Evolving Cyber Threats: Insights from Former CISA Executive Brandon Wales

Sep 25, 2024 · 53 min · Season 1, Ep. 39

Episode description

In this episode of Cyber Focus, Frank Cilluffo interviews Brandon Wales, the former Executive Director of the Cybersecurity and Infrastructure Security Agency (CISA), who served for over 19 years in the Department of Homeland Security (DHS). They discuss the evolution of the cyber threat landscape, lessons from significant incidents like SolarWinds, and the role of public-private partnerships in building cybersecurity resilience. Wales also shares insights on geopolitical concerns, including Chinese and Russian cyber capabilities, and the importance of preparedness across critical infrastructure.


Main Topics Covered:

  • Brandon Wales' Career at DHS and CISA
  • Evolution of Cybersecurity Threats
  • SolarWinds Cyber Incident
  • Public-Private Partnerships
  • Geopolitical Cyber Threats
  • Future Cybersecurity Challenges

Key Quotes: 

“I can't think of anyone who's probably had more impact on CISA than yourself.” – Frank Cilluffo

“The first shot fired in the Russia-Ukraine conflict was cyber, was the disruption of Western critical infrastructure, the Viasat satellite constellation, by Russian intelligence services to disrupt command and control in Ukraine.” – Brandon Wales

“Our strength really is the vibrancy of our industry, the innovation that comes from it, the expertise that's resident in it. And for us to win, we need to harness all those capabilities and bring them together.” – Brandon Wales

“[US Election Systems] are arguably more secure and resilient than ever, and people should have confidence that when they go to vote, their vote will be counted and counted correctly.” – Brandon Wales

“Industry is not only on the front line, it is the front line in cybersecurity.” – Brandon Wales

Related Links: 

https://www.microsoft.com/en-us/security/blog/

https://CISA.gov

Guest Bio:

Brandon Wales is the former Executive Director of the Cybersecurity and Infrastructure Security Agency (CISA), where he served for over 19 years within the Department of Homeland Security (DHS). He played a pivotal role in shaping the nation's cybersecurity posture and responding to high-profile incidents like the SolarWinds attack. Currently, he is the Vice President for Cybersecurity Strategy at SentinelOne, where he continues to focus on strengthening cybersecurity for critical infrastructure and private industry.

Transcript

Frank Cilluffo

Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the privilege to sit down with Brandon Wales. Brandon just stepped out of a senior role in government where he was the Executive Director of the Cybersecurity and Infrastructure Security Agency, spent 20 years in government, 19 at DHS. We're going to sit down today and talk about the evolution of cyber, since I can't think of any plank owners who were there as long as Brandon was in all sorts of senior roles. We'll also talk a little bit about the geopolitical environment and priorities for cyber on the homeland and how we can protect our critical infrastructure and cybersecurity assets, and also a little bit on transition priorities. So stay tuned. Looking forward to this. Brandon, thanks so much for joining us today.

Brandon Wales

No, Frank, really happy to be here.

Frank Cilluffo

So 20 years in, I mean, you're literally just out of the gate. How does it feel? And let me first thank you for your service. In all sincerity, you've done yeoman's work and I can't think of anyone who's probably had more impact on CISA than yourself. So thank you for that.

Brandon Wales

No, I really appreciate that, Frank. It's good to hear and you know, I'm really proud of the service that I was able to perform, but I recognize that I was a key part of a team and it really was a team effort over the past 19 years to build and develop the department's cybersecurity and infrastructure work. And across the board we've really accomplished a lot. And that's one of the reasons why I felt comfortable stepping down after 19 years there. But it feels good, relaxing. Only have one phone to worry about. Which is pretty nice.

Frank Cilluffo

You slept well?

Brandon Wales

Slept well. Was able to go on vacation without getting phone calls. So that was a change from past experience. But I do miss it. I'm probably always going to miss the mission, but I look forward to staying close to it.

Frank Cilluffo

And you can always support the mission through different means and venues, and it doesn't mean public service is out of the blood forever. So stay tuned on that. So let's talk sort of evolution. And truth is it's moved a whole lot in a short amount of time. I remember when I was at the White House, we were coming up with various structures and IPIA, Infrastructure Protection Intelligence Analysis. Then it transitioned after the second stage review by Secretary Chertoff into the proposed Preparedness Directorate. Then we had Katrina and Congress had PKEMRA, and a lot of the post-Katrina capabilities that were in that directorate sort of found their way back to FEMA. And Secretary Chertoff stood up NPPD and under President Trump, CISA was created. So talk to me a little bit about sort of your trajectory because you've seen it through so many different lenses.

Brandon Wales

Yeah, and I think you're exactly right. The organization has evolved, but I think more importantly the mission has evolved over that same time horizon. When I joined the department...

Frank Cilluffo

Mission focus, that helps every once in a while.

Brandon Wales

Yeah. I mean, that's where I come from, always. I think that's a way to ground the conversation in part because when I first joined in 2005, it was all CT, all

the time. That was the focus. I mean, we're still living in the aftermath of 9/11, the focus was still on how do we protect against both overseas and homegrown terrorist threats. I joined in April 2005. In July we had the Sunday, the London subway bombings of that year. And so the terrorist threat was still very, very much omnipresent. I would say that began to change with Katrina in August of 2005. And I think the massive impacts, particularly on critical infrastructure in the Gulf Coast and then some of the reverberating impacts across the country, led us to begin to look more at all-hazards missions. So looking at things like natural hazards, and it made some of the changes that were envisioned under Secretary Chertoff's second stage review about combining some of the aspects of FEMA that have to do with resilience and preparedness along with the infrastructure mission made a lot of sense. Even after those pieces went back to FEMA, there is still very much a focus even to today on all-hazards risks. What do we need to do to be prepared and how do we build on the public-private partnerships that we've established and built and maintained to ensure that we're able to address the all-hazards risk environment. I had the privilege of serving in an infrastructure intelligence fusion center, really an organization that sat between the infrastructure protection mission and the Office of Intelligence Analysis, at the time called the Homeland Infrastructure Threat and Risk Analysis Center, HITRAC. And it allowed us to kind of look across the threat space. And in the early days, the cyber mission was a small part of that. You know, we had one or two analysts focused on communications and the IT sectors. As you could imagine, today it's much different.

Frank Cilluffo

Absolutely. And not to conjure up any PTSD, but you've seen a lot. Again, the bad guy has a vote in all of this. And if you were to sort of look back, what were the biggest crises you were facing and how have you seen the maturity of CISA to be able to respond to these better?

Brandon Wales

Sure. You know, over my time I have seen a number of both natural disasters and man-made hazards come to fruition. Some of the big ones that I had the opportunity to work on, a number of obviously the major hurricanes from Hurricane Katrina, Hurricane Sandy, a fair amount of work when I was working in the front office for the Secretary on Hurricanes Harvey, Irma, Maria in 2017. But on the man-made front you had technological hazards like Deepwater Horizon and the impacts that had on the Gulf Coast. We have inland flooding

every year in parts of our country that impact critical infrastructure. And then you have the real threats that we face from malicious actors. And those could be things that have impacted our mission from areas like school shootings and attacks against synagogues that sadly, you know, extremely sadly. But we reacted by surging our protective security advisors into the field across the country, meeting with schools, meeting with places of worship, helping them have tools to better react and prepare for and respond to those kind of incidents should they happen there, so that they're able to minimize the consequences. And then frankly the cyber incidents that have dominated the news, things like SolarWinds, the Microsoft Office 365 compromises that came to light in 2020 and 2021, Colonial Pipeline and others, today, you know, Volt Typhoon compromises of US critical infrastructure. I've seen it all. And I think the one thread that I would pull throughout the entire arc of my experience at the department has really been our relationship with industry. What underpins that, what allows us to be successful, is our ability to work from government with industry in an honest and direct way on security, resilience, preparedness issues. And it really has, you know, I think a lot of people say that, that was really, you know, CISA was purpose-built for that type of partnership. You know, that type of partnership is really CISA's superpower. And I think what has been most impactful for us as an agency is being able to use those relationships and build and maintain them over time. And as the threats evolved, as the mission focus has evolved, those partnerships have been able to grow and evolve with them. And that is unique, really around the world, for how we have built and maintained those partnerships that has allowed us to really leap ahead in some really critical areas like cybersecurity, and integral to success going forward.

Frank Cilluffo

And truth is, there's still some unfinished business. There always is in all of this, which is a good thing. I mean the reality is it's moved mountains in a short amount of time, but still got a ways to go. And I'd be curious in terms of, you were actually in the acting director role when SolarWinds hit, right? So that was sort of a wake-up call. I think that still to this day supply chain issues are near and dear and need to be prioritized. But take us back to when that hit.

Brandon Wales

Yeah, it was actually an interesting time. So I had taken over the acting directorship of CISA just on November 17, the day that Director Krebs was fired by the President. And I think it was about a week and a half later that I got a phone call from Kevin Mandia letting me know that Mandiant had been, FireEye had been compromised by suspected Russian actors. And at the time the initial focus was on the theft of their red teaming tools. And that came out publicly a few weeks later

when they released a report on that. But I guess it was maybe about two weeks after that that the kind of scale of the program and the compromises really became fully known. And I got a call on a Friday night from Microsoft letting me know that there'd been a compromise at the department, that the email of...

Frank Cilluffo

Always a Friday night, isn't it?

Brandon Wales

So it was Friday night that they needed to get on a call with us to talk about a potential compromise. And at the time our email system was maintained by the department and had to bring in the department CIO and others. But even at that moment we were just beginning to understand the scope of this, as Microsoft indicated that there were multiple federal agencies that were impacted along with multiple private sector entities across the country. And as we unraveled this campaign by Russian intelligence services to burrow into the email networks of government and industry, we got a sense of its scale. This had been going on for about a year. Not the same in every agency; they were compromised at different times, in different companies. The initial compromises were against some nonprofit organizations and then some industry, and then government started to be compromised during the summer of 2020. And again, it wasn't detected until late November, early December 2020, when it was actually detected and we jumped on it. But I think importantly we focused on it from two perspectives. There was one: what do we need to do to clean this up? What do we need to do to understand what happened? How do we remediate it? How do we work with agencies to evict the adversary from their network? How do we provide guidance to industry, who are dealing with these same exact challenges? But internally we had a secondary focus, which was: what are we learning from this that we need to begin to make changes in how we do federal cybersecurity? As a result, it exposed some real weaknesses in the overall architecture of federal cybersecurity. It highlighted areas where we were weak and where we needed to make changes. And so when I was talking to the incoming Secretary of Homeland Security, the now Secretary Mayorkas, he said, what do we need to do to make progress here to really fix things? And I said, we need three things. One, we need some additional authorities that allow us to more persistently hunt on federal networks. Right now we don't have the ability to do that. We have to ask permission. It's lengthy and it doesn't give us persistent access and persistent visibility, which is what we need to actually resolve this. Second, we need the entire government to be moving in the same direction. And three, we need additional resources to deploy more agents inside of networks to give us better visibility at the actual endpoint level and hosts and workstations across the government. At the time our focus was predominantly on perimeter-based security sensors, and those were becoming increasingly blind thanks to encrypted network traffic. And more activity was happening on the host. And we just did not have the same level of visibility there. So it was all about how do we better have improved visibility so that we can more quickly detect activity and more quickly take action. And frankly we were able to get all three of those things done. The NDAA that passed over the President's veto in January of that year, which was vetoed for unrelated reasons, gave us persistent hunting authority across the federal civilian executive branch.

Frank Cilluffo

Yes, a lot of these things were Solarium ideas that we needed to get over the finish line.

Brandon Wales

Second, we got a supplemental, as part of the broader American Rescue Plan Act that the President was pushing, there was an additional several hundred million dollars for CISA to put into federal cybersecurity, which we did. And third, in May of 2021, we had the President sign his executive order on cybersecurity that required, for example, agencies to give CISA object-level visibility into their networks, and required both agencies and their contractors to report incidents directly to CISA and the FBI so that we can take more concerted action more quickly. And I think as a result, if I look back over the past three years, what, you know, the changes that have been wrought based upon what we started then. Significant, I mean, night and day difference in terms of our ability to both understand what's happening on federal networks, to detect malicious activity more quickly. And I think we have seen this play out in the real world. When there was additional activity from a nation state against the State Department, they were able to detect that activity before Microsoft and actually alerted Microsoft to activity that was happening on their own network. Again, that is thanks to a lot of work that we started three, three-plus years ago. And getting those building blocks in place has allowed the federal government across the board to be far more secure, far more resilient from a cybersecurity perspective. And I think having that approach, we were looking at SolarWinds to not only focus on today, but look ahead at tomorrow. What are we going to do to learn from this and make real, lasting changes to how we do security here? Because that's the way in which we're going to get ahead of this. These are our, you know, from these adversaries.

Frank Cilluffo

Thank you. That was very thoughtful and lots there to unpack. But one I want to start with is a term you mentioned at the very end, and that's not only secure, but resilience. The truth is, we're never going to be able to protect everything, everywhere from every perpetrator and every modality of attack. Obviously, we'd need to do more to prevent bad activity, but we can build resilience where we

can minimize the consequence, minimize the impact. And historically, and I think you had a significant role personally in a lot of this, you've had to come up with very creative ways, whether it's binding operational directives, to be able to make sure you can root out, whether it's Kaspersky or other technologies, Huawei and the like. But tell me from a resilience perspective what you think some of the lessons learned are here. And not to add to that rich set of questions, but historically the department also has a significant role in countering terrorism and emergency preparedness and consequence management and all those sets of issues. So does that DNA help in all of that?

Brandon Wales

Yeah. And, you know, I would say when I look at, you know, using a case study being the Russia-Ukraine conflict.

Frank Cilluffo

And you had a leadership role there. We're going to save that for sure first.

Brandon Wales

But I want to raise it here because, you know, when I was given the responsibility for standing up the Unified Coordination Group to handle the domestic preparedness and response activities associated with the Russian invasion of Ukraine, built around the concept that we were likely to face blowback from Russia, that they would likely target the United States as a result of our support for Ukraine, our sanctions against Russia, our leading the international community. My deputy in that effort was from FEMA, fantastic partner Keith

Turi, now in a leadership role in FEMA's Response and Recovery Directorate. But the reason for that is for this exact reason, in that we want to make sure that there are not hard boundaries as we go from protection to response and recovery. So that we're thinking about how are we prepared for all phases of incident management from the very beginning. And you know, we were lucky. We never faced an actual incident directly against our critical infrastructure as a result from the Russian government. We saw some lower-level hacktivists doing website defacements and such and some DDoS attacks at a lower level, but never a real significant attack. So what we were doing was a lot of planning and a lot of exercising. So for example, we brought together exercises working with some of our sector risk management agencies like Department of Energy and EPA, both their cybersecurity elements, but also their emergency response elements. So do we think about how does that continuum work if there are, for example, cyber attacks that have physical implications? We want there to be as much close support and synergy as possible. Some of that has been enabled by changes that were made post-Hurricane Maria, like changes to the National Response Framework, the creation of ESF 14 on Critical Infrastructure that CISA leads. But even right before I left, we were still doing work on exercising to understand how do we better perform the kind of national security work that we need to do in responding to major potential disruptions and how will that work from a preparedness, protection, resilience, response, recovery, all of it needs to be closely aligned. And that is a real strength for us being in the Department together. And it's one of the reasons that CISA Director Jen Easterly, along with FEMA Administrator Dan Criswell, last year kicked off a resilience effort together called Shields Ready. It was because of this idea that these things are meshed. Resilience of critical infrastructure, resilience of communities, that these things are very much intertwined and we need to approach them in as joint and unified a way as possible.

Frank Cilluffo

I'm going to ask you the unfair question. Five years out, does CISA stand alone as an independent agency or does it remain, given some of the strong arguments you made, within the Department of Homeland Security?

Brandon Wales

Well, I think the strongest argument is big reorganizations are challenging. So it's probably easiest to say it'll probably stay because removing it is hard.

Frank Cilluffo

But it was significant to create CISA as a standalone agency.

Brandon Wales

I think it was important to create something that had a real clear brand and focus and it allowed us to create the type of culture we have today, where it's really unified around the concept of protecting critical infrastructure from cyber and physical risks. When we were NPPD, we had some other functions that were a bit ancillary to that. And I think it does, it can weaken the focus. And so I think we have created a much more mission-focused agency and it allows the Director to spend more time focusing on that mission. And I think ultimately that's

what generates success. You know, I think, you know, it has a lot of work to do and so does FEMA and so do other parts of the department. A change could distract from that work at a time when we don't necessarily have time for distractions. And so I'm much more, you know, an institutionalist. I was in the government for, you know, 20 years, in the department for 19. I'd rather see us make kind of small, consistent improvements in what we are doing. And I think we showed how we did that in federal cybersecurity, how we've continued to build on those successes in critical infrastructure security. So that's where I think the focus should be.

Frank Cilluffo

That's well said and nothing I could disagree with there. So good stuff. Talking about sort of the geopolitical environment, you sort of teased out and you did play a very significant role in the run-up to supporting US support of Ukraine after the Russian invasion. Volt Typhoon, sort of, if it quacks like a duck, maybe it is. So I'd be curious what some of your thoughts are in the broader geopolitical environment. And I think it's fair to say, and disagree with me, I don't think any form of conflict today, tomorrow will not have a cyber element to it. Whether it's intelligence preparation of the battlefield, whether it's phase one, phase two into activities, whether it's trying to weaken morale from a misinformation, disinformation, deception perspective, or whether it's actual cyber attacks that can have kinetic impact, or cyber attacks that can have cyber impact, or kinetic attacks that can have cyber consequences. So what are your thoughts on all that?

Brandon Wales

Yeah, I mean, you know, you don't have to believe us. You can just look at the writing, the doctrine of our adversaries. You know, both China and Russia are very clear that the US homeland will not be a sanctuary in future conflict. Certainly we were preparing in the case of Russia-Ukraine for blowback that would impact the United States. There was a real belief that US support for Ukraine in that conflict was sufficient to be a trigger for the homeland to be brought

into conflict. But I would say, critical infrastructure, the first shot fired in the Russia-Ukraine conflict was cyber, was the disruption of Western critical infrastructure, the Viasat satellite constellation, by Russian intelligence services to disrupt command and control in Ukraine, and it had implications and impacts on neighboring countries in the region. And China is even more clear about what they will do. And it's not only what they will do, but what they're doing today. As you note, you know, we have seen the Volt Typhoon actor, a Chinese state-sponsored actor who is compromising US critical infrastructure today so that in future conflict they can launch disruptive and destructive attacks. That is what these compromises are for. There is no intelligence, no espionage, there's no espionage value. And you do not sit in a piece of critical infrastructure, in one case for up to five years, and don't do anything except make sure you continue to have access and dump the credentials every six months, unless you are waiting for something. You are not looking for an intelligence gap, you know, intelligence information. You are waiting to disrupt, to destroy, to degrade those networks when given the direction to do so.

Frank Cilluffo

And NSA referred to it as living off the land.

Brandon Wales

Living off the land is very much to detect the specific cyber techniques that they're using. They're not deploying malware, they're using often administrative tools that are resident on those networks that network admins are using. They aren't accessed regularly. Some cases are, some cases they're not. But also there are things. For example, network administrators don't normally dump the credential files on an Active Directory. They shouldn't unless you're doing some type of major, major overhaul of the network. But these actors are doing it every six

months. So they are giving off indicators that could be detected, but they're not being looked for in the right way. And I think the advisories that CISA, FBI, NSA and some of our Five Eyes partners issued over the past 18 months on the Volt Typhoon activity talk about the living off the land techniques, what to look for. But we are now seeing other groups, ransomware groups and others, begin to change tactics, employ more living off the land techniques because they're just harder to detect. It requires network operators to have a much greater degree of visibility, much greater insight into what a baseline of their network operations looks like and how to detect whether something's anomalous. So you know, it really is likely to be the wave of the future. The Chinese have just been perfecting it over the past several years, are very good at it and they are using it for this purpose to get inside of our networks to lie in wait. And if we are in a crisis situation, the next boom, you know, again, the first strike in the next war could also be through cyber. And that pre-positioning to make it happen could be happening right now.

Frank Cilluffo

And it need not be something that's overly destructive. It could be something that could stymie our ability to respond, deploy forces, project power.

Brandon Wales

Yeah, our sense is that the Chinese in particular have two goals in their targeting of our critical infrastructure. One is to disrupt the flow of U.S. support and project power to Asia and support our allies. And two, to induce societal panic inside the United States because they want to affect our geopolitical decision making. And in order to do that, you don't have to hit the biggest, most important pieces of critical infrastructure. You can hit medium

sized entities around the country. And I think that is borne out by the actual targeting in the Volt Typhoon campaign, because they're hitting targets around the country, they're not hitting only big critical infrastructure, they're hitting small and medium-sized companies. Sometimes they're in supply chains of a bigger one, sometimes they're not.

Frank Cilluffo

So, and Guam, and some...

Brandon Wales

Sure. Some that are very focused under that first piece, on disrupting our ability to project power, there are going to be some very specific targets they want to go after and those need real attention. But those are ones that we know who they are, we can spend the time working on them. The bigger challenge is just going to be if they can target anything, if anything could help them achieve their goals of inducing societal panic, then the attack surface is so huge. And this gets back to the conversation earlier about resilience. We're not going to protect everything. How do we make sure that we can get back on our feet quickly?

Frank Cilluffo

And bounce forward ideally.

Brandon Wales

Right, bounce forward ideally. And I think in this case some of the lessons learned out of the recent large-scale outage caused by the CrowdStrike technical glitch are a good highlight, you know, that we lack resilience in key areas, that we're not able to bounce back, let alone bounce forward like we want to. And so I know that this was a big focus as I was departing, from both within the agency itself and at the White House level, to look at lessons learned coming out of CrowdStrike for what it means about both our cybersecurity but also about our

resilience, our ability to withstand disruptions, to operate in a degraded environment. We need to do better, period.

Frank Cilluffo

And just to remind our viewers and listeners, still patch, still patch regularly.

Brandon Wales

So absolutely, that's the irony in all that.

Frank Cilluffo

Let me ask though, with Volt Typhoon and to your point on inducing panic or concern or just saying the consequences are too grave to act, to me that's more in the traditional deterrence sense of signaling. Do you think that they've pre-signaled, or do you think that they were just as surprised as anyone else was that we caught them?

Brandon Wales

You know, that is a, that's a hard question, an almost impossible one to answer. It's a hard question because I don't think that they expect to be caught. They have worked really hard over the past several years to improve their tradecraft. You know, probably 12-plus years ago we would have said noisy. We would have said the Chinese are noisy and the Russians are quiet. Today it's a little bit of the

reverse. They've worked really hard to improve their tradecraft, to fly below the radar. That's not true across the board, particularly some of their intelligence services that use outside hackers that tend to maybe be a little bit less stealthy.

Frank Cilluffo

A lot of discussion around proxies we could have.

Brandon Wales

But I would say here is they don't plan to be caught, but they know that we're good. U.S. and Western intelligence services, cybersecurity services like ours, the robust private sector cybersecurity firms in the West are good. And from the fact that they haven't really changed even after the disclosure, that really signals to us that while they might care that they've been detected, because it's better for them to not be, it doesn't necessarily mean that it's going to change their overall objectives or what

they're doing. Volt Typhoon is as active as ever, trying to compromise U.S. critical infrastructure. We, along with Taiwan, are still target number one and two of the Chinese actors. And their teams are spending every day figuring out how do they compromise the networks they want to get into so that they're in position to execute direction from their leadership at a time and place in the future. You mentioned Taiwan, which is obviously

Frank Cilluffo

near and dear and front and center for everyone. I think we can say publicly you've had bilats with the Taiwanese on some of these issues. Are they ready? I'm

Brandon Wales

not sure that anyone is ready for cyber, for full cyber conflict. I will say that they very much appreciate the nature of the threat and they are working hard both with us and with others to make sure that they continue to get better. I think the more we can demonstrate to the PRC that the West is capable of handling what they want to throw at us, the less likely future conflict will be. And we often talk about what lessons Xi is learning from Putin and, and

Frank Cilluffo

certain behaviors there. But the flip side is we can learn the Taiwanese from some of the Ukrainian lessons and a lot more backbone than I think a lot of people thought on the cyber side. And that didn't happen overnight. That was a lot of blood, sweat and tears to get to that point. Fair. That's fair. And I

Brandon Wales

think Ukraine, and not just government, but private sector too. Yeah. I mean, what I would say is Ukraine, because of the initial Russian invasion in 2014, the cyber attacks that they faced, including against their critical infrastructure in 2015, against their, in 2016, against their energy grids, etc. They were, they have been focusing on improving their cybersecurity and

also their resilience. I mean, I think the thing that most, that we have been most impressed by is both the societal and the infrastructure resilience, that they are not able to only withstand cyber attacks, but really barbaric physical attacks against their, against their critical infrastructure. I mean, their energy grid is routinely hit by bombs and missiles and let alone cyber attacks. And so their ability to withstand those types of attacks and

continue to stay cohesive as a country. Taiwan will have unique challenges as an island country, you know, being able to be supported and serviced has some unique challenges, but it's also harder to conduct operations offensively there. So, you know, there'll be a little bit on both ends. I think that there, you know, everyone is looking at what lessons can be learned from Russia, Ukraine, including the, including the Taiwanese. And certainly that

has been a key part of our conversations with them. What, how do they build similar levels of resilience of their digital infrastructure, of their physical infrastructure? And that's certainly front and center, and it will likely be front and center for government and private sector actors with Taiwan. But there's urgency. Absolutely, absolutely. So looking not

Frank Cilluffo

just Taiwan, but more broadly, one of the things that I think is also significant and I've been really pleased to see is on a lot of these advisories, you'll have seals from not only the significant alphabet soup in the United States of agencies that should and must be part of the solution, but also a number of allies. And it started with Five Eyes, but now it's expanded beyond that. You've seen South Korea, Japan, Germany, a bunch of NATO countries and, and beyond. Tell me how that

looked. How hard was that to be able to initiate when you were at CISA?

Brandon Wales

So you know, I think and keep doubling. Your successors I hope will double down

Frank Cilluffo

on this. And it is our priority. It was our priority when I was there

Brandon Wales

and it is certainly a priority going forward to make sure that we are speaking with as much as one voice. And I think this is born out of feedback from industry, particularly industry that has global operations. They want to understand whether we are seeing things in a common way across the world and if we can make sure that we have that common voice because when we speak as one it's more powerful.

And you're right, it started with our closest friends and allies. You know, first starting just within the U.S. government to more consistently co-seal documents to make sure that there is a U.S. government perspective on cybersecurity that we are advancing as often as possible. And so almost all of our advisories today are joint sealed across the government at a minimum. Then we look at international partners, starting with our close partners in

the Five Eyes and then moving on to others. I think we had one earlier, I think we had one in maybe last year that had like 19 co-signatories. I think some of the work we did on AI, some of the work we've done on secure by design, obviously it's far easier to get partners when we're talking more generically about best practices on cybersecurity, on AI for critical infrastructure. A lot of countries want to join and support our efforts on that, on secure by design. Huge

global support for those efforts. A little harder when you're doing attribution of an incident to a specific nation state, particularly China. But I will note that we have overcome that challenge in a number of cases and some countries are doing attribution themselves. I mean even in the last few weeks Germany has done attribution of a, of a

campaign to Chinese state sponsored actors. I think more countries are becoming willing to do this because they recognize that the evidence is so overwhelming and the, there's, there's a real demand to, to call out this type of behavior that's outside the bounds of,

of norms in cyberspace. And so my hope is that we convince more countries to be willing to do that because I think the more we are able to highlight the fact that countries like China and Russia and Iran, North Korea are doing things in cyberspace that we all disagree with, the potential exists that it will actually have an effect on their behavior. And if you had to rack and stack, and this is sort

Frank Cilluffo

of an unfair question, because the truth is, is I would argue any country that has a military has a cyber capability. But if you had to rack and stack from a threat perspective, China, Russia, Iran, North Korea. I don't want to put words in your mouth, but does it go sort of like. And increasingly, proxies are playing a much more significant role. Groups are afforded safe haven in countries, notably Russia and elsewhere. But how would you rack and stack it? Yeah, I mean, I think

Brandon Wales

they also, they have much different objectives. And so their capabilities may vary in. That

Frank Cilluffo

tensions vary capabilities. They're gonna. And they're gonna vary based on what they're trying to

Brandon Wales

achieve. So for example, if you're talking about countries that are good at stealing bitcoin, you know, no one, that's North Korea, no one does better than North Korea. My belief is, and I think this is backed up by the evidence, you know, China is the most significant strategic threat that we face. And it really is the national security challenge of the current generation. So that needs to be at the top of

and most important focus. Russia is fairly distracted trying to handle Ukraine. It doesn't mean that their cyber capabilities are less potent, but it does mean that their focus is a little bit different. Self induced. Self induced. They created their own nightmare. But it also means that they've got, you know, what they do is a little bit different. You know, they are much more permissive in allowing proxies to use criminal organizations, for

example, to operate inside of Russia without taking action. And I think that is one of the reasons, not the only one, but one of the reasons why ransomware has gotten as aggressive as it has over the past few years is because they've had a safe haven operating out of Russia. You know, you don't see the same exact thing happening in China. Our concern there is much more actors that are directly

state sponsored, state directed. There's some moonlighting, but it's not. There's moonlighting, but not the scale of the PLA. We're not talking about the scale of what there is in Russia. You know, I think Iran's capabilities continue to grow. We've seen them be fairly aggressive, particularly in the disinformation space. And these kind of hybrid attacks, even like we saw a few weeks ago with the compromise of some campaign email accounts and then

leaking, potentially leaking that information. We saw that same similar activity in 2020 where they were masquerading as Proud Boys. So they've got capability. They tend to focus a bit more regionally, a lot more activity. If I'm in Israel, I've got a different perspective on this. But you know, we have seen semi Iranian actors launch attacks against U.S.

water systems. Fairly low level, not very sophisticated attacks, but they're out there. So I think unfortunately the nature of our, the vulnerabilities in US critical infrastructure mean you don't

necessarily need to be the most sophisticated actor to have some negative consequence. And it's, you know, I think it's one of the reasons why CISA was pushing so hard on a lot of the secure by design because defending our way out of this one water utility at a time is not a recipe for a lot of success. We need ways to scale these solutions. And I think working with some of the major technology companies who then provide this technology to tens or hundreds of thousands of

pieces of critical infrastructure, that's the way you really can get ahead. Of some of

Frank Cilluffo

these challenges and large ransomware gangs. I mean from a tradecraft perspective, the tactics, techniques and procedures that you're seeing from criminal enterprises used to be in the hands of only a handful of nation states. And now that seems to be widely utilized. And

Brandon Wales

we've seen, you know, just much more specialization in ransomware. Let's talk about in the criminal ecosystem because you know, in the past, let's say 10 years ago, you would have had it if you were a criminal organization trying to launch electronic crimes, you would have done everything yourself in house. Today that's not the case. You'll have groups that just develop tools. You'll have another group that just develops initial access, these kind

of initial access brokers. And then you'll have people who will license those tools and pay small bouts of the proceeds back to the entities that built them. And you'll buy accesses from another person. And so this specialization has allowed a dramatic improvement in the sophistication of the criminal ecosystem by them basically tapping into the capabilities of the most sophisticated parts of the entire community. And it is an industry, it's an illicit

Frank Cilluffo

economy. And you need to. No, that's what I talk about as an ecosystem, because

Brandon Wales

it very much is there are people who specialize in different aspects of it and they operate like a business in many respects. And unless we were able to disrupt that business model, it is going to be very difficult to make dramatic improvements. And I think the intelligence and law enforcement have done really amazing work. There have been some big takedowns that have had that have disrupted key groups infrastructure, their ability to

operate. But the ecosystem has been demonstrated to be somewhat self-healing: as one group goes away, another one. Sort of like the narcotics industry from a counter-narcotics perspective.

Frank Cilluffo

It does have. It rhymes similarly to what we saw in the 80s, 90s and I'm sure through today. Brandon, look, looking to transition priorities, we've got an election coming up. There will be a new president. What would your top three, and I won't let you go without talking JCDC and public-private partnership. But what would your top three recommendations be? So number one is, is going to be China. The focus on

Brandon Wales

how we organize and ensure that both the government and industry are cited on the challenge and are working aggressively. You know I think we have, this has been talked about publicly but you know Xi has given direction to the PLA to be militarily ready to, to retake Taiwan by 2027. It doesn't necessarily mean that, that they will be signaling. Yeah, but if they're planning on a 2027 horizon, so do we. And

that will be right in the middle of, of this next administration. And so the urgency of the Chinese threat to, to the US needs to be priority number one.

Frank Cilluffo

And that has broad bipartisan support. Broad bipartisan support. And this is also well beyond

Brandon Wales

just cyber. I mean this, the entire national security establishment, look at it. Yeah, we're just one piece of this but it is a key piece of it and you know it needs to be priority number one. Number two will be finalizing CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act that you know, first of its kind regulation

requiring kind of consistent reporting across critical infrastructure of cyber incidents. Really for the first time it is the final rule is supposed to be submitted by October of next year and will go live shortly thereafter. So the next administration is going to have

the finalization all the remaining policy decisions getting it through the interagency process. So that's going to be a kind of key program that needs to get over the finish line because giving us the visibility of what's happening across the US cyber ecosystem is critical. I mean we still today believe between CISA and the FBI that we were only receiving about 30 or 40% of all cyber attacks that were happening. And so

without knowing what's happening, it's really hard to make sure that we're protecting it. And third, going to the, to the comment you made is making sure that we continue to look for ways to optimize how we operationally collaborate with industry. How do we continue to strengthen that. JCDC is the mechanism by which CISA does that. It was

Frank Cilluffo

created Joint Cyber Defense Collaborative. Joint Cyber Defense Collaborative built off of the recommendation coming

Brandon Wales

from the Solarium Commission for a joint cyber planning office. It really is critical for how we work with, between government and industry to advance U.S. interests in this space. You know, it was designed to be that center of gravity, not just for CISA, but for the interagency for how we collaborate with, with industry. I think it has demonstrated a lot of success, particularly in some instances during major, major incidents, it really

demonstrated its value. So I think really now it's kind of how do you optimize it? How do you make sure that industry knows how to work with it? How do you make sure people understand what it is and what it isn't? When it works well, how do you make sure we lean into that where it may not be the right mechanism for a public private partnership? How do you identify those other

areas? So I really think that those are some of the most key decisions from both the CISA, but also, frankly, from a broader U.S. cybersecurity perspective, those same priorities are going to be, I would argue, for the White House as well. Yeah, I

Frank Cilluffo

couldn't agree with that last point more. And obviously the other points as well. But operationalizing the collaboration I think is, it is the future. And it's not just going to be CISA and the Joint Cyber Defense Collaborative, but also some of the sector risk management agencies where they have unique insights into their domains, like Treasury has a couple of initiatives out, other sectors as well. I hope that the energy continues

behind that because that, that's where we're going to yield great fruit. And I think that's where you've seen the interagency yield great fruit is one team. And I

Brandon Wales

think this is also about leaning into our competitive advantages as a country. When you think about how do you align our strengths against your opponent's weaknesses. Our strength really is the vibrancy of our industry, the innovation that comes from it, the expertise that's resident in it. And for us to win, we need to harness all those capabilities and bring them together and that operational collaboration is the way we do it. I

agree with that. And the companies we have in this country in cybersecurity and technology really lead the globe. And if we can bring them together with what the government understands, the government's expertise with the national partners, you know, that's really our strength. And I think that is, and that is not a partisan issue. That is, anyone will kind of look at it the same way and needs to figure out how to lean into those partnerships to achieve our overall goals. And I'd like to see it

Frank Cilluffo

move from great collaboration in response to incidents to everyday sort of collaboration, which I think is the next step. That is the challenge. How do you sustain that partnership

Brandon Wales

when there's not something to rally around? Because it's really easy when there's a major incident to say everyone get together. How do we bring together what we know and use this to, to, you know, advance our objectives? It's a lot harder to sustain that on a day to day basis. And I think that's part of what we need to look at. What questions didn't I ask that I should have? Well, there's,

Frank Cilluffo

we covered a lot of territory, but there's so much more to, there's, there's many.

Brandon Wales

You know, the only thing I will say, the only thing we didn't really discuss was election security. Only a few weeks away from the next presidential election. This is something that I worked a lot on in 2020 and before I left government. You know, I'll just say at the top end, I think that our elections are in really good hands. They are arguably more secure and resilient than ever. And people should have confidence that when they go to vote, their vote will be counted and counted

correctly because of the strength in the systems. Let's say they won't have, won't be some issues here and there because anytime you have, you know, 150 plus million people doing something on the same day using technology, you know, there will be, there will be challenges here and there. Things won't work perfectly, nothing does. But overall there's enough

redundancy, there's enough resilience in the system for us to have confidence. I think it is a good example for a sector that even before it started focusing on cybersecurity, focused a lot on resilience. How do you make sure you continue to hold an election even after you had a hurricane wipe out all of your polling stations? And election officials do that every day. And so as we run up to the, to this election, people should continue to have confidence in it because people who have spent

the most time looking at it do. Brandon, thank you for your many years of

Frank Cilluffo

public service, for advancing the ball, bringing us to a place where we're much better than we were many years in the past. And best of luck with your next step at Sentinel One. Do you want to share your new role? Yeah. I was

Brandon Wales

offered a position at SentinelOne to be Vice President for cybersecurity strategy. Really looking forward and for me, really, this is a way to continue the mission, going to get to work with some of the most important companies in the United States and around the world, helping them improve their cybersecurity. And for me, I really think it is just the next step for me kind of understanding the U.S. cyber ecosystem. And also, as we've been talking about, industry is not only on the front line,

it is the front line in cybersecurity. And so having an opportunity to really get in with some of the most critical companies, helping them better protect themselves, working with a great team at SentinelOne, I think it'll be a really fantastic opportunity and way for me to make sure that I'm still helping with what we started in government.

Frank Cilluffo

Brandon, keep running. They're lucky to have you. Thanks so much for spending some time with us today. No, thanks, Frank. Really great conversation. Thank you. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.

Transcript source: Provided by creator in RSS feed.