Inside President Biden's 'Relentless' Cybersecurity Focus
US Deputy National Security Adviser Anne Neuberger Details Priorities, Future Plans
Tom Field (Security Editor) • May 4, 2023
Cybersecurity priorities? U.S. President Joe Biden's administration has more than a few.
In particular, the White House continues to pursue a "real, relentless focus" on improving critical infrastructure security and U.S. resilience to attacks, disrupting ransomware groups and combating the illicit use of cryptocurrency, said Anne Neuberger, the U.S. deputy national security adviser.
In this video interview with Information Security Media Group at RSA Conference 2023, Neuberger discusses:
- Drivers behind the Biden administration's national cybersecurity strategy, including its focus on critical services and infrastructure;
- The role cyber plays in global conflicts and how it has been evolving since Russia launched its all-out invasion of Ukraine;
- Key White House initiatives and what needs to happen to advance them, including securing the internet of things and safeguarding the use of machine learning and artificial intelligence.
Neuberger is deputy assistant to the president and deputy national security adviser for cyber and emerging technology at the White House. Previously, she served as the National Security Agency's director of cybersecurity, where she led the NSA's cybersecurity mission, including emerging technology areas such as quantum-resistant cryptography. Prior to this role, Neuberger led NSA's election security effort and served as assistant deputy director of NSA's Operations Directorate, overseeing foreign intelligence and cybersecurity operations. She also served as NSA's first chief risk officer, among other roles. Before her government service, she was senior vice president of operations at American Stock Transfer and Trust Company, where she directed technology and operations.
Tom Field: Hi there, I'm Tom Field. I'm senior vice president of editorial with Information Security Media Group. It's my privilege to introduce our next guest in ISMG studios. She is Anne Neuberger. She is the deputy assistant to the President, deputy national security adviser, cyber and emerging tech, National Security Council within the White House. Anne, thank you so much for giving us your time and your insight today.
Anne Neuberger: It's a pleasure to be here with you.
Field: Here we are. We're midway through the term. How would you assess the work done so far by the Biden administration to address cybersecurity and certainly critical infrastructure protection?
Neuberger: New President Biden made it clear at the outset of his administration that he wanted to see real improvements in cybersecurity for the nation - on-the-ground improvements. And I think, to your question, there are three areas where we've put a real, relentless focus. One is the security of the critical services Americans rely on: pipelines, water and rail. So for the first time ever, President Biden has put in place requirements for critical infrastructure owners and operators of those critical services. What do I mean? After the Colonial Pipeline ransomware attack happened in May 2021, we asked ourselves, how could this be? How could a major regional provider be disrupted via a criminal cyberattack? And we realized that we did not have the required cybersecurity practices in place for, in that case, the 97 oil and gas critical pipelines in the country. So for the first time ever, we executed emergency authorities to require those. So when President Putin began his invasion of Ukraine, and the President looked to us and said, what is in place in terms of cybersecurity protections across pipelines, we had the answer, because we knew those emergency measures had been put in place six months before. Now, of course, it's still a journey, and improvements are still needed. But we have that visibility. And we have that back-and-forth discussion via DHS and TSA with critical infrastructure pipelines. So that's one good example - kind of those minimum requirements for critical infrastructure. I think a second and third, I would say, briefly, is bringing all elements that are possible to fight ransomware. So fighting illicit use of cryptocurrency, you've seen the shift in the Department of Justice, disruption activities, looking at Hive. You certainly see our focus on resilience - CISA's StopRansomware.gov.
And, of course, our international partnership, bringing over 35 countries together around the world to fight ransomware together because it's such a transnational problem.
Field: Within your watch, two years ago, there was the Biden Cybersecurity Executive Order - the biggest, most robust Cybersecurity Executive Order in history. You've just recently released the new National Cybersecurity Strategy. What would you say are the highlights of your first two years in office to this point?
Neuberger: It's a great question. I think, to your point, the Executive Order sent two core messages. One, we will practice what we preach. And we set aggressive guidelines for improving cybersecurity across federal government networks. That was in the aftermath of SolarWinds, which compromised quite a few sensitive federal government networks. The second piece was we said, we in the U.S. government buy large amounts of technology, and we buy the same tech Americans are buying and American companies are buying. Let's use the power of the purse to say we will only buy software that meets these critical security standards. Let's establish that standard. And by our own purchases, lift data. There were many elements of the Executive Order. Those were two key ones that we focused on. When we look at the National Cybersecurity Strategy, you have that first piece where it captures the work done to improve the security of critical infrastructure I mentioned a moment ago. It focuses on our international partnerships. And it focuses as well on saying there's a shared partnership between the companies who build tech and the companies who use tech. And as tech is a bigger part of our economy and critical infrastructure, the companies who build tech need to recognize their role in building tech that's as secure as possible.
Field: That's a great conversation to have at RSA Conference. And it's been happening all week. You mentioned Colonial Pipeline, and that was the big neon sign pointing to the issues that we have with critical infrastructure, particularly, when you get into OT. Where would you say we continue to fall short in protecting critical infrastructure? And what's the administration doing to address that?
Neuberger: So, it's interesting. We're working to learn the lessons from our cybersecurity critical infrastructure in the way we're thinking about artificial intelligence. And I'll talk about that in a moment. We connected the various parts of our economy: our pipelines, with connected sensors determining and monitoring how much oil and gas is flowing; our electricity grid, to do electric grid optimization. And now, in the last two years, we've taken a step back to say, we must secure this rapidly. So it is a journey. Parts of that journey we talked about. We're first requiring owners and operators to practice minimum cybersecurity practices, to do vulnerability assessments, to give us a plan for how the vulnerabilities they find will be addressed and when, to report incidents, and to exercise incident response plans. The second part is using the power of the government purse to drive more secure tech. And I think the final piece is working with governments around the world. So we're working to share what we learned about critical infrastructure in that way. But fundamentally, because we rolled out tech across our economy and now are aggressively racing to secure it, there's always more we need to do. We focused on the tech, on separation between IT and OT networks, and on fundamentally building more secure technology. But having that filter across critical infrastructure will take some time. My goal is that we gain more and more visibility. So we have a good picture of what the state of cybersecurity is for our electric grid. And the fact that we now have companies reporting in to TSA and to EPA on what they were doing with regard to cybersecurity is giving us that picture. Where are the greatest risks? Where do we need to double down and move even more quickly?
Field: Now, it's a different world since the administration took office, as we now have a universally embraced hybrid workforce. We have organizations that through digital transformation have migrated to the cloud in ways they never have before. We have an application economy. We now are talking about generative AI, and we're looking at a federal election already where people are concerned about deepfakes and other exploitations. How would you describe other cyber priorities within the administration? Now, what are you looking at?
Neuberger: I'll talk about two. One is, when we look at Internet of Things devices, they're ubiquitous. They're ubiquitous in our homes. I was reading the statistic this morning about an average of eight attacks against an individual household happening regularly, 46 connected devices in each of our homes. So as we bring in connected devices, one of the core problems in cybersecurity has been, how do you know if something is secure?
If you and I are shopping for a smart TV, how do we know? So the White House hosted an Internet of Things event in October bringing together companies, consumer products associations, government agencies, and others, and we'll be rolling out further steps on that in May, which is an exciting opportunity to say, consumers, we want you to know when you're bringing a device into your home, it's secure. And by the way, manufacturers, here's a way that you can monetize cybersecurity; consumers want to buy secure. Much as we have a nutritional label, can we put on a cybersecurity label? How do you design a national program that does that? So more to follow on that. As I said, I think the second piece of that is, we've heard a great deal about the risks artificial intelligence can bring from a cybersecurity perspective. It certainly brings risks; it also brings opportunities. And you saw some of the announcements here at RSA. So we're thinking about both together. How can we use AI to accelerate helping humans write more secure code? How does AI help us write more securely? How does AI help us identify vulnerabilities in code that's broadly used, for example, across critical infrastructure, and help us accelerate those patches? And on the flip side, what kind of regulatory models do we need to have in place to ensure that if AI is rolled out, for example, in critical parts of our infrastructure, we understand how to interpret it, we have a human in the loop, we understand how to explain it. And we understand, as risks evolve, what risks that brings to the broader system.
Field: Excellent! I want to ask you about some of these initiatives and what needs to happen next to advance them. Let's start with securing IoT. This isn't just the exception anymore, it's the rule. What needs to be done to advance it?
Neuberger: We certainly are very focused on an IoT labeling effort because we believe it brings visibility to consumers. It also can bring industrial-level visibility when we think about IoT. And it incentivizes companies to say, take a moment, and build it more securely. So more to follow on that; we will be moving forward on an Internet of Things labeling program, working closely with the private sector. So it will be an interesting example of government and the private sector each bringing what they bring uniquely.
Field: How about posturing the U.S. to continue to lead on tech, particularly at a time when people are talking a lot more about quantum computing?
Neuberger: It's such a great question. So, the President issued National Security Memorandum 10 just about 18 months ago, and that was the first government to roll out a plan to say we will be both promoting quantum and protecting from potentially an adversary quantum computer that could bring real risks to our broad use of cryptography - asymmetric cryptography. So that started the transition across the U.S. government. And it's work we regularly track at the National Security Council: work like NIST rolling out algorithms, the work of the Department of Defense and the intelligence community beginning that rollout to post-quantum, because we're concerned that data collected today could potentially still be valuable if decrypted even a decade from now. And we are signing a number of partnerships with countries around the world to ensure that we are - our universities, our governments - both contributing to broader global knowledge and, to your point, leading in this promising new space.
Field: One more priority, harnessing emerging tech, such as machine learning and AI, to secure critical infrastructure. What are you doing to advance that?
Neuberger: So we talked a bit about that earlier, to say, fundamentally, to make cybersecurity scale to the pace of the threat, we can learn from accumulated data. And one of the challenges we have, as we know, in data is false positives. And in order to use the power of tech to more rapidly find an intrusion and more rapidly contain it - I think that's where we see the power of machine learning, to learn off incidents that occur. That's been challenging, but to do so in a way that accelerates. And when I've talked to some of the companies who are now rolling out generative AI models for cybersecurity purposes, that's what they're focused on: more rapidly helping defenders find an intruder and then more rapidly contain it.
Field: Anne, you mentioned the Russian invasion of Ukraine, and that's made everyone think more about the role of cyber in warfare. How have you seen the role of cyber in global conflict develop since last February?
Neuberger: Cyber is a part of global conflict now, in a way that was talked about, in a way that we exercised, but now we see it. So in the hours before Russia's invasion, Russia conducted a cyberattack against a global satellite company, because they were a provider of communication services and command and control for Ukraine's military - Viasat. In order to ensure that, as a group of countries, we called out that behavior, we said it is not okay to attack a commercial firm and it is not okay to disrupt satellite communications of a commercial firm providing services. It had impact across Europe, windmills in Germany. We worked very closely with the European Union. And we very quickly attributed that attack to Russia. And the European Union attributed that as well, with the goal of saying, when we think about international norms, what's okay for governments to do, to your point, in conflict via cyber, what is irresponsible to do, we wanted to make very clear that was irresponsible and counter to norms. So we've seen the number of Russian attacks against Ukrainian systems. But I would also note that I think, in many ways, the experience in Ukraine is a positive example for cybersecurity. For those of us who've been working in cybersecurity for a decade, we know that it's hard to be a defender. An offensive actor has to find one vulnerability, but a defensive actor has to be monitoring all of them and ensuring rapid detection of any anomalies. And I think the way we saw both the work Ukraine did as a country, beginning in 2015, after the massive Russian cyberattacks against its energy grid - the work they did to secure their grid, to disconnect from the Russian grid and connect to the European grid - and the work American companies did to surge support to get Ukraine's data out into a global cloud to protect it, winning highlights that focused work by security defenders, the partnerships across governments.
A great deal of work we've been doing with Ukraine, we've been doing with our European partners, the partnerships between government and the private sector can absolutely make a difference. And I think it's proved how much more it can be.
Field: Talk about partnerships. Earlier, you talked about the accountability of the industry to be able to secure its own products. And this was a tenet of the new National Cybersecurity Strategy: that if you're going to put a product out there, you stand behind it, and you'd be accountable for it. What feedback have you received from industry? And I ask you this at a time because just two days ago, I had two different individuals sit in your seat. One was from the venture capital community, and that notion scared him a little bit. The other was Eric Goldstein of CISA; he was quite encouraged by it. I see a big discussion here, to say the least. What feedback do you hear from industry?
Neuberger: So when we talk about industry, I think there are multiple categories. There are companies who produce tech, and they also use tech. And then there are companies who just use tech. And I think we're all aligned to say, the technology that we bring into our operations, that we bring into our pipelines and water systems, plays a critical role. So, for example, every sensor we connect is also an opening. And if we think thoughtfully, it's so much easier to build security in when you're writing the code in the first place than to layer it on top, where you're always looking for, what vulnerability did we leave open? What can we automatically patch? What can't we patch? So I think there's a thoughtful on the spectrum of, let's get tech out quickly so we're first innovators, but we've given no attention to security, to, let's lock something down so completely. And when I think of our experiences with governmental tech, we ended up on this side of the spectrum, which is why governmental tech was so much behind commercial tech. But I think there's so much knowledge now about safe coding practices, safer languages. And frankly, the way things like artificial intelligence can help a human coder find vulnerabilities and patch them more quickly, before code is rolled out. The testing that can be done before code is rolled out. We're at a moment in time where we can make that leap, both because of the criticality of the tech and because of all we've learned about how to do safer coding, how to do more secure supply chains, to take advantage of the moment and say, all of us consuming tech will use the power of buying to say, we're only going to buy tech that meets that standard. So then that lifts all boats.
Field: You mentioned a moment in time. You and I have the privilege to be in this industry at a time when cybersecurity is one of the biggest topics - not in the nation, but in the world.
Neuberger: It's pretty cool that we've come to where we are.
Field: Indeed! And you're in a unique role within the administration to be able to influence cybersecurity policy. One day, this role will end; you'll step down, you'll move on. What is the legacy you want to leave for your successor?
Neuberger: Two items in that legacy. One, I want that individual, when the President asks them, we are in a crisis or national security situation, is our critical infrastructure secure, do we feel confident that Americans can rely on the critical services that drive their lives - gas for their tanks, supermarkets to pick up food, and of course, the national-level critical infrastructure, our electricity grid, our pipelines - to have the visibility of the critical companies, and have they put in place critical practices that we know of, so that they can rapidly find any intruder and ensure there's no degradation of critical services. And the second piece is that we've built the network of countries around the world, who we share what we learn with, and they share what they learned. One of my fondest memories was when we held the first in-person international counter-ransomware meeting in October at the White House. We were 35 countries and the European Union. There aren't a lot of big rooms in the White House, so we were sitting shoulder to shoulder. The reason everybody was coming, sitting shoulder to shoulder, was to say these are transnational threats. You could have infrastructure in six countries, used by people in another, for conducting attacks against another set of countries. We have to work together to understand that infrastructure, to find it quickly, take it down when needed. The crypto in many cases was driving criminal work. The individuals who are building, in some cases, ecosystems that are then leveraged by less skilled hackers. And building that operational partnership, driving information sharing, which we've done increasingly in groups like that, driving the partnership so that we all recognize we're in it together. The administration has made significant progress. There's so much more to do. And that's the second part of what we very much intend to leave better than we found.
Field: Well said. Anne, thank you so much for your time, for your insight. I appreciate you taking time to speak with us.
Neuberger: Pleasure to be here with you.
Field: For Information Security Media Group, I'm Tom Field. Thank you so much for your time and attention today.