Afternoon Cyber Tea with Ann Johnson 2.6.24
Ep 90 | 2.6.24

Cyber and Critical Infrastructure


Ann Johnson: [Background Music] Welcome to "Afternoon Cyber Tea," where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. Today, I'm joined by Frank Cilluffo, who is the director of the McCrary Institute of Cyber and Critical Infrastructure Security at Auburn University, which fuses theory with practice and policy with technology to protect and advance US interests in the areas of national and economic security. Frank is routinely called upon to advise senior officials in the executive branch, US armed services, and state and local governments on an array of matters related to national and homeland security strategy and policy. Before joining Auburn, Frank served in senior roles at George Washington University, where he founded and led the Center for Cyber and Homeland Security. Prior to GW, Frank served in the White House. Immediately after the attacks of September 11, 2001, he was appointed the special assistant to the president for Homeland Security. Welcome to "Afternoon Cyber Tea," Frank.

Frank Cilluffo: Thank you, Ann. Pleasure to be here and look forward to our conversation.

Ann Johnson: So you have this incredibly impressive background from the White House, through the work you did at George Washington, through the work you're doing at Auburn. And I'm sure even before that. I would love if you could start by telling our audience a little bit about your journey. What sparked your interest in the intersection of cybersecurity and national security and policy, and what brought you to your role at Auburn?

Frank Cilluffo: Well, thank you, Ann. And like many of my colleagues and friends in the field, a lot of accidents, a lot of detours. And I wish I had a coherent roadmap for my previous work and how I got to where I am. Bottom line is, always curious. I think I started focusing on cyber issues in earnest in the '90s. I was at a think tank, the Center for Strategic and International Studies, at the time. We did a number of reports that were, at the time, we were calling it info sec and information assurance and just about everything else. But I think many of us had sort of concluded that none of us could have predicted that we are where we are today in terms of our dependence upon technology and the role it plays in society. But many did recognize that there were some vulnerabilities that needed to be addressed quickly. And I think we're all coming to conclude that all forms of conflict, crime, and also all good things have a cyber dimension to them. So it's sort of where oxygen would be in the beginning of time. It's part of us. It's all around us, and I think we have an opportunity to shape it for good.

Ann Johnson: Yeah, absolutely. I think that cybersecurity has finally become something that's very mainstream. People understand phishing attacks. They understand identity theft. They understand their data might be stolen. So it's not something that, when I started, and you started a long time ago, people just had much less familiarity with. So I do think that's a great thing for the industry, because it helps us become more mature the more aware people are.

Frank Cilluffo: Yeah, 10-4 on that. And sometimes, for bad reason, we become aware. But let's hope the forces of good prevail here.

Ann Johnson: Absolutely. So as we pull the thread on cyber and national security and economic security, let's talk first about the big picture. Cyber is obviously a huge issue. You don't have to go far to read any headline to see that. But there are other common trends that we are seeing in the way of how threats are attacking critical infrastructure and national security. Can you talk a little bit about the macro issues you are tracking and what the implications are of those issues?

Frank Cilluffo: Sure. And not to sound philosophical here, because you certainly don't want philosophy from me, but the reality is, whereas technology may change, human nature remains pretty consistent. And unfortunately, a number of our adversaries are turning to computer network attack and cyber means to achieve their diplomatic, military and economic objectives. I think one of the greatest challenges here, though, is that a lot of our true resources, capabilities and value are in the hands of the private sector. And few in the private sector went into business thinking they have to defend themselves against nation state threats, criminals at scale and the like. So I think all things said and done, the threat comes in various shapes, sizes, flavors, and forms. But if you were to get to the top of the threat spectrum, we're obviously dealing with nation states. Within that, four that I think are of greatest concern to US national interests. China, which in many ways poses an existential concern. Russia, who's been pretty active in the cyber battlefield and cyber domain. North Korea, which if you look at a map at night and you look at it from space, you won't see a whole lot of lights in North Korea. But the reality is they punch well above their weight. And whereas traditionally, organized crime tries to penetrate the state, I think in North Korea's case, it's the state penetrating organized crime. They're largely a state sponsor of crime because they've been largely cut out of the traditional international economy. And then, of course, Iran, who has been an active player in cyber. And we're seeing some of those implications play out as we speak. And when you look at cyber, we still tend to look at the world through our own boxes and charts. And the reality is cyber doesn't know borders the way we traditionally think of borders. And what happens somewhere way over there could be a preview of a movie coming soon to a theater near you. So I think it really begs the need for not only collaboration within our own alphabet soup of government agencies, most importantly with our private sector partners, because that's where the solutions are going to reside, but also some of our international partners, and it's very difficult to delineate and bifurcate our national security considerations from our economic security considerations today.

Ann Johnson: I think that's really well said. Everything that you said, the increase in nation states, we talk a lot about how, and I'll use North Korea, which was your example, how when there are sanctions applied, that we see an increase in nation state activity, or nation state subtly sponsored activity, like ransomware attacks, right, to try to just fill the coffers when folks are having financial issues because of sanctions. So thank you for illustrating all that and talking through a bit of the nation state actors, because it's helpful context for everyone to hear it again and to get a refresher. The industry has been thinking about the cybersecurity of critical infrastructure for quite some time. I don't know that our maturity level is where it needs to be, but there's certainly been significant improvements in awareness and capabilities over the past several years. But can you give us a sense for what is typically included in the definition of critical infrastructure? How has that definition evolved over time, from the time you started working post the 9/11 attacks until now, and what needs to evolve even further?

Frank Cilluffo: That's a great question, lots to unpack there. I'll start with some of the definitional points, because by and large, at least the way the US government defines critical infrastructure, which was promulgated in Presidential Decision Directive 21, has not been updated since 2013. The world's changed a bit since then. In that designation, they identified 17 sectors to be critical. I think many of those sectors remain critical. Not all are equally as resilient and as secure as I would hope. But by and large, there is recognition inside those 17 critical infrastructure sectors to be able to move the ball. As we speak, the current administration is updating PDD 21, mandated by Congress. They're, I think, a little behind the eight ball in moving that forward. But all things said and done, this is an opportunity to sort of take a strategic look to see if we're on target and to see if anything has risen up to that designation of a critical infrastructure. I've got two that I think ought to be included. I know they're up for debate, but we did a pretty significant study last year on designating space as a critical infrastructure. Some would argue cloud, and just its ubiquity in terms of use by the end user. Some could also say that they're cross-sectoral, so maybe they don't need to be their own sector. But net-net, I think we're close to where we need to be, but I do think it needs to be refined. And I had the privilege of serving on the Cyberspace Solarium Commission, and we were pushing very aggressively for what we were calling, and obviously you can tell we're not in the acronym business, systemically important critical infrastructure, the acronym SICI. Not exactly the best acronym, but the idea being, if everything's critical, nothing's critical. How do we double, triple, and quadruple down on those that are most essential to our national security, our economic security, public safety, public health and the like? So while all are critical, they're not all created equal. Some are more essential and critical than others.

Ann Johnson: That's a really good description, and also a good description of the debates we need to surface and have. At what point does cloud, which has become ubiquitous for our largest corporations and government entities around the world, at what point does that become something considered critical infrastructure? Space? As we continue to see the private sector going into space and doing space exploration, at what point does that become critical infrastructure? So I think that there is a lot to unpack there and a lot of healthy debates to have, the tensions necessary in the system, because we have to keep evolving as the society evolves. We can't just stand on definitions that we decided 10 years ago in 2013.

Frank Cilluffo: Well said, well said.

Ann Johnson: That being said, are there sectors of critical infrastructure that you believe are more at risk than others? And if so, why? And what should the leaders in those sectors be thinking about and be doing differently?

Frank Cilluffo: That's a great question. I wish there were an empirically based, simple response to that. But when you look at dependency and the essential nature of electricity, I think that has to be at the top of anyone and everyone's list. If you don't have power, I don't care what else is up and running, you've got issues. I do think you've seen massive improvement of the utilities and the energy companies, recognizing not only out of their own goodwill and hearts, but from scar tissue. They're seeing a lot of activity in that domain and are treating the risk commensurately. I would say financial services clearly is at the top of everyone's list. And again, not always because they are doing the right thing, but they're in the business of business and they've recognized the criticality of keeping the financial services in a good place. I think that one of the issues here is people tend to look at the sort of Pearl Harbor incident. I don't think that's a very constructive way to look at cybersecurity issues, because I'm worried about loss of credibility. I'm worried about a run on, whether the threat is real or not. If people perceive it to be as such, it can undermine confidence in our systems and the like. One that I'm very worried about, to be very blunt, is water. You've seen one water system, you've seen one water system. The reality is, unlike some of these other sectors, some are going to be private sector owned and operated, some are going to be federal, some are going to be municipalities. And I do need to tip a hat at your day job. Microsoft has really done some good work looking at how to shore up water. But if you look at and pull on a thread I brought up earlier, activities overseas could be coming to us here soon. The reality is you can't look at cyber in isolation from the geopolitical environment that's out there. Cyber is a means to an end. It's not necessarily the end in and of itself. It is its own domain, but it transcends air, land, sea, space. If you were to look at some of the regularly occurring attacks on Israeli water systems by the government of Iran and its proxies, you should also be ready to know that we can be in the crosshairs as well. And I hate to say it, as important as it is to our public safety and to modern societies, I would not put that at the same level of security as I would, say, utilities, financial services, the defense industrial base, and the like.

Ann Johnson: I think there are a couple of things in there that are worth unpacking. The first thing is water resilience is becoming a more critical conversation just because the climate is changing in a way, whether or not you are bought into how it is changing, which is making water stability a major global issue. So the ability to disrupt water supply in any part of the world via cyberattack or any other type of attack is going to be a critical attack vector. If you go back, and I'll give you the analogy I often use, by the way, I talk about ancient Rome, because I think it's a really worthwhile analogy to understand that one of the reasons that the attackers were successful is because they poisoned the water supplies coming into the city. So that is the same type of critical infrastructure attack you can apply to cybersecurity. If you go back and talk about 9/11, a lot of that was a social engineering attack. The ability for those folks to actually get through airport security, get on the plane with the weapons, even though the weapons were minuscule, but the ability for them to actually, they were deadly weapons, for them to get through that system required a lot of social engineering, which is something we can also apply to cybersecurity. There are a lot of learnings we can take from history to understand how those things now show up in cyberattacks. And I think that's a reasonable summary of what you were saying.

Frank Cilluffo: And that was a great summary there. Lots of goodness. You know, one of my favorite quotes, which may not fully be attributable, and I attribute it, maybe falsely, to Mark Twain: whereas history may not repeat itself, it tends to rhyme. And the reality is, we're seeing a whole lot of rhyming right now, and I think we sometimes forget that. So from a risk based perspective, if you're looking at it at the meta level, from a national perspective, you want to get the biggest bang for the buck on where you can batten down risk and enhance resilience and security as much as you can on the most critical sets of issues. But we tend to forget that we're dealing with thinking predators who base their actions largely upon our actions. So the reality is, and you know this better than anyone, there's no end state. You can never say victory accomplished from a security standpoint, and you certainly cannot say that from a cyber perspective, because the threat comes in various shapes, sizes, and forms. And the reality is, once we start battening down in one area, that obviously increases risk, likelihood, and concern in others. So I think, not to get all boring and wonky here, but we do need to take, as much as we can, an empirically risk based approach, and always recognize that that never means we're going to be 100% secure.

Ann Johnson: It's a thesis that all of our chief security officers and folks that talk to their executives need to understand. Because corporations understand risk, they know how to model risk. The board is risk driven, so being able to have a cyber conversation in the context of risk is important. And to your point, before we pivot and move into what we're doing today, I spent a lot of my career in bank fraud. And one of the things we learned in banking fraud is what happens if you lock down one channel. So when we started locking down the mobile banking channel and we started locking down the phone banking channel and we started locking down the ATM and the web channel, people went back to forging handwritten checks. So that is the point you were making, that if you push on the balloon in one place, you're going to have the balloon explode in another place. And that's why you have to have what we call defense in depth. Right. And you have to have it across the entirety of the ecosystem. So thank you for sharing those thoughts.

Frank Cilluffo: Well said. And that still means you have to do what you got to do. It just means we're not ameliorating all risk. So, well said.

Ann Johnson: Exactly. Let's pivot a little and talk about what we're doing today and how we're trying to get our arms around these nation state actors, cybercriminals and the emerging threats. There was a national cybersecurity strategy that was released in 2023, and the strategy has five pillars outlining what the US government administration believes is needed to deliver a safe and secure digital ecosystem for all Americans. The five pillars all carry importance, of course, but I would love to hear from you. What about this strategy stands out to you?

Frank Cilluffo: Well, the first piece is something we touched on in different ways. And pillar 1 is defending critical infrastructure. Pillar 2 is disrupting and dismantling threat actors. So I think those are paramount and tantamount and just essential to any of the other pillars. And what I really appreciated seeing in the strategy is the recognition, we've all been around report after report after report after report highlighting the importance of public private partnerships, but in this case, it recognized that the private sector is an essential, genuine partner. And how do you scale some of those activities, and how does the government, maybe not the way it normally does, feel comfortable, instead of trying to control environments, allowing some flowers to bloom and allowing the private sector to take lead roles in some of these issues? So scaling public private partnerships is essential, which I think comes right into pillar number 2, and that's disrupting and dismantling threat actors. The reality is, and I'll shed a little more love toward Microsoft, there have been some amazingly good, not widely reported incidents where Microsoft has been a genuine partner with state, local, federal, law enforcement partners and our international partners to be able to take down botnets internationally, to work with other companies in host countries. Because the reality is, again, we can't do it all on our own. And many of the bad actors are provided safe haven in two countries of concern, and I'll name them: Russia, China. So the reality is there's a common thread there. So how can we get around some of those issues? Government on government, alphabet soup agency, whether intelligence, law enforcement, diplomatic, that's only going to get you so far. It's going to require partnering with the private sector. And the reality is, I do feel we need to lean forward. So not to, again, philosophize here, because I'm not the philosopher. I'm more like Yogi Berra's version of that. But the reality is, when you look at cybercrime vis-a-vis traditional crimes, there's still this perception that we're blaming the victim. An incident occurs, you blame the company. And I'm not saying companies don't need to do more. They must do more in the cyber domain. But we end up blaming the victim, and the perpetrator rarely has any imposition of cost or consequence for their bad behavior. We really have to flip that equation. And to get to that point, we're going to not only have to scale our partnerships, the government's going to have to be comfortable working with partners that may not be government. And to me, I went far beyond what is laid out in the strategy, but I think it sets sort of a roadmap for where we potentially can go. Now, here's the problem. As we all know, with every strategy, we've got to be able to translate those nouns into verbs. And it can't just be another document that sits on a shelf. It has to be implemented.

Ann Johnson: I think that's incredibly important. I also want to pull a thread on something that you said before. We talk about the private public strategy pieces and, you know, I talk a lot about being a cyber optimist. And one of the reasons I'm a cyber optimist is because I know all the work that Microsoft and other organizations are doing behind the scenes that never makes the headlines. So for everything you see in the news, there are thousands of things that we've actually detected and defeated before they could ever become a real breach or newsworthy. And as long as that continues to be the paradigm, we're going to stay ahead. Cybercrime, to your point, is never going to be solved completely. It's just like when people ask me that, I say, well, it's the same thing as burglaries, right? No one's ever going to have zero burglaries ever happen. It's the same with cybercrime. It's baked into the infrastructure. But the more we stay ahead of it, the better.

Frank Cilluffo: I just want to touch one point there, because, again, we're in violent agreement. The one ingredient that I have found over the years is 100% essential to any success is trust. Trust takes a long time to build and it can evaporate in nanoseconds. To your point, all the work that goes on behind the scenes, even if it's not directly having an outcome on a particular incident, it is essential to building that trust, because when the balloon goes up, you don't want to be exchanging business cards for the first time, and you want to have walked a little bit in someone else's shoes and at least understood a little bit of their pain points. So again, a hard thing to put your finger on and give a scientific answer to, but without it, we ain't getting anywhere.

Ann Johnson: Well, I'll do two thoughts and then we'll close this as we move into talking a little bit more about private public partnership. The first thing is, I actually am quoted as saying, and often say, "Trust is built in drips and lost in buckets".

Frank Cilluffo: Great. I'm stealing that. I'm stealing that, Ann.

Ann Johnson: OK, feel free. And the other one that's not original to me, is "the worst time to build a relationship is when you need one". So that was your point about exchanging business cards.

Frank Cilluffo: And we learned that post 9/11 in a mass scale kind of way. So, yes.

Ann Johnson: But let's talk about the private sector a bit. You know, the private sector will obviously play a huge role in elevating cyber posture and protection for the nation and the world, not just the US. What would you like to see more from the private sector specifically, and what sort of work needs to happen between the private and public sector so we can actually make progress and have an impact on this national strategy?

Frank Cilluffo: I'll start with the second question, because I think it feeds right into the trust. So, yes, we need more information sharing, but we need information that's actionable. We need information that can be used and stripped of some of the legitimate privacy considerations and concerns citizens have and holders of that data have. But all things said and done, what I would really like to see at a 30,000 foot level is for all boats to rise in this domain. I touched on a couple of what I consider the shining examples in terms of sectors that are moving the ball. But for all of those, you unfortunately have some laggards who are still not there. And in addition to some of our critical infrastructure owner operators that, again, are essential to building resilience in society, I am very concerned about small and medium sized businesses who just don't have the wherewithal, don't have the resources. And small and medium-sized businesses, that's the engine of our innovation in our country. So we have to do more to bridge that gap, which is a pretty significant one. Companies like Microsoft, you guys can get the best and the brightest, and you are getting the best and the brightest. But there are so many other companies that one day hopefully can be Microsofts in their different fields and in their different sectors that quite honestly do not devote the resources and are having a hard enough time making sure they get payrolls paid. So it's understandable. And then from a national security standpoint, many of those startups and smaller companies that are innovating at the true bleeding edge of technology, whether it's on the quantum side or whether it's on the AI/ML side or whatever it may be, they're not thinking about security. And you've got CFIUS concerns in terms of nation state actors that can steal intellectual property, but you also have the ability then to, you don't need a zero day if you're in the system from day 1. So I do think more needs to happen there as well. And one point, I am all in on some of these SEC reporting requirements. I was very slow. I was a mitigate before litigate or regulate kind of guy, and still am. But in terms of data breach notification, it's like a public health incident. You have a responsibility, because so many people are impacted and affected, to disclose. And one thing I would like to see come down the path, if we are moving in that direction, is also to synchronize some of these regulations. So one in particular, I'd like to see some of the SEC reporting requirements or others be in a position to trump, for example, every state having a separate data breach notification law. So that's just a lot of paper, and that's a check the box, and it doesn't necessarily buy down any real security. So those are some of the ideas I'd like to see. And also fiduciary board attention to these issues. You summed it up in a previous question that we had, but at the end of the day, cyber is like any other risk. It doesn't have to be treated as a black art and a black science and "I've got a secret" kind of stuff. Yes, there's always going to be some of that, but the truth is, when you can treat it as you can other risk, you have a much greater likelihood of not only what gets measured gets done, but measuring what actually matters. And we need to make sure that not only publicly traded boards, but also other smaller, private boards are taking this seriously.

Ann Johnson: Yeah, and I want to pile on a little to that. Right. We are big believers in the cyber reporting requirements. We're showing leadership and sponsorship with the SEC requirement. We think it's a step in the right direction. And I personally am in violent agreement that we have to have some type of consistency. So, all of the different state reporting is well intended. Right. It's the best intended, but it does become onerous and does not necessarily fulfill the purpose of having a more secure future, which is what we're trying to build. So thank you for sharing your thoughts on that.

Frank Cilluffo: Exactly, exactly. It's the truth. And again, well intended is the key word here. But we also have businesses to run, right? So cyber needs to be part of that. It can't be all of that, or we won't have many businesses.

Ann Johnson: Like a lot of things, that makes sense. So I know you're busy. You have lots of irons in the fire. I would love if you could share with our listeners a few of the exciting things you're working on right now.

Frank Cilluffo: Well, thank you. We do have a lot going on. I have the privilege now to direct an institute at Auburn. I have worked in think tanks for many years, was getting a little bored of just admiring problems. Wanted to be in the solution set and have a tech bench that can help implement some of these ideas. As harebrained as they may be, every once in a while they stick. But some of our coolest work right now, we're about to kick off an effort with Oak Ridge National Lab around grid security in the southeast corridor, in a region there, to not only bring in all of the utilities, but also ensure co-ops and others are part of that solution set. So that's about to kick off. And then on the policy side, excited, going to be ramping up an interactive multimedia platform that, Ann, I'd love to pull you into, where we'll be doing a little bit of one-on-one, long forms, but also a little McLaughlin style where you can have constructive debate and not shoot the messengers, but disagree on some of the message. I feel like Washington's become way too polarizing these days. And the reality is, in my field, everyone more or less bleeds red, white and blue. And we've got to make sure we're continuing to focus on that. And then it's about, and this is not meant to be sort of another cheesy "it's about the future," but it is about the future. And the reality is we need to make sure that we are expanding who is part of the solution set, because tomorrow's workforce is not going to look very much like ours today. And at the end of the day, we want to make sure that we have the best women and men fighting the good fight. And to be honest, we don't have enough women. We don't have enough diversity in this field. And I think that has to change. And it's not only the right thing to do, it's a smart thing to know.

Ann Johnson: As a political science major who cut my teeth on the McLaughlin Group, I love that reference. I would love to return.

Frank Cilluffo: We want you. Absolutely.

Ann Johnson: Yeah. That would be a lot of fun.

Frank Cilluffo: And still disagree, but in a constructive way. That may sound Pollyannaish or maybe I'm stuck, but I can complain about it or I can try to do something about it. So I'd rather try to do something about it.

Ann Johnson: Without going into any detail, I used to have really healthy debates with people who were very close friends of mine or family of mine on the other side of the political spectrum, and we just can't do that anymore. And I miss it. Right? Because I learn, by the way. You learn, too. You learn perspective. You think about their point of view, or, like, maybe you moderate your point of view a little. It's actually healthy.

Frank Cilluffo: No kidding. I'm with you on that. And that's a lost art and a lost science. So consider this an invitation for when we kick that off.

Ann Johnson: Thank you very much. I'm really looking forward to it. And I know my producer who produces all of my content is listening to this call right now, so he will make sure he makes a note. Thank you so much for chatting with us. Despite the rise in overall cybercrime, I've mentioned I'm an optimist. I think the cyber defenders are more often than not one step ahead of the bad guys. Tell me why you're an optimist, and I'd love to hear why you're optimistic about the future and your perspective and how we come together, public, private sector, everyone, to defend our digital world.

Frank Cilluffo: I am an optimist. I had friends over the years tell me a pessimist is an optimist with experience. I don't buy that. That doesn't mean we don't all have scar tissue. The reality is we need to learn from that scar tissue, and none of us are predicting futures. But all of us can play a small role in helping shape what we want that to look like. And if you just look at the amazing opportunities technology has brought to our country and to the world, I think it would be a shame to not build and shape what we want that future to look like. That said, we can't take our democratic beliefs, our democratic principles, for granted. Technology also allows autocratic regimes to have significant power in ways they haven't had. So this, again, is why we need to work with like-minded individuals the world over and make sure we win one for the good guys. So I will always be an optimist. Otherwise, I'm not sure what we're here to do. So thank you, Ann, for having me. Thank you for fighting the good fight and making a positive difference.

Ann Johnson: [Background Music] And thank you for everything that you do every day because this is a daily fight and people need to be reminded that occasionally. And thank you for making the time to join me today on "Afternoon Cyber Tea".

Frank Cilluffo: My pleasure. Thank you, Ann.

Ann Johnson: Many thanks to our audience also for listening. Join us next time on "Afternoon Cyber Tea". I invited Frank Cilluffo to the podcast because he is a resident expert on the intersection of national security and cybersecurity. Having worked in the White House during the 9/11 times and coming through different organizations like George Washington University and Auburn University, he is really a big advocate of public and private sector partnership and sharing, and of understanding the implications of cybersecurity on both national security and economic security. It was a fascinating conversation that I'm sure all of you will enjoy.