Address by the US National Cyber Director on cyber cooperation
US National Cyber Director Chris Inglis addressed the Lowy Institute on the role of cyber in US strategy and the outlook for international cyber cooperation to build resilience and counter threats.
Remarks by Director Inglis
I used to quip that after my time in NSA, it took me a couple of years to learn how to speak in the presence of natural light. But here we are, after COVID, or perhaps kind of on the tail end of COVID kind of learning to speak in the presence of one another, and it's a joy.
It’s very, very welcoming to be here, because I think it's really hard to root out 2 million years of human evolution in one generation. Which then causes me to turn to cyber. I'm going to make a few very brief framing remarks, which hopefully then sets up a question-and-answer session where we can explore areas of interest to you.
The first remark I'd like to make is to perhaps set the context of cyber - what is cyber for? And I do that by beginning with a question that a colleague of mine, Jeff Moss, often asks at this moment. He's the person who started BlackHat and Defcon. We're on our way to BlackHat Asia in Singapore, to have a further discussion with him kind of in the public domain. He asked the question: “Why do race cars have bigger brakes?” It's an odd question to start a cyber talk with. He quickly answers, “so that they can go faster”. That's a really interesting question to lift and shift into cyberspace. We have to ask, why do we do cyber?
I might be accused as the National Cyber Director within the United States, of being a cyber hammer in search of a cyber nail - that all things have something to do with cyber. But I have to actually, honestly, humbly understand that cyber doesn't exist for its own sake. We don't do cyber for cyber's sake.
We don't do IT - Information Technology - for its own sake. We do it so that we can achieve our personal aspirations, our business aspirations, our societal aspirations. And we therefore need to make sure we get that alignment right. We need to make sure we understand what we want to do with this space, make the necessary investments so that the space will then have a chance to deliver on that, and then not so much obsess with the threats to it, but get on with those positive, compelling aspirations forward.
That then leads me to point two, which is - well, how are we doing? I'm reminded of the anecdote of a chief executive officer - it could be an agency or department head in the government - but a senior in an organisation who was walking around that organisation one day, happened to see the word cyber on a doorframe, thought, boldly, I'll go in and see what this is all about. I've read so much about it, and (he) happens to encounter someone who's in charge of defending the business on digital infrastructure, the so-called Chief Information Security Officer, and asked the following questions like, so I've read so much about this. I'm the CEO, you're the CISO - that's the term of art - How are we doing? And the CISO being somewhat intimidated said “in a word, good”.
The CEO then pressed on thinking there's a really good story here that he might be able to share that with the board said, how are we doing in two words? “Two words? Not good”. Now, it turns out both of those answers are relevant to where we are in cyberspace.
There are so many reasons for us to believe that cyberspace is delivering on our expectations. We were able to, in record time, develop a vaccine and deploy that - requiring some no small amount of miracles in terms of the exchange of information, coordination and synchronization that's only possible on the internet - cyberspace as we know it today. It turns out that we can solve problems of equal or greater magnitude if we get this right. And that happens every day. So there's reason to say that it's good.
There are reasons also to say not good, because there's so many challenges in this space that thwart our efforts to do what we want to do - individually and organisationally, at the business level, or even at the governmental level. Those of you who follow this space closely would know that attacks like NotPetya/WannaCry, which were nation-state attacks in the year 2017, had an extraordinary effect on the commerce, on the business that was essentially coursing across the internet at that time.
But more importantly, had an effect - an attack - on the confidence of people who would then say, should I perhaps stay in this space? Should I do the new thing in this space? Should I extend my aspirations, my reach a bit further. So it's not just data and systems that are at risk, it's not just the critical functions that rely on those data and systems that's at risk. It's the confidence of our societies.
When we think about the ability of cyberspace to hold free, fair, open elections at risk, not because there's the possibility of changing votes, but there's the possibility of influencing broad populations, we have to consider how do we then make sure that cyberspace plays its appropriate role to deliver what we expect of it: the integrity, the availability, the confidence that those things that we inject into the space will be fairly represented and come back to us from that space.
It's not a political choice. That's not even a value choice. You just want cyberspace to do what it's supposed to do.
The third frame then is if, at the end of the day, we have some challenges in this regard, I would begin by saying that, as I suggest strategy, we have to understand whether that answer of good or not good is fate, or choice. I think it's choice. I think we can choose to invest in this space, in various ways that I'm about to suggest, and we can choose to invest in this space such that it meets, exceeds the confidence that we need to have that it will do our bidding.
Or we can choose not to, which has largely been the story of the last 40 years. We can invest in the primary functions and race ahead on the visible performance, perhaps the bandwidth, the ability to access broad swaths of data. But without giving time and attention to the resilience that's necessary to deliver that with the full faith and competence that we prefer. We can choose by our inaction, by our complacency to get the result, that too often we get today - where we obsess because those threats are real, we obsess about those threats.
Those choices, then if we make them essentially have to come down to - we have to get the doctrine right - roles and responsibilities. We have to get the skills right, and we have to get the technology right. Now I mentioned it in that particular order. Because so often the discussion about cyberspace starts and ends with technology. There's no number, there's no small number of technologies that are kind of trumpeted that would kind of be brought to bear to solve one or another problems in this space. Generally, they react to, respond to, some pratfall that occurred last week, or something that's occurring at the moment. And they will solve that problem in isolation, perhaps through the soda straw that you're looking at on the map, they'll solve that problem. But too few of them are holistic in nature, and essentially solve the real problem, which is we don't have the roles and responsibilities right. We don't know who is accountable for what.
Imagine for a moment that you're a user of technology, where no one took particular responsibility of building cyber resilience. And that then populates down what we would describe as a supply chain, and you're at the end of that chain. And you inherit this technology. The resilience, the robustness of it is an afterthought. It'll catch up later. Who is now the poor soul that has to then deal with that resilience and robustness? It's not the built-in view. What kind of capabilities do you have? What resources can you bring to bear to solve all of the investments - to inject all of those investments, let alone to know something about the nature of the space you're operating in? Precious little.
Imagine if we built and deployed cars that way - that there's no air safety bags in them, there's no anti-lock brakes in them, and then there's no locking mechanism on it. There's no, there's not even a set of brakes that you can guarantee make it through the first 5000 kilometers, and you enter into a road system that is not designed with safety in mind. It's simply designed to get you from point A to point B, but it's your issue as to whether you do so safely. We don't have road systems like that. We don't have cars like that. We don't have airplanes or drugs or therapeutics like that. We've invested as necessary to get those systems into the right place. Because we first attended to the doctrine - the roles and responsibilities.
We then got the people skills up to speed. Such that not simply the experts who actually develop, deliver, perhaps sustain those systems, but the people who use those systems know something about, in the role of an automobile - how to drive defensively. We need to do all of those things in cyberspace, there's no miracle there. It's something we've done before, we must do it yet again.
But that's only the first part of the strategy. Because if we do all of that, and we have resilience by design in our roles and responsibilities - in our people skills and the technology that's been bent to that purpose, what we'll have is a defensible proposition, but not one that's secure. These systems do not defend themselves. User participation is required. Individuals, organisations, sectors, governments need to stand in and play a role in the defence of those systems.
And in that, I think I bring to bear the second aspect of the strategy that's possibly new and novel, but that we can no longer do this using a division of effort. We can no longer say you defend your piece of this shared infrastructure, I'll defend my piece of this shared infrastructure, possibly getting to that moment, in an open boat where you say, “the hole's in your side of the boat, so good luck with it”. Turns out, it's the same boat.
We need to actually use our collective capacity to understand what's happening underfoot. To use the hunches and the shards and the insights that one of us might have to compare and contrast those with some party to the left or the right of us so that we can discover and deal with things together that no one of us could have understood alone. Our UK counterparts have done that in something called the National Cybersecurity Center to good effect for the better part of five years. Our Israeli counterparts have done that. We've begun to do that in the United States actually, to eschew this idea that division of effort is the right strategy, and to move forward to where collaboration, collective defence is the right strategy.
Getting to a place where the slogan might be, if you're a transgressor in this space, you need to actually beat all of us to beat one of us. There's nothing offensive or aggressive about that. It's simply it's a statement of fact. For too long, we've been crowd-sourced by adversaries who have stolen, seized and sustained their own initiative. We need to seize that back. So that at the end of the day, we can get back on the trail that we were on in the early 90s, which is we had very positive, boldly audacious expectations about what cyberspace would deliver.
And that, therefore is where we need to get back to. My role, along with many in this room - all of us have some roles and responsibility to play - is to engage in that thought leadership to where we can define roles and responsibilities, we can get the skills up to speed, and we can then define and bring to bear the technology so that a collective defence of that can essentially deliver what we expect, what we want. The relationship the United States has with Australia is an excellent example of how we can take that into the international domain.
Because the collaboration I'm speaking about must be done in the largest possible context. If we do that right, then we will have formed a new social contract. One that's not new or novel, because we've done it in other domains of interest, but one that we can lift and shift into this space, so that cyberspace can and will make our expectations. I look forward to your questions.