NSA Director of Cybersecurity Anne Neuberger in Conversation with Garrett Graff
Released on 11/08/2019
Good morning.
I'm Garrett Graff, I'm a contributing editor
at Wired and cover national security,
and I'm excited to be joined here today
by Anne Neuberger, who is the head
of the Cybersecurity Directorate at the NSA.
And I'm gonna ask Anne a little bit about that in minute,
but Anne is a longtime NSA official,
was appointed the first chief risk officer
at the NSA in the wake of Edward Snowden revelations,
and had a background in the Navy,
in the private sector before that,
including as the deputy chief management officer
of the US Navy.
And one of the things, you know,
the NSA is an incredibly hard institution
to cover and understand sort of what they're doing,
but I've always appreciated that Anne has been,
throughout her career,
one of the people who has been very open,
or as open as she can be,
about trying to engage with the public
about the role that the organization has done.
So, Anne, I thought I would start by asking you this morning
about the new Cybersecurity Directorate, which you head.
The NSA has sort of two main missions,
signal intelligence and cyber security,
and as of October 1st, it has this new
Cybersecurity Directorate that knits together
various parts of that mission, which you now head
as sort of the top cyber security official of the whole NSA.
So tell us a little bit about what your new role is,
and what the goal of this directorate is.
Absolutely.
So first it's truly terrific to be here.
I really appreciated the invitation.
Wasn't lost on me that there was one government individual,
part of the 25,
so really, really appreciated the invitation,
the opportunity to be here, and the opportunity
to really listen to all the talks going on today.
So I'll start with that.
The director of NSA, which is a four-star Army general,
General Nakasone, decided to stand up the directorate
because we recognize that we're at a crossroads
from a national security perspective.
There are significant advancements in technology,
in economy, in society,
that are converging and coming together.
Really exciting, right?
We see 5G, we see Internet of Things,
autonomous vehicles, drones.
And with those significant advancements,
we also see malicious actors able to accomplish
strategic impact with individual tactical actions.
For example, theft of a company's research
and development investments, which can then allow
others to more quickly productize a product.
It affects, like the discussion we just heard,
the future of jobs, the future of the economy here.
Similarly, we see certainly using social media
to influence elections, so achieving
those strategic outcomes with tactical activities.
We felt the need to ensure that,
while using these technologies,
we understand the risks to our democracy, to society,
economy, and we ensure that we're accounting for those risks
at the same pace as the advancements become reality.
So the director brings together thousands of people
to focus on those problems,
and to allow us to really not only recruit,
but keep the kinds of people we need
to ensure we're putting in place those defenses needed.
And as the public, what should we expect different
with the addition of the Cybersecurity Directorate
and sort of this specific focus on the mission now?
Absolutely, so first and above all,
our mission is to prevent and degrade cyber actors
on the most sensitive, critical, national networks.
What does that mean?
It means, for example, that you know, Garrett,
you mentioned earlier at the beginning,
NSA has two missions.
Well one of them is we build the cryptography
and distribute the key for things
like nuclear command and control,
the military's secure communications,
both with itself and with allies all around the world.
So ensuring that those networks,
our critical infrastructure networks,
for example the defense weapons systems,
ballistic missile defense systems, working very closely
with the Department of Homeland Security
on secure critical infrastructure networks.
That's a key focus area for us,
and there's a lot of interesting areas
both in technology that we need to focus on
and modernize in that space.
Beyond that, we recognize that defenders operate
in unclassified space, and in order for us to be effective,
we need to operate more in unclassified space.
So in our first month, folks may have seen
we issued three advisories.
And in them we say, you know, there's a nation-state actor
using this CVE, this vulnerability, to do this,
and here's what we recommend you do
to secure your network to address it.
So those kinds of things where we tie together
a threat to enable and present defense are critical.
And then finally, the third thing,
is future technologies, and ensuring that
we're working in standards bodies,
we're working with companies to ensure those products
are as secure as possible.
Cloud security, Internet of Things, looking at,
can we do for low-compute, low-power,
what's the cryptography for that?
Quantum-resistant computing, quantum computing
has significant implications for the cryptography
we use today to secure a good deal of internet commerce.
So those three types of efforts is what you'll see more of.
I wanna come back in a little bit to talking more about
the emerging technology, but let me stay with the NSA,
and its mission for a minute longer.
You've had a front-row seat as General Nakasone
has settled in, he's been there
about two and a half years now,
and he's been sort of a...
Remarkable transformation of the NSA,
and he has this second role, the dual-hat,
of heading CYBERCOM, and we've seen
a much more vigorous engagement from CYBERCOM
in offensive cyber operations, against targets like Iran,
and against actually Russia during the midterm elections
last year, and you had an election security role previously,
and I wonder if you could talk a little bit about
how General Nakasone is approaching his mission,
and the NSA's mission, and sort of how, philosophically,
he's looking at the work that the NSA should be doing.
Absolutely, so great question there.
The key principle he brings to it is to say
it all starts with partners, and it starts with
operationalizing intelligence to better secure.
What does that mean?
So I'll use counter-terrorism as an example.
In the counter-terrorism mission, when we learn of a threat
across the intelligence community,
yes, certainly we issue that warning and awareness
in a top-secret report, but in addition to that,
we quickly make information available
to a local police force, to an allied police force
anywhere around the world, to ensure
that they can do something to save lives.
At the end of the day, it's not interesting for us
to write a classified report and then people are killed
in a terror attack, that's not the goal.
The goal is saving lives.
And he brings that same approach to cybersecurity,
election security.
So as you noted, I was the NSA lead, co-lead,
working very closely with a Cyber Command co-lead
for the 2018 midterm elections.
And the guidelines he gave us was,
I don't wanna see a classified threat intelligence report
about what was done to shake confidence in the elections,
I wanna make sure there is a secure and safe election,
and that every American feels confident
in the integrity of the vote.
And that's where we were with regard to ensuring
we laid out together three lines of effort.
The first was ensure we're building the insights
to understand who might have an interest
in shaping the election in some way,
in tampering with election infrastructure in some way.
The second was ensure that information gets to people
who can do something about it,
whether other elements in the U.S. government,
we partnered very closely with DHS and FBI,
partnered closely with social media companies,
make sure they can actually...
And you saw, for example, accelerated take-downs
which occurred of accounts which were
maligned social influence, social media influence,
both because the social media companies really put in
a greater focus on their own.
And then finally, that's the distinct authority
Cyber Command has, so this is not NSA,
but Cyber Command is authorized,
is one, authorized by the president,
can impose costs to ensure that, as was stated,
U.S. government policy is any attempts to interfere
in a U.S. election will be met with some consequences.
And we're just about a year away
from the 2020 election now,
although it feels like it's been going on
for 72 years already.
For you too? [audience laughing]
Sitting here today, sort of knowing what you know,
surveying the horizon and the threat landscape that you can,
do you think that Americans should feel confident
that we will have a secure and accurate
un-interfered with election next year?
Yes, I think that there are...
Not I think, I know, that there are hundreds of people
across the intelligence community,
across DHS, FBI, working to do those three things
I talked about, right?
Ensure they understand what's potentially planned,
ensure they're making that information available,
and ensure that we're making clear to those
who might have an interest that there will be consequences.
But that being said, it is a challenging task.
And beyond the elections, one of the things we saw
in 2018, and I think we've seen
over the last number of years,
is attempts to heighten the polarization of our society.
As a democracy, what we rely on is,
I love the word that Nick used earlier,
which was civil discourse.
We don't have to agree on everything, in fact, we won't.
This is not...
The beauty of America is that people
from many different backgrounds can come together
and can live together with different ethnic backgrounds,
with different religious beliefs,
with different values potentially.
But that there's more that unites us than divides us.
And I think that when we look at how social media
can be used today, and the degree to which individuals...
Influence operations have been around since the days
of Adam and Eve, right?
But what's changed is the way social media allows
for targeted yet broad messaging
that makes people believe, hey, this is a friend,
I can trust them, and then at the time
those messages are integrated,
or for example combining cyber attacks
to gain compromising information that's then leaked
at an inopportune time to shape thinking.
Right before a key event, a key vote, or a key decision.
So that's the piece that we worry about a great deal
with regard to a trend, and that's not something
the government can take on alone at all.
That's the reason I so appreciate the invitation,
and that's the kind of work that needs to be done
between individuals committed to civic discourse
in our society.
So speaking of civil discourse,
the NSA being here in San Francisco,
in the Bay area and Silicon Valley,
that has not been necessarily the warmest relationship
over the last five years or so.
Garrett has such a nice way of putting things.
Which Edward Snowden has a little bit to do
with the soured civil discourse
between the NSA and the tech community,
and I wonder if you could sort of, sitting here,
sort of talk a little bit about what...
What you sort of wish that Silicon Valley understood
about the work that the NSA does on a daily basis,
and what, from the NSA's perspective,
you wish you could get from Silicon Valley.
So you are correct that the...
Discussions and the trust broke down a great deal
post-2013 media leaks, but my perspective is,
we had some responsibility to do with it long before that.
As human beings, we don't trust the black box.
We trust things we understand, we trust people we know,
we've met, we've heard their values.
And when you walk in, I don't know how many people here
have been to the National Security Agency,
but when you walk into NSA, and you pass all the turnstiles,
and you get to the elevator,
it's the way I walk in every single morning,
in front of you is a black granite wall,
and on the top of that wall it says,
they served in silence, and they have names,
most pretty young, of individuals who in the 60-odd years
of the National Security Agency have lost their lives.
Most are young, military.
The most recent one was actually just a few months ago.
And that culture of they served in silence
is one I think that didn't always do us well.
It's a culture of pride in saying,
we just want people to be safe,
we don't need people to understand our role in that,
but the flip side of that is that the citizens we serve
don't necessarily get to know who we are.
So I think we had some responsibility before Snowden.
And I think actually to your core question,
there is a tension in being an intelligence agency
in a democracy, and I think it's a good tension.
I've lived with that tension in my own life.
I was raised in a family with a deep fear of government.
My father grew up in Soviet-occupied Hungary.
He and my grandparents fled here
after the Hungarian Revolution.
My mom's mom wore long sleeves her whole life
to hide the tattoo on her arm from Auschwitz,
which was tattooed to make her not a human being,
to make her just a number.
You know, my great-grandparents and most of their children
were all murdered, gassed to death in the death camps.
So I grew up in a home which feared government
and the power of government.
And yet my parents talked about the tremendous gratitude
to have the opportunity to live in a democracy
where they could practice their faith
and live lives free of fear.
So the responsibilities that we have in this country
to use the force for good, to do that balance,
to ensure that we can live safely,
to ensure that individuals all around the world
can live safely because of who we are,
and balance that carefully,
because there is no perfect security,
and there is no perfect privacy, you need both,
and there's tension in that, and that's good.
That's the goal for us.
And what we need, to your question,
from the Valley, and I think
from really every American citizen,
is to get involved in that, to figure out
do we have that balance right, challenge it,
get involved in making that balance right.
Come into government for a few years,
or if you're working in Silicon Valley
and you have a way to both protect privacy,
but help folks understand that when there are threats,
whether that's child pornography, crime,
or a national security threat,
best minds are working on those areas
that are really not black and white, they're gray.
And balancing the gray to get to the best outcomes
and protect who we are as a country
is I think the core challenge we have in front of us today,
and we need great, committed people being a part of that.
Do you feel like the relationship between the NSA
and the Valley, and the tech platforms,
has been repaired in a meaningful way
over the last five years?
I think it's become much better.
I look at the work we did together in the 2018 midterms
where we said, neither of us can do this alone.
The Valley made clear they wanted insights
about how platforms were used, how individuals
were appearing to look like they were U.S. individuals,
how people can anonymously connect to platforms,
how you can ensure that people have to validate in that way.
And we made a commitment to recognize that...
It wasn't enough to write a classified report,
and we had to ensure that information we had
made its way to people who could do something about it.
So I think repaired is a hard thing to say.
I think it's gotten better, and more importantly,
I think there are now enough conversations around values
and core shared goals to make...
To make what we need to happen more likely to happen.
And where do you see those shared values
between the NSA and the tech community?
Like, what is the overlap in where you can have
a conversation about values?
America is not a perfect country,
but I think America was a dream
that people from all different backgrounds
could live together, and respect each other enough
to give each other the freedom
to live their lives differently.
To me, the fear of what social media allows,
it allows those ties to be frayed.
It allows people to treat people like other
by creating communities that say,
we're all in this community, and we can talk anonymously
and safely, and that other community doesn't know
what we're saying, and that's dangerous
in a society that has to have...
That shared values are paramount.
And I don't think we should think that the society
is just there without our working to keep it that way.
So I think the shared values to say freedom of speech
means also freedom to respect each other's speech,
and respecting each other's speech
means that civil way in engaging
so you're not shutting people down by the incitement
and the anger in your speech.
And how to ensure that we protect speech
to enable freedom of speech.
I think there's more shared discussions on how we get there.
There's still more to be done,
but I do believe that we're closer to that point.
And I think one part...
One of the things we're trying to do at NSA
is bring more diversity into tech.
We run, for example, GenCyber camps, we call them,
which are camps for kids in high school.
There are 15,000 kids participated, 38 states,
which is super exciting, right?
'Cause if you can get people involved young in...
Cyber is something that can easily be...
Intelligence is a harder thing, right?
Intelligence, but cyber is defense, is a shared goal,
and by getting kids involved young
who can see that it's a shared goal
between government and the private sector, then...
And that diversity then allows that as well
by everybody seeing themselves in it.
We have about a minute left, so I wanna get to
emerging technologies and sort of what you're thinking about
in terms of threats that you see coming over the horizon.
Yep, three trends.
One is certainly see nation-state actors
becoming more sophisticated.
We see more of a focus on disruption,
kind of what we saw with Iran, Saudi Aramco,
breaking tens of thousands of machines.
And that shift to disruption, as well as hacking
to gain compromising information
that's then leaked at an inconvenient time.
So that's certainly the trends we see overall in cyber.
What we're focused on are securing technologies
like I mentioned, like IOT, looking at cryptography,
high-speed cryptography at the 400G level,
low-power I mentioned, and certainly looking at
security standards to enable us all
to use those technologies safely.
So really excited about some of those areas,
distributed ledger is another area
we're putting some focus on.
Excited both for the partnership
and for what we can do with those technologies.
One of the things that sort of stands out to me
in covering cybersecurity is how each major attack
that we've fielded from a nation-state adversary
has represented a failure of imagination,
that the attack on Sony Pictures by North Korea,
Russia's attack on our confidence in our democratic process
in 2016, what do you think sort of the next failure
of imagination that we're going to see
in terms of an attack on the U.S.?
That's a really good question.
I think it...
One of the things we've seen is the weaponization of drones
and low-orbit satellites, sensor platforms,
I think bringing together the intelligence
off those sensor platforms with potentially large numbers
of weaponized drones is a key concern.
The technologies to defend against that,
the cost of defense far exceeds
the cost of just building and deploying a drone.
And we're seeing those kinds of technologies
in certain ungoverned areas around the world.
So that's something that we're thinking hard about
and how to protect against.
Great, thanks so much for joining us, Anne.
Thank you, Garrett.
[audience clapping]
John Cena & Awkwafina Answer The Web's Most Searched Questions
This Craftsman Designs & Builds 100% Wooden Puzzle Boxes
Hayden Christensen Answers The Web's Most Searched Questions
'Critical Role' Cast Answer The Most Googled Vox Machina Questions
TXT Answer The Web's Most Searched Questions
We Tracked Every Visitor to Epstein Island
Historian Breaks Down Napoleon's Battle Tactics
Dream Answers The Web's Most Searched Questions
Valkyrae Answers The Web's Most Searched Questions
How This Woman Creates God of War’s Sound Effects