for the US to treat it as escalatory? What would fall under that radar? So, Herb, you know, we, you’ve talked a lot about escalation ladder. What are the things that would be, you know, immediately take it up above that, that, that, that red line, which is a, a uniquely American concept?

Well, so for example, you could, I mean, a big thing they could do, uh, would be to pull down the power in Washington DC. Um, I don’t think they’re going to do that. I mean, the real quick, for me the most important question is, what’s the smallest thing they could do that would be, uh, that we would regard as escalatory? And I think we don’t know the answer to that. There’s certainly some big things they can do that would be escalatory, um, interfering with NATO, uh, troop movements, for example, that are, that are happening now as we speak, uh, you know, the bolster, but there’s, uh, a bolstering of, of, uh, of US forces in, uh, in, in Europe right now. Uh, they could in fact, you could imagine cyber attacks that get into that, that mess that up or delay it and so on, just as a signal, not that it would have any significant effect, but just as a signal that, hey, we can do this. Um, how would we, how would we respond to that? That’s an interesting question. I mean, it might not have any big effect, um, might not even be noticeable outside a bunch of specialists, but the specialists would know and the president would know, and they would have to take that into account. So I think the real question is how small an effect would have to be, and I think there we don’t, that’s where the uncertainties are.

Well, with that, I think time is up. Uh, we are at the top of the hour almost. I want to thank Herb and Sandra for joining us today, spending the last hour or so with us,
uh, very insightful conversation. Hopefully it gives us a better sense of what’s coming, uh, well, what hopefully does not happen, of course, uh, but what we may be seeing unfortunately in the next couple days, days or weeks. Uh, with that, uh, Doc Herb, you’ve got a great book out about cyber threats to, uh, to the nuclear arsenal, everybody should pick that up. Of course, as we heard, Mandiant’s got a great list of, uh, recommendations and defensive measures, and as you heard at the top of the show, uh, we’ve also, uh, CISA in their Shields Up message. And it, you didn’t, you may have missed it at the beginning, but Garrett Graff also has a new book, it’s right behind me over my shoulder, Watergate. And then if anyone is interested in more about Russian active measures and how they both use cyber capabilities, that information technical as well as the information psychological, there’s another book over my shoulder here called Active Measures by Thomas Rid. I recommend you check it out. So with that, thanks everybody, hope you have a good afternoon and weekend.
Three decades after the fall of the Soviet Union, Russian troops stand at the border of Ukraine in a pivotal moment for the young democracy. Meanwhile, governments, industry, and the public brace for potential escalation at the border—and the keyboard. In this session, leading intelligence and security experts will discuss how a cyber conflict might unfold and what it might mean for Ukraine—and the world.
Speakers
Keynote by Jen Easterly, Director, CISA
Sandra Joyce, EVP and Head of Global Intelligence, Mandiant
Herb Lin, Senior Research Scholar, Center for International Security and Cooperation; Hank J. Holland Fellow in Cyber Policy and Security, Hoover Institution
Moderated by Chris Krebs, Former Director, Cybersecurity and Infrastructure Security Agency; Senior Newmark Fellow in Cybersecurity Policy, Aspen Digital
Jen Easterly
Director, Cybersecurity and Infrastructure Security Agency (CISA)
Jen Easterly is the Director of the Cybersecurity and Infrastructure Security Agency (CISA). Ms. Easterly was nominated by President Biden in April 2021 and unanimously confirmed by the Senate on July 12, 2021. As Director, Ms. Easterly leads CISA’s efforts to understand, manage, and reduce risk to the cyber and physical infrastructure Americans rely on every day. Before serving in her current role, Ms. Easterly was the head of Firm Resilience at Morgan Stanley, responsible for ensuring preparedness and response to business-disrupting operational incidents and risks to the Firm. Ms. Easterly has a long tradition of public service, to include two tours at the White House, most recently as Special Assistant to President Obama and Senior Director for Counterterrorism. She also served as the Deputy for Counterterrorism at the National Security Agency. A two-time recipient of the Bronze Star, Ms. Easterly retired from the U.S. Army after more than twenty years of service in intelligence and cyber operations, including tours of duty in Haiti, the Balkans, Iraq, and Afghanistan. Responsible for standing up the Army’s first cyber battalion, Ms. Easterly was also instrumental in the design and creation of United States Cyber Command. A distinguished graduate of the United States Military Academy at West Point, Ms. Easterly holds a master’s degree in Philosophy, Politics, and Economics from the University of Oxford, where she studied as a Rhodes Scholar. She is the recipient of the James W. Foley Legacy Foundation American Hostage Freedom Award and the Bradley W. Snyder Changing the Narrative Award. A member of the Council on Foreign Relations and a French-American Foundation Young Leader, Ms. Easterly is the past recipient of numerous fellowships, including the Aspen Finance Leaders Fellowship, the National Security Institute Visiting Fellowship, the New America Foundation Senior International Security Fellowship, the Council on Foreign Relations International Affairs Fellowship, and the Director, National Security Agency Fellowship.
Sandra Joyce
EVP and Head of Global Intelligence, Mandiant
Sandra Joyce, as EVP and Head of Global Intelligence at Mandiant, oversees intelligence collection, research, analysis and support services for threat intelligence customers and the Mandiant security product portfolio. Sandra has held positions in product management, business development and intelligence research over the course of over 23 years in both national security and commercial industry. Sandra serves in the US Air Force Reserve and is a faculty member at the National Intelligence University. She completed her MBA at MIT and holds a bachelor’s degree in German with four master’s degrees in cyber-policy, international affairs, science and technology intelligence, and military operational art and science. Sandra speaks English, Spanish and German and lives in Virginia.
Dr. Herb Lin
Senior Research Scholar for Cyber Policy and Security, the Center for International Security and Cooperation
Dr. Herb Lin is Senior Research Scholar for Cyber Policy and Security at the Center for International Security and Cooperation, and the Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. In addition to these positions, he is also Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where from 1990 to 2014 he served as Study Director of major projects on public policy and information technology. He is also a member of the Science and Security Board of the Bulletin of Atomic Scientists. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace. Dr. Lin is particularly interested in the use of offensive operations in cyberspace as instruments of national policy and in the security dimensions of information warfare and influence operations on national security. He has also published studies in cognitive science and science education. He received his doctorate in physics from MIT.
Chris Krebs
Founding Partner, Krebs Stamos Group
Chris Krebs is a founding partner of the Krebs Stamos Group, Senior Newmark Fellow in Cybersecurity Policy at Aspen Digital, and previously served as the first director of the federal Cybersecurity and Infrastructure Security Agency (CISA). As Director, Mr. Krebs oversaw CISA’s efforts to manage risk to the nation’s businesses and government agencies, bringing together partners to collectively defend against cyber and physical threats. At CISA, Mr. Krebs also pioneered the Rumor Control program, which was designed to counter disinformation campaigns. Before serving as CISA Director, Mr. Krebs served in various roles at the Department of Homeland Security, responsible for a range of cybersecurity, critical infrastructure and national resilience issues. Prior to his time at DHS, he directed U.S. cybersecurity policy for Microsoft. He also served in the George W. Bush Administration, advising DHS leadership on domestic and international risk management and public-private partnership initiatives. Mr. Krebs holds a Bachelor’s degree in Environmental Sciences from the University of Virginia and a J.D. from the Antonin Scalia Law School at George Mason University.