Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the privilege to sit down with Christopher Porter. Christopher served as the National Intelligence Officer for Cyber Matters between 2019 and 2022, currently is at Google, but he's speaking on behalf of his previous experience inside government. And we're going to take a little bit
of a shift in our discussion today. We're going to look at transitions and the significance in terms of intelligence sharing, briefings and assessments between transitions. Christopher, great to have you today. Thanks for joining us. Thanks for having me, Frank. So, Christopher, I mean you've been in the hot seat before. You've had to brief
presidents, gang of eight, cabinet members. But what are some of your lessons sort of learned because we are coming into a transition, whether it's a continuation of the current administration or a whole new administration. But that's an important time in our government's history, is it not? Yes, absolutely. And it comes up regardless of who wins the election.
Right. If President Biden's reelected, there's still going to be a lot of secrets. Senior officials who are changing jobs, moving up, leaving government, being replaced by others. So this is an evergreen topic. And even during an administration, you're going to have some senior official turnover as well. So if you're briefing someone at that level for the first time, perhaps it's your time briefing them or it's their first time getting briefed, as
would happen during a transition. The thing to remember, to me the most important lesson learned is your core job as an intelligence analyst. You're not a researcher, you're not an academic, your core job. And you're not a policymaker. You're not a policymaker. Yeah, don't backseat drive the policy making. Your core job is to improve decision making. And to do that you have to understand at some level how the person you're talking
to makes decisions. You don't need to make them for them, to your point, but you have to understand what's their background? Have they been in government before or not? Are they familiar with if you're doing it in a government context, have they been familiar with classified reporting before or not? And what type of substantive background do they have? There are going to be officials who come in who have important cyber related
roles, for example, Secretary of Transportation, Secretary of DHS. You might be appointed to such a position based on completely other skills that you have and other security domains. But still have very large cyber responsibilities. Right. So is the person you're talking to going to be familiar with cyber as a domain of national or domestic security or not?
What do they know? What are they experts in that you can speak to? But as you get to know them over time, usually it's not just one briefing, it's a series of briefings. How do they make decisions? What information do they need from you to make a better decision? I think that's the most important part, is understanding your role and where do you fit in? Sort of like a good server at a restaurant or a good butler, anticipating what their needs will be. Great point. And
the reality is cyber is everyone's business to one extent or another. So that may not be your core mission area, but every cabinet member needs to be at least cyber aware. Correct. It permeates so much of daily life. It permeates domestic governance, certainly,
but a lot of international competition as well. So there are going to be diplomats and other people who you don't think of as having cyber portfolios, but whether they want to or not, it's going to come into their lane. And almost without exception, both parties, both administrations, these are going to be people who are intellectually curious and want to learn. The danger for a lot of senior intelligence analysts is, of course,
you're very interested in your own subject, hopefully acquire expertise. And if you're the briefer, as I often was, perhaps you're not the expert on every individual subject, but you're representing their views and bringing that material into these preparatory discussions. What is interesting to you might not always be what's most interesting to the policymaker. Right, exactly. For example, technical details. Maybe they don't need to know every technical detail, but that's how you
spend most of your day. And that raises a great point. So when I had
the privilege to work in the Bush White House, this was many years ago, it was right after 9/11. There was still a big deficit between decision makers and awareness around cyber. I think that's leveling out a little bit today. But still, they're not going to have the technical chops that an intelligence officer would have, for example. So how do you go about translating sort of technical issues into a manner that a policymaker can run with? Like any good analyst, I'll start off with a
few caveats. There are going to be policymakers who are themselves very technical entrepreneurs or, you know, have backgrounds in industry. You know, Senator Warren and even more. So now,
I think. Right? Yeah, even more so now. And, you know, you could be also
briefing a senior military official who came up with those skills. Right. So it's not to say that they personally don't have those skills, but they're not usually making decisions based on that. In general, the higher up you go, of course, their primary function, if cyber comes on their plate and they're not a cyber specific policymaker, it's probably because something bad has happened and the issue has come to them. They may not
have even thought of themselves as being a cyber policy. It could be a surprise to them that they have cyber responsibilities. There's many permutations this could go through. The technical details generally matter to decision makers in the corporate world and also in government at that level as it relates to risk analysis. So you as the intelligence analyst, the team, because it's a team sport, you at an intelligence agency or in the
private sector, you should know those technical details and sometimes they are relevant. But generally what you're doing is helping the policymaker understand risk. This threat is this widespread or we can be so confident that we've remediated it or not, or we've detected this much of an operation is at the tip of an iceberg or not. The
SolarWinds incident was a good example of that. Right. I was the national intelligence officer starting in the Trump administration and transitioning almost exactly half between Presidents Trump and Biden was honored to do both. You know, during the transition, the Trump administration was working that issue, you know, remediating it within the government and broader society. The Biden administration is coming in and of course many of their officials want to know, well, I've
read in the press that it's xyz, but how bad is it really? How widespread is it? You know, how confident can we be that we fixed these kinds of issues? Right. Is this the tip of the iceberg or is this all we have to be concerned about? Now to be the NIO for cyber, you do have to
be a bit of a savant though. How do you do a national intelligence estimate on Russia and not cover cyber or on cyber and not cover China, Russia, Iran, North Korea, large ransomware gangs and operators? You really do need to bridge those worlds, don't you? Sure. I think particularly at the National Intelligence Council where I was, that's
one of the primary job duties is to bridge the worlds because there's hundreds of smart analysts who could work even on not just Russia or China, but very niche subsets of that problem. So no matter how smart someone might be, there's always going
to be somebody smarter, especially on a Particular issue. Yes. A lot of the job is bridging from private sector, think tank, academia world, bringing that into the intelligence community, bringing all of those different perspectives to the President and to congressional leadership, making sure.
Everyone's having an exquisite means to corroborate. So that is an advantage of being part of the community, right? Yeah, well, or you say corroborating, but also, you know, if
you're doing long term thinking, the best ideas might come from those areas. Absolutely. You shouldn't assume that the intelligence community is great and very powerful, but a good idea has its own power. So, yes, as the NIO, you're one of the few senior substantive people because you're not really managing very many officials directly. You're mostly doing substantive analytic work. You're one of the few people who can go out and interface with
the real world here. To the extent that DC think tank world is the real world, you're able to come down to those sorts of meetings and get a lot of ideas on what could go wrong. Right? Yeah. And some of these lessons that
you gleaned in terms of briefing in the private sector CEO C suite, there's a lot of discussion that this is a C suite set of issues that it's about managing risk. What sort of lessons have you gleaned there? Again, in the private sector
in general, the people doing the work, particularly if you're not at a cyber company, you're at any other sector but an owner-operator of critical infrastructure service. Large, small business critical infrastructure operator, you might have a threat intel team. In general, they're going to be focused on day to day technical issues because there's a monster every day
there's more threats than they can triage any given day of the week. So yes, they're going to do thoughtful trends analysis, but as they are talking to the CISO, the CIO, you know, maybe the board of directors of the CEO, the people producing the intelligence are still going to be very technically focused and that's what they think is important. But as you move up, you do have to translate more and more into not just technical risk, but business risk. You know, if you, if your private
sector entity has been compromised by an actor, that's your whole world. If you work in the SOC or on the threat intel team, your whole world is getting them out upside down. Yeah. The farther up the org chart you go, you're thinking more about how does this risk our business operations? Is this going to disrupt our ability to, is our website going to be down at a critical moment when we do most of our annual sales and supply chain. How does this affect our supply chain
partners, our reputation, business to business? It's not that they don't care about the technical details, it's that they're placing that network intrusion into a larger business risk context. So you need people who can translate that. That's why I'm an optimist, that artificial intelligence related cyber threat intelligence tools, they're going to make hopefully people like me more effective at doing our jobs. But you're still going to need someone, a human being to
apply that to your organization. What does this mean for us as people who run this organization? That's the part that I think people are going to play in the future. Increasingly, yeah. And this is an age old issue, but at the end of
the day it is hard. So technology can do a lot, but it doesn't make up for years of gut that may not even be articulated in a specific kind of way. And experience and scar tissue, and we all have been through some of that, that is worth something in these sorts of roles. Most of what makes someone
senior in intelligence analysis or more broadly within the profession, what is typically called like tradecraft, that's really just the accumulated lessons learned of mistakes. Right. Your predecessor or you, in my case. We learn from them. Hopefully you learn from it. When you think about artificial intelligence and how that works in a cyber threat intelligence context, let me refer back to a comment I made earlier. Your job is to improve decision making.
So there's two sides to that. There's what are the bad guys doing to us, to our network? What are their plans and intentions? What are their capabilities? But there's also what does our organization, what's normal traffic on our network look like? If you're the government, what are our plans for domestic peace, stability and prosperity and tranquility? What
are we trying to do in a positive sense? You need to know both. You need to know both the blue side and the red side simultaneously to make better decisions. That's difficult anyway, even just in a human context. But artificial intelligence, I mean today, the way it is today, LLMs, I think it's best to think of them as a kind of large scale translator. You can very quickly make different types of data, talk to each other in a way that puts a premium on asking interesting
questions. You as the analyst need to be the one coming up with the interesting relevant questions. The work of pulling everything from very low in the OSI model, very low technical information, up to geopolitical plans and intentions. I think artificial intelligence in the not too distant future will give us an ability to have analysts ask those questions and start putting it together in a thoughtful way. But who's going to do the
translating for your organization? I say organization could be a business. Could be the government
and context that's specific to an organization. Right? I mean that's hard. I mean at the end of the day it's only as good as the questions that are queried. And I could say the same about analytic tradecraft writ large in cyber. That's the
first question that any business leader and most experienced intelligence leaders have. When for example Infragard or any other intelligence sharing organization, if they put out a report that, you know, CISA puts out a report that says such and such sector is potentially under attack or is under attack, the first question is going to be is that relevant to us? Does that apply to my organization? Is it in my network? Because that's
your responsibility. That's not small mindedness, that is your responsibility. Jumping from here are some indicators of compromise to does this even apply to my organization? But really what you want to get from is indicators of compromise to how does this affect business risk. That requires several stages of translation and the more of the translation that can be handled by cycles in a computer versus a human being that frees those human beings
up to do those later. Higher ordered thinking that today isn't getting done necessarily. And
there are some positive indicators. I mean our world is filled with a lot of doom and gloom, but there are some dwell time is beginning to shrink. But there's still this. You mentioned SolarWinds. It's still very difficult for companies to be able to say hey, we do or do not have, this is our exposure, this is our level of risk. Supply chain visibility is still a bit of a challenge, right?
It's difficult getting better. But yes. And even for the best resourced organizations you have to stop your job somewhere. Because it's second, third, fourth order effect. You have a hard enough time defending your own network. You can't defend somebody else's network. Right? So yes, you need to understand who your suppliers are having higher standards for those suppliers, particularly if you're a large purchaser, the government is a tremendous purchaser and you've seen
a lot of push for secure by design standards. I mean that is a very natural response to sort of raise the defenses of everyone collectively. That doesn't really solve the problem of a foreign intelligence or military officer who says I want to get access to. They're not a criminal saying I want to get access to something they're saying I want to get access to this specific target for whatever reason and I can do some open source research and figure out who all their suppliers are and
I only need to get into one perhaps to get in. So how do you address that? As an intel analyst, I'm mostly an expert in problems, not solutions. I mostly just describe or cause problems. But in general you deal with that by assuming that you could be compromised. No matter how good your security is, no matter how many people you have, zero trust. Assume you could be compromised. Do you have a way so that if you are compromised through a supply chain operation, the damage is
limited? As you pointed out in the latest M-Trends report from Mandiant, dwell time is going down and down and down. So it's being detected quicker than in the past. The flip side of that is adversaries are moving quicker once they get into a network. Exactly. And exfilling quicker. But yeah, yeah, no, I can look for a gray lining in any cloud, don't worry. But yeah. So that's not something you address in
the traditional sense of having intelligence that prevents a threat. That's something where your policies and your planning come into effect. Try to beat it every day, but assume that you're eventually not going to. How do you make that bad day merely bad instead of catastrophic. That's a policy decision that goes all the way to the top. Back to business risk as we were. Discussing 104 on that and again just my experience
in government, it was treated as a black magic. I think that's changed dramatically. How
did you feel about getting intel briefings when you were in government? Were they helpful for what you were doing? For the most part, yeah. But of course you're always
looking for that silver bullet which rarely exists because intelligence, they're estimators, they're not clairvoyants. And I think we still have this false impression that you're gonna get the when and where. If we know the when and where, we're preventing it. I'm not worried about that. There's no briefing if you stop it early, that's good. Exactly. That's a good day. Unfortunately that's not every day. And for the most part that's not the
messy world we live in. Sort of fast forwarding to say, let's say September, October, November and then after November, if it's regardless of whether it's a new administration or a continuation of administration you mentioned there are going to be a lot of moving of the deck chairs. That's inevitable. What would you think priority one would be? What would that look like? And how do you build some of that trust in rapport
with the policymaker, decision maker? Sure, yeah. It's hard to predict because if we were
going back in time, I wouldn't have predicted that SolarWinds was going to be such a big issue during the transition. Right. And over the holidays on top of
that. Yeah. To summon my inner Rumsfeld. There's known unknowns. Right. So the unknown unknowns
can crop up. I'll speak actually to those. First, if you have something like that where you know you have a problem, but you may not know exactly what it is, or if it's the tip of the iceberg or the whole iceberg has been hit. Right. If you find, if we find ourselves in that situation, you know, the government briefers add a lot of value right up front by if they know who did it. Talking about plans and intentions. Right. Is this hypothetical operation, is it espionage
or is it preparation for an attack? Often you're in the situation of trying to tamp down a little bit of concern because you have to sort of, yes, you want people to be scared if it's appropriate, but you want to right size how scared they are. So saying this is an enormous espionage operation is bad news. But again, it's not necessarily preparation for war. But that may be how it's described in the newspaper at the time. So we're talking about a hypothetical future operation. It's hard
to say, but how bad. But some could clearly be preparation of the battlefield and
is preparation in the. Known unknowns category for me, at least with what I see,
which is not generally cleared material at this point, but for what I see concern about China's preparations to attack US critical infrastructure in the future, Volt Typhoon related efforts, that is if you read the public estimates from the current directors of the intelligence agencies, they'll say things like that could happen as early as 2027, could be later,
hopefully it's never, but it could be as early as 2027. Well, that's not urgent in the sense of on day one you're being attacked, but if you want to be ready by 2027 on day one, you need to be getting ready. Right. So for me at least, are you. Surprised at the volume? I mean, whether it's FBI
Director, DNI, there's a loud cadence. It's a difficult problem for them to solve because
so much of it is affecting us. And that's not typically the case that the US finds itself in. Right. But absolutely, the preparations to potentially attack US critical infrastructure to cause, you know, multiple or cascading failures. All these different descriptions that you see going after the water sector in particular, which undergirds other sectors. Absolutely, yeah. If water goes out, hospitals lose the ability to do surgeries. Electricity, you have no lights, power
plants don't run. Yeah. So it's a, it's a weakly defended sector that is kind
of an Achilles heel for other sectors. Okay, well, the fact that they're saying it repeatedly, I, you know, the Biden administration brought in an all star team of cyber policymakers. So at some level, if they keep bringing it up repeatedly, I assume that that's justified by the underlying substance and something that everyone should take seriously. Even attempting to address that at a, within the cyber domain is going to be a years
long project. So if you're trying to get ready by 2027, preparation, I'm sure is already underway. But whoever moves into those roles in January or before really has to have that front of mind where you've been warned that it's a real possibility. You've been given specific sectors that are being targeted and a specific date. In terms of long term cyber intelligence analysis, that's about the best that we ever do. If that's
not front of mind, then we're not taking it seriously enough. And let me ask,
this is a little off piece, a little off topic, but I think it's also important in the community to have minority views, independent thinking, some would even say maverick views. I'm sure you've been in that situation in the past. How does that look? Cause at the end of the day it can be hard, especially if you're in an intelligence role and policymakers may have a very strong view one way or another. How do you address that? Yeah, I think actually you've raised two related and important
questions. I'll take the easier one. First, working with policymakers who may not like your views, I mean, if they feel like you're trustworthy and not motivated by any, you're not, you're not deliberately undermining their policy. You're just maybe have a different opinion and it's bad for their policy. Most, I mean, a large majority of policymakers will live with that and still welcome your input. And so I, that's something that you work
out at a personal level. I have to build that, that respect and relationship takes over time. Yeah, I've had, I've had plenty of people who felt that way about what I was saying. And over time they realized that it was, you know, we're just reporting the news or whatever. So I think on the other issue, internal to the US Intelligence community, definitely they could do a better job tolerating dissent. I mean, I've taken dissents very publicly in the past on China elections. That's why I raised.
I know you did, yeah, I dissented. Not to put you on the hot seat. So I dissented on my own paper as the NIO. I had one hat that was to coordinate the intelligence community's views on threats to U.S. elections. And you did
that and you carried. Those views and represented everyone's views. And then I said, but.
And I think something's being concealed here, or not discussed honestly, on China's efforts to influence the election, no, they didn't amount to anything that would affect the election outcome. But to say that they didn't happen is simply not true. It's demonstrably not true. And in recent years, in 2022, in the midterms and going into 2024, you saw
Blinken and others commenting that they're continuing to do that. So while my case was not important in the sense that it was dissenting on something that had an immediate impact, there was no. Actually it did because there was no effect on the. Continuing
was the key word there. Yeah, well, no, no, what I mean is it wasn't
like I was alleging that there was any impact on the election outcome and there was the failure to confront China over what they were doing, I thought was extremely unwise. And so I took a dissent in my own paper. That's difficult to do. It was easier in my case because I was to some degree a visitor in that world. Although I had previously worked at CIA earlier in my career, for a
long time, you know, I was there on a three year nonpartisan appointment. So on day one, you know, Sue Gordon had me do the oath and they sort of told me, no matter how well you do, good or bad, you know, three years to the day, you know you're fired. So I think that's much harder. If you are a career. I was a civil servant, but I was a nonpartisan outside appointee.
If you're a career civil servant, to take a dissent like that and then to have to go back and have 20 more years of promotions and assignments and so forth, very tough. And it puts you in a very bad professional situation. So I think culturally there's a lot more to be done. It's a difficult thing to get right, though. You can't hold up the overall process. For every individual analyst, there needs to be a way for them to express their views. I think the military and
the State Department do that much better. Right. You're allowed to issue dissent cables and those sorts of things. There's nothing really quite the equivalent of that for the intelligence community. And there needs to be something where you can get your dissenting view out. Maybe the reader can be made aware that there exists these views. But, you know, I'm also not saying that people like me, even if you feel strongly, should hold
up the overall process. After 9/11, many of the reforms emphasized getting coordinated community assessments. And you see that in cyber analysis as well. There's been, for example, in the past in the Obama administration, there was frustration around different answers on attribution. Right. That led to the creation of CTIIC, the Cyber Threat Intelligence Integration Center within the Office of the Director of National Intelligence, which still exists today, has an important role.
So they are coordinating these things to try to get single attribution answers. Well, that also creates institutional pressure for, you know, for people to tow the. Not to toe the line. But sometimes the edges get rounded out when you have those highly coordinated views. So both are good, though. You want coordinated assessments. You need Playbooks too, right? You need playbooks. A policymaker can't act on every dissenting view. Right. So can you
make that transparent and can you provide real protection, particularly for career civil servants? I think that that is something that everyone agrees is important. No one will disagree. That's important. But it's not currently being done sufficiently for sure. And I would argue, and
this is not to defend the community writ large, but I think the expectation of getting everything right all the time is just. It's a pipe dream. The reality is, if we had all of that information again, we're going to prevent it, we're going to preempt it, and hopefully our policymakers will act on that. But the flip side is, in addition to sort of getting unified views, if you look back to
9/11, the big key finding of the 9/11 Commission was failure of imagination. Because it's not only that you have a dissenting view, it's sometimes you need a different view. If everyone's looking at it through the same set of eyes and lenses and experience, they're going to come up with the same solution, right? Yes. And culturally, that's
something that is often expressed as being encouraged. And certainly you're allowed to take those kind of dissenting views. And it's starting to play out a little bit in the
cyber domain, probably more so than others. Yes. No, I think within the government. The
issue you have is that while you're allowed to take those kind of dissents or offer those creative views, that's not how agencies get budgets, that's not how. So there's resource pressures and individual career pressures that conflict. You really have to value those views in a deep way and reward them even if people are wrong. So I love your point about. I often have said in a different formulation, you know, you should
be wrong a certain percentage of the time. If you look at the different guidelines, if you say it's highly likely or moderate confidence and so forth, that implies that you're wrong a certain percentage of the time. Absolutely. So if you're always wrong, by definition. If you play it safe all day, you're not. Well, if you say we have medium or moderate confidence that such and such thing will happen and you look back in time and you're right 98% of the time, well, then you actually gave
your policymakers less confidence than they should have had. They may not have made key decisions on your important topic because you didn't express enough confidence. Conversely, if you're always highly confident and always right, that's great, but probably you're not saying much that's of interest. Right. You're playing it too safe. And I think backgrounds and experiences, I mean,
I think what made you unique in that NIO role is you not only had the analytic tradecraft coming out of the agency and the background there, but also spent time in the private sector doing threat intelligence where you have a different set of customers, needs and demands. And I think that is becoming more commonplace. But still, probably not. I've learned a lot from, from the best analysts on
both sides. And I won't claim to be the best at either side, but having worked directly in those environments with you, set yourself up. I want your big three
takeaways from each. Okay? Yeah. Yeah, seriously. So I've learned a lot from both sides,
and that's not that common. And it's not, it's especially not common to then go back into a substantive role. I mean, for the most part, those jobs don't exist. When the, when the NIO role came open, I knew I had to apply for it because roughly a quarter, I think historically of National Intelligence Council roles come from the outside, but they're typically from FFRDCs or TRU. Academia, something like that, not somebody
from the private sector. So it was rare. And I still wanted to serve my country and it was a great opportunity and I didn't have to manage too many people. And yeah, it was great. What are the big takeaways? So from industry vis
a vis government, if you had to do Christopher Porter's. Rules of what should you
know if you're in the government about? Okay, what have I learned? Yep. Well, the first one, I think we've all learned a little bit, actually, which is the value of using intelligence in an active way. Right. There's an excellent book by Jennifer Sims called Decision Advantage. It goes into the history of various kinds of intelligence work, but
she makes the point throughout. And I always assign this book to my students about the important role of intelligence analysis and officers supporting, you know, all the way back to Queen Elizabeth I. Right. Supporting the head of government or whatever. So in the private sector, in order to defend yourself, you have to act on the intelligence that
you're given. There may be appropriate TLP restrictions. There may be other agreements in place that restrict how information flows, just like in the government, but to a lesser degree. But you have to use it to defend your network. I think, you know, the US Intelligence community has always done that, of course, but you've seen it play out
spectacularly in the Ukraine war. The rapid declassification of intelligence, including cyber intelligence, sharing with allies and declassifying things publicly, and the positive role that that's seen to have played in the defense of Kyiv and the rest of Ukraine. Okay. So traditionally, going back certainly in the Cold War, you thought about classification as a means of protecting information more or less at all costs. We always want to keep things inside at an
appropriate level, and that's how you're taught. These are the security rules. Don't misuse it. But, you know, having appropriately approved declassification processes and being more aggressive about that can play a positive role for security, too. And that's not the way you're taught when
you're a junior intelligence officer. But, you know, I think DNI Haines has had. Has been aggressive on that front, declassifying a lot of NIC papers and other things, and obviously the Ukraine war mostly very successfully and driving important parts of the public conversation around China and other threats. So you're hearing it from a lot of the national
security community. I mean, three to five years ago, we'd be wearing not just Auburn orange, but other orange if we were. I've got more gray hair than I used
to, but I feel like I wasn't doing this work that long ago. But, yeah, you never would have dreamed of even having somebody else declassify your material and put it in the public domain. And now that's a live possibility in a good way, I think. But my point to answer your question is I think it has to be done strategically, not obviously as an individual person, but at a national level using
intelligence actively, particularly in cyberspace. Absolutely vital. I can't tell you how many times maybe this is. I'll use this and count this as my second. But I'm not generally someone who's critical of overclassification. I think in most ways the IC generally get. People imagine that it's more common than it is on the important topics, but I think on technical issues there probably is overclassification. Very valid reasons. Yes, I've, I've received,
you know, are. We've, I've worked at places that produced indicators of compromise and then we were told, you know, hey, that's classified and go well that's, we, you know, that's the opposite. We didn't, we didn't get it that way. Like, you know, so it obviously. So is an IP address intrinsically classified? That's a common example. There's lots of material that is acquired through classified means that is also acquired through commercial means,
source means. That's also a potent use of commercial threat intelligence is it provides an unclassified means for talking about these threats. The latest APT group, the latest techniques. You don't have to share your greatest classified intelligence. You can talk about the latest public report. So that logic goes both ways though. And that really did change the discussion
as well. It was the Mandiants, the FireEyes, the CrowdStrikes, the IBMs, you name the intelligence cyber threat intel provider. That information was publicly available, it was getting attention and I think that in turn had the government a little more comfortable, not necessarily compromising, obviously, sources and methods which no one wants, but to be able to have a public discussion because at the end of the day you need the American people behind
these issues to be able to devote the resources. Obviously, if they're ever putting women and men in harm's way, these sorts of questions, they're no longer going to be treated in, in a small room. It has to be part of a. The threats
to the water sector are a great example of that, Frank. Yeah, so there you're talking not only about the difference between classified and unclassified, but federal government versus perhaps local government or local privately owned water or wastewater facility, you know, passing them classified indicators. Most of those places aren't going to have anyone who can show up on behalf of their company. Exactly. None of them have clearance. They're never going to know
about it. They're never going to show up, or if they do have clearances, it's just infeasible to bring that many people in. Where are they going to go to get the briefing? Right, exactly. You have to get them something that they can actually use. And I think that's another area we can do better as a country is
weighing the risk when you declassify something against the positive improvement to security. I think a lot of government, maybe not the actual leaders, but a lot of government processes still think about the private sector and non government entities in the US as sort of being recipients who receive, you know, after we're done gathering and analyzing this intelligence for the President, if there's anything of use to you, we'll give it to you.
And they're sort of an afterthought. They need to be thought of, particularly in cyber and critical infrastructure, as a primary consumer like your agency exists in part to provide them intelligence. Because that's the front line of the battle. You know, it is the
front lines. And quite honestly, I feel that should almost be a public good to be able to get all. But let me ask this, is putting you in your old role. Why is SVR claiming responsibility for some of their incidents recently? You mentioned water. So it's just sort of out of their traditional approach. Not only claiming, but basically saying, hey, we're here. Yeah, yeah, I can't, I don't get that. I can't
speak specifically to that. But I will say, you know, in general, for all of the major cyber powers, they're going to want to show that they can hold US infrastructure at risk. Yeah. If demonstrate they could do it. Just so when the President of the United States ever thinks about taking action against that country on any issue, part of the PDB is going to say, hey, just a reminder, these guys can
do. And they're going to have a whole list of things, but they're going to say if we make the first move, the other move from that side could include these things. And they want threats to critical infrastructure to be on the list of things that we have to consider. I'll add secondarily also because most of those countries
think that we're doing this kind of thing to them. Right. So again, not speaking to your specific example, but generically, Russia has a strategy of showing that it can maintain qualitative parity with the United States in conventional weapons, WMD, but also in cyber. Maybe they can't do it at the same scale we do it, but they don't want us to have a capability that they don't have. And so they are going to feel like they have to show that they can also shock and awe because
they can't let us have a domain that they don't have. Actually, those are very
valid points. And it gets to a much bigger set of questions we don't have time to address today. But signaling and where that factors into deterrence and if need be, compelling. I still feel like we're in the very early stages as a government to be able to articulate that not only to our enemies, but to potential enemies in the future. And that's not just a clandestine set of issues, quite honestly, you
may not even get the message across. It's a difficult problem, both analytically and practically,
because as I said earlier, you want to know what the other side's doing. You want to know what your side is doing. Now you're adding a third element, ideally shape their decision. You add a third element. I now have to analyze how they understand what we are doing. So this comes up a lot. I mean, probably election interference is the best example. A lot of election interference is sponsored because of perceived
political interference in their country by the United States. And that's a very difficult conversation to have publicly. It's a difficult one to have with a president to say, well, they're doing this because they think we did this to them. Especially if it's not true, it becomes very frustrating. So cyber and election interference issues often boil down to it's a tit for tat game, but the two sides don't agree who struck first.
And so both sides perceive the other as escalating. That is a really difficult security dilemma. But even at a practical standpoint, you as an intelligence briefer are now talking about issues that are far afield from your core expertise, right? You're there to talk about capabilities and technical things and plans and intentions. And you're talking about, you know, trying to, you know, interpret their actions and how they think of your past actions.
Very difficult conversations. And then being able to translate that to elections officials. So it
really is a whole of government, society, and beyond. Christopher, what other big issues? So if you were in the hot seat today and fast forward again till October, anything else that would come front of mind, anything we need to be thinking right here?
I'll give you two. You know, China dominates my thoughts, to be honest, you and me both, two that may not be. I'll try to say something maybe not obvious. One, everyone should be keeping close track of Russia in Ukraine to date. I mean, Russia has been very careful about trying to, you know, tolerating incidental damage to, you know, Europe and NATO countries in cyberspace, but not trying to cause it. Obviously they
could change that. There's still a world class threat to critical infrastructure. So, you know, keeping your eyes on them. And also as they grow in partnership with Iran and China and other countries, are they sharing any capabilities? No reason to think that they are yet, but at some point that may not be true. So keeping an eye on that. The second issue that I'll raise, you know, the importance of offensive threats
coming from commercial actors. I mean, probably the single largest provider of zero days in the past year or two have been, you know, commercial spyware operators. Not these nation states, certainly not any one individual nation state. So that's one I think people know about. But maybe you don't quite have the right gut instinct of like the scale at which it is a problem that threatens academics and journalists and everyone. It also
threatens government officials. It threatens a lot of things. So yeah, commercial spyware also, only because I think it's undercovered, particularly in national security circles, it gets second shrift. And really it should be up there with the Russias and Chinas of the world. I
think those are both very salient, sober and important sets of issues. I do think there's been some talk around spyware and commercializing that, but the reality is probably more needs to be done. When you're in the private sector, you see it all the
time. And those are not secret reports, those are public reports. So everyone knows about it. But if you go into Langley every day, are you thinking about that as often as you're thinking about nation states? Probably not. So, yeah, it's a good example. Something I've learned from the private sector is there's a lot of concerns that they face every day that maybe are not as sophisticated as what the biggest state actors
are doing. They're pretty sophisticated. They add up well. They're sophisticated enough to get past one individual on their phone. Yeah, sure. And the reality is, I mean, when you're
looking at the private sector role, they're front lines of all this. And I think we try to put these clean boxes around blurring issues. And I have a very difficult time today discerning national security from economic security. I think the two are hand in glove and to your point, private sector's on the front lines. Many of them did not go into business wanting to defend against foreign intelligence services, but that's precisely
what's happening. And then the flip side is private sector holds key functions to modern society, and they have a responsibility in one way or another. And I do think we take for granted that autocratic regimes are limiting technology can be the equalizer for them. And that's a scary thought. Yeah. I mean, even other Western democracies, you know,
emphasize supporting and defending their private sector to a degree that would be foreign in the US intelligence community. There are good things about that. Right. We have, you know, creative destruction, and we don't pick favorites. But when the countries that are targeting you are targeting those companies in order to weaken your country, you know, I think that probably means we need to strike a different balance. Absolutely. Last question. What questions didn't
I ask that I should have? You know, a lot of the questions that I
get asked in Europe, for example, that I don't get asked in the United States, deal a lot with user privacy. Right. What do we do to defend individual privacy? And I think, again, I'm a problems guy, not a solutions guy, so I don't have a particular solution in mind, but a lot of questions that I see all over the world, but particularly in Europe, around better protection for user data and individual
rights in cyberspace. People have different feelings about that and different personal values. But as we go around and try to articulate what does a free and open Internet look like, we also have to practice what we preach. So that includes how the government collects intelligence, what we do as a country, how they use, how they're used. We're going to have to set the example that we expect to try to lead the
rest of the world to hopefully stay with the free and open Internet model. It's not going to work for us to, you know, use these sort of authoritarian digital tools and then say, but, hey, we're the good guys. I think in the 90s, that probably worked fine. And it's. It's not so much. It's not going to work today. Right. Never should have done it. But it's not going to work even if you want it to today. And those are big questions, important questions. And Christopher, thank
you for your many years of service. Thank you for being a senior fellow with us. Thank you for spending so much time with us today. And. And thank you for sometimes dancing to your own beat. I think history has proved you right on that one. I appreciate that. Yeah. And thanks for having me on. This is my
favorite cyber podcast. It's. It's top of the list. I mean, I'm honored and thrilled to be on it today. We're privileged to have you. Thank you.