Caveat 6.26.25
Ep 266 | 6.26.25

Cyber offense in the hot seat.

Transcript

[ Music ]

Dave Bittner: Hello everyone, and welcome to "Caveat," N2K CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hey there, Ben!


Ben Yelin: Hello, Dave.


Dave Bittner: On today's show, Ben and I are joined by our special guest, Andrew Boyd, former Director of the CIA's Center for Cyber Intelligence, and currently an operating partner at AE Industrial Partners. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. Alright, Ben, let's jump right in here and welcome our guest, Andy Boyd. Andy, boy it's a real treat to have you join us here today. We really appreciate you taking the time.


Andy Boyd: Thanks Dave and Ben. It's an honor to be on the show. I've been a longtime listener, and it's an honor for me as well.


Dave Bittner: Well, let's start off with your experience. Can you share with us, where did you get your start, and what led you to where you are today?


Andy Boyd: Well, I got my start in northern New Jersey, and headed off to the Air Force Academy for college, and then after graduating from the Air Force Academy, spent five years in Air Force intelligence, migrated to the State Department, fell in love with the overseas experience, and spent a decade in the field with the U.S. State Department, a variety of embassies across the Middle East. I learned Arabic, as a Middle East-focused Foreign Service officer, and then, a decade into my career in that arena, I went and joined the CIA. I started working on real concrete counter-terrorism issues, but eventually migrated into cyber operations, ultimately culminating at the end of my career serving for almost four years as the Director of the CIA Center for Cyber Intelligence.


Dave Bittner: What is the primary mission that you had there as Director of the Center for Cyber Intelligence with the CIA?


Andy Boyd: So what I like to say is, you know, CCI is the Mission Manager for all things cyber at CIA. That includes offensive cyber operations, intelligence collection, and strategic analysis, writing products on nation state and non-nation state cyber threats for the Oval Office, and what we call the Presidential-President's Daily Brief, all the way down to, you know, specific analyses of cyber threats that probably would not be of interest to policymakers, but certainly would be of interest to threat hunters in the intelligence community but also in the other parts of the U.S. government-DHS, CISA, and folks that are defenders of our networks.


Ben Yelin: So you-just based on your experience-I think you're well situated to answer this question. One of the things that you told us before this interview is that there is a say-do gap in offensive cyber operations. Can you describe that a little bit? Because I think politicians in both parties, Presidential administrations, say that they want to improve offensive cyber operations, and nobody really knows what that means in practice.


Andy Boyd: So, yeah, this say-do gap, I think I stole that from some of my DOD friends who like that phrase. I mean, I take the new administration at their word. I mean, including John Ratcliffe, who is the Director of CIA currently, who said that they want to expand offensive cyber operations against our adversaries. You know, in this administration. There have been other administrations, or other folks even in the Biden administration who had said something similar, but they didn't really know what they wanted to do per se, with those tools. And so that's where the say-do gap comes in. I think in part it comes from not really understanding what cyber tools can do and what they can't do. We use our cyber tools in the intelligence community and in cyber command, and you know, across the government, to collect information, to collect intelligence, but also under very specific authorities from the White House to disrupt or in some cases destroy networks that are of our adversaries, where we see a threat. I do tend to point to folks who say, you know, after the Salt Typhoon, Volt Typhoon experience, of wanting to do the exact same thing to the People's Republic of China. I tend to think that you know, people are not really evaluating how the cyber tools work, and how that might not be practical. I also tend to point to February 2022, when we thought the Russians were going to do extensive cyber attacks against the Ukraine, during the invasion, and that really didn't come to fruition with the exception of an attack against the satellite network that was providing some communications infrastructure for the Ukrainians. So cyber operations are hard to plan, they're hard to get right, and they have to be nested in a broader strategic policy, a broader national security strategy, and I just have not seen that yet come to fruition.


Dave Bittner: It has been sort of alluded to, I think offensive cyber is sometimes a fuzzy term. Sometimes a loaded term. I would love to hear how you define it, and how you think it's different from cyber defense or active defense?


Andy Boyd: I mean, again, I tend to define offensive cyber as two things-information intelligence collection on one side of it, which is frankly not just the United States, but a number of nations with capabilities do that. And then on the other side, the destructive and/or disruptive attacks using cyber tools to bring down networks. Now, there are some who consider, you know, cyber warfare to be a completely separate domain of warfare, like, you know, the Army and the Marines on the ground, the Air Force and Naval Aviation in the air, Space Force, you know, using space as a military domain. In my opinion, cyber, offensive cyber, is a supporting activity not unlike electronic warfare, to support whatever the strategic goal is of a military activity. Again, separate from my point on information collection, intelligence collection. Now, if you have a well-thought-out strategy, cyber attacks against a military adversary's communications grids, things like that, can be, you know, quite helpful. But in-- on its own, as a stand-alone discipline, I don't tend to think that it's extreme-or very helpful.


Ben Yelin: Just, for example, as we're recording this, tensions have erupted between Israel and Iran, and there has been discussion of U.S. involvement, and I think certainly a reticence to send active U.S. service members into the region for this type of conflict. Do you foresee some point down the line where our entire involvement in a conflict like this, even just supporting an ally, whether that's Israel, or a NATO ally, is going to be through our expertise in offensive cyber operations?


Andy Boyd: I don't think so. I mean, I think the conflict between Israel and Iran is proving that kinetic military activity, for lack of a better term, it is what wins wars. Again, there is-there is some indication that there has been some cyber activity on the Israeli side, onto Iran. Again, I think against a bank that was associated with the IRGC in Iran. That is a supporting element to the broader military operation. I think that the same can be said in the Russia-Ukraine conflict, looking at it, you know, three years hence, cyber activity supported in a very small way the Russian offensive against the Ukraine, and the Ukrainians, you know, similarly used cyber means, information collection, but also disruptive and destructive attacks, as a supporting element. If, in fact, the United States decides to use only cyber tools against Iran, and I'm not saying this is even in the offing-that would really, in my opinion, and this is not a judgment on any administration, it's just what I've experienced over my career, that would really just be a sort of crutch to indicate that we're doing something, because there is no concrete way to affect what's happening between Israel and Iran in comparison to the, you know, the air dominance that the Israelis have, and the attacks they've done on the leadership infrastructure in Iran. Now, I would caveat that by saying if given enough time to plan, and given enough targeting information, if a nation state did not want to go into full military conflict, you can effect change and destroy whatever component of that government's military capabilities are. But again, it's usually a temporary thing, because as you both know, nation states can recover quite quickly from cyber attacks.


Dave Bittner: I guess you think of Stuxnet, right? Of being able to-


Andy Boyd: Yeah, I mean, I mean there's-there is, you know, there's been a lot of open source reporting on that. One of my friends, Kim Zetter, wrote "Countdown to Zero," a fantastic rendition of that, I'm not going to confirm or deny any [inaudible 00:10:03] involvement in that operation, but I would point to that as an example of an operation that worked, that was well planned, but again, was a temporary setback, and during an [inaudible 00:10:17] when you know, we didn't want war, direct war, with the Iranians.


Ben Yelin: Do you think that this is a categorical limitation, like there's never going to be a point where our primary war-fighting capability is in the cyber realm? Or do you think this is a current technological limitation, like we just don't have the tools to effectuate the goals the way we do with a kinetic military attack?


Andy Boyd: I mean, I think the cyber attacks may, you know, increase in intensity. I mean, the three variables, speed, intensity, and control, in my opinion, drive how cyber operations work. You can't have it, you know, fast, intense, and under the control of the operator all at the same time. And that makes cyber operations extraordinarily difficult. But again, as we've learned from the Russian invasion of Ukraine, there's a lot of old-school components of modern warfare, artillery, tank battles, etc., there's a lot of new-school, so to speak, aspects of warfare, as well. I mean autonomous drones. I mean, the Ukrainians have basically, you know, proven that the rest of the world is way behind them on how to use autonomous drones, and whatnot. That being said, pure cyber attacks, I cannot picture being a primary element of warfare, because at the end of the day, you're not destroying on a permanent basis an adversary's war-fighting capability. [ Music ]


Dave Bittner: Andy, what do you see as the boundaries, or ethical red lines, for offensive cyber?


Andy Boyd: So, I would suspect Ben as an attorney may be better equipped to answer that, but I will give [chuckles]-give my opinion on that.


Ben Yelin: As an attorney, I'd just like to say I have no ethics [laughter], just kidding.


Andy Boyd: I mean, again, there's some sort of a mystery and magic applied to cyber that has always sort of mystified me, frankly. When it's really just another tool for intelligence collection, or again, disruptive or destructive activity. Not unlike electronic warfare, or any other inventions that we've had over the years. It's just that a lot of people, again, going back to our policy discussion, don't understand how it works, but handsets, our phones, our iPhones, Android phones, endpoints on laptops, you know, small office home routers, all the endpoints you can think of, that's where the information is, so that is why, you know, cyber, offensive cyber, is such an important thing for intelligence collection. But also, you know, for other sorts of operations. You know, that in and of itself doesn't make it particularly unique. It's just unique in that, that's where we are in 2025, as opposed to where we were 20 years ago, where offensive cyber vectors weren't quite what they are today.


Dave Bittner: Do you think policymakers themselves are up to speed on cyber capabilities and how offensive cyber is actually used?


Andy Boyd: I think there are some. I think there are some both in the Senate, in the House, and in the Executive Branch, they're very cognizant of it. I mean, obviously there's, you know, professional, you know, permanent, non-political staff at the intelligence community, now at DHS, CISA, and elsewhere, who are very, very cognizant of all of it. And even some folks currently at the NSC in the White House who have been in this arena before, but I think writ large, I don't think we've really settled on what our strategic intent in cyber is, currently, and how that's going to nest into our broader national security strategy. Again, you know, and this is a very open debate in academia, in fact, I taught a course for a couple semesters at the Johns Hopkins School of Advanced International Studies in the Alperovitch Institute, on cyber policy and cyber strategy, and my-the whole thesis of the course was what is our strategy? And I posited to the students that we didn't really have one. That we had a lot of ideas, because I don't think we've really settled on the big part of that grand strategy of, you know, whether or not our cyber tools are a war-fighting domain in and of themselves, or is it a supporting fire?


Dave Bittner: Huh. Yeah, it has been my perception that, you know, leadership, up to and including presidents, are reticent to draw red lines in the sand when it comes to cyber. And you can understand why that may be, but it seems to me like there is intentional fuzziness there, like maybe to not hold back capabilities, or perhaps not even reveal capabilities. Do you think there's anything to that line of thinking?


Andy Boyd: Well, I also don't think that debate is settled yet, either. I mean, there are some, in the previous administration, that believe that a disruptive or destructive cyber attack inside Russia post-Russian invasion of Ukraine, that that would be considered an act of war, because the activity was happening on boxes inside of Russia. There was a whole other group of folks in the previous administration who argued that was not the case, if no one was going to be injured, that that would not be an act of war. And I really do not think we've resolved that debate. And I think, you know, you all are familiar with the Cyber Solarium Commission, where a lot of these discussions and that kind of grew into the founding of the Office of the National Cyber Director. A lot of these ideas were discussed in there, and frankly the naming of the Cyber Solarium Commission linking it to the discussion in the 1950s about the appropriate deterrent capability of nuclear weapons. I just-the conclusion of that, I think, despite all the effort Mark Montgomery and others put into that, is inconclusive. And I think frankly with the Legislative Branch and the Executive Branch, we need a behind-closed-doors discussion on that strategy, and then a very open discussion including academia, as to where we want to go. Not unlike what we did in the 1950s on the discussion of our deterrent strategy back then.


Ben Yelin: You are now back in the private sector. What role do you think the private sector can play in all of this, as advisers to the government, as a way to enhance capabilities? Can you talk a little bit about that?


Andy Boyd: Well thanks for asking, Ben, yes. I think the private sector plays an enormous role. They're both on the defensive and the offensive side. I mean, on the defensive side, you know, the ninety percent or more, I can't put a real hard number on it, but the infrastructure is owned by the private sector, be it our telecommunications networks who were victims of Salt Typhoon, be it all 16 critical infrastructure sectors, oil and gas, transportation and whatnot, even our medical system, and our education system are vulnerable to nation state and non-nation state cyber, cyber threats. The private sector has to be deeply, deeply involved in defending those networks, and I think we're way behind the curve on that. On the offensive side, you know, we have a number of companies that do vulnerability research, and you know, under appropriate authorities of the federal government, or state and local law enforcement provide that vulnerability research, and then, you know, what we would call exploit development, to do legal activity, be it under DOD Title 10 authorities, intelligence community Title 50 authorities, or under law enforcement authorities, and the U.S. government doesn't have the capacity to be doing that vulnerability research on their own, and frankly, if the private sector is not deeply involved in that, we would be behind the power curve. What I always cite is that the People's Republic of China has hundreds of thousands of thugs in their intelligence service and their military, involved in offensive cyber operations. A sizeable portion of those are actually in private sector companies, where they may be fully working for the Chinese government, or they may just be moonlighting. American companies are going to follow very different and stricter ethical rules on that, back to Dave's ethics question, but the federal government, state and local governments, absolutely need the U.S. private sector to be involved in all that.


Dave Bittner: When we're talking about public-private collaboration, what sort of safeguards do you think should be in place to manage risks when these private entities engage in offensive capabilities?


Andy Boyd: Well, in the Biden administration, there was an Executive Order written, unfortunately named The Spyware E.O., which I just think is an unfortunate naming convention, you know, and I think that's going to be tweaked a little bit. But in large part, the current administration is keeping that, because it does add sort of left and right limits on the appropriate use of those tools and what sort of collaboration the U.S. government and others can have, you know, with foreign offensive cyber entities. Similarly, in the Defense Authorization Act of last year, similar limits were placed in there for DOD entities involved in offensive cyber. I think a lot of that was driven by the debacle of the NSO Group and the Pegasus tool and how, you know, Citizen Lab did a report on that that everybody points to, how Jamal Khashoggi met his demise due to the Pegasus tool being on his handset. The Spyware E.O. lays out how that will not happen again if there are companies that are cooperating with the U.S. government, and I think by and large companies that are taken seriously adhere, borderline in a religious fashion, to that E.O. and any associated documents from defense legislation. [ Music ]


Dave Bittner: Where do you think we're headed here? Are there changes that you would like to see made when it comes to the policy, talent, the technology, or even the mindset to better serve our nation as we go forward with offensive cyber?


Andy Boyd: So, in the short term, I would really hope that we slow down the discussion on separating the dual hat, the leadership of NSA, and leadership of cyber command currently under the leadership of the same person. I do not think if we want to head down the path of expanding offensive cyber operations, separating the NSA leadership from the cyber command leadership at the same time probably would not be a great idea. But I also, what I'd like to see in the medium term is a broader public debate about the appropriate use of our cyber tools, and where we want cyber command and the rest of our cyber tools to fit into our national security strategy. I just think we're in a fairly vague place on that currently. And in the long term, you made reference to talent. We do have to have a national discussion about how we recruit people into the cyber domain. Mark Montgomery has, again, back to the Cyber Solarium Commission, has recommended standing up a cyber force, and changing how we recruit people into the military. He has frequently cited that we shouldn't focus on physical fitness, we should focus on computer science and engineering capabilities. I don't know if that is the answer. I don't think standing up a cyber force is necessarily the right short-term answer, but we do have to have a serious discussion on how we hire and retain people with those sorts of skills, you know, hard engineering skills, hard computer science skills, into cyber command, into NSA, into the technical components of CIA, and on the defensive side into DHS, and FBI cyber. We have not had a national discussion on that. Other countries have. And I think we're behind on that. I think the future of our capabilities is dependent on ensuring that our young people are tracked into important jobs like that, and they don't all end up directly in the private sector. Hopefully they can spend at least, you know, post-college or into their 30s supporting the defense of the United States.


Ben Yelin: Do you worry about any of the cuts over the past few months, to organizations like CISA or some of our perhaps strained relationships, with like Five Eyes Intelligence, do you think that has had an impact? Is going to have an impact? Is that something you're worried about, or does it not really change your perspective either way?


Andy Boyd: I'll start with the second one. I am not concerned, per se, about our Five Eyes relationships. Those will chug along as they have for years, managed by the intelligence community. I mean, obviously other components of DOD. But in the intelligence community context, I am fairly confident that those relationships will continue, and the collaboration on operations and analysis will continue. I am concerned, but hopeful, that CISA, you know, CISA has shed a couple of their missions, some of the countering disinformation stuff, which frankly that's okay. I am concerned, though, that they're cutting into bone when it comes to cyber defense. And I look forward to Sean Plankey getting confirmed by the Senate, and taking over the leadership reins at CISA, so that we can have a more public discussion as to where we're going. But they have, CISA has frankly lost a great deal of talent over the past few months.


Dave Bittner: Andy, what advice would you give to the next generation of cyber leaders who are navigating this evolving offensive cyber landscape?


Andy Boyd: I mean, I think, luckily it didn't just evolve overnight. I mean, we've sort of watched this progress, and frankly, I always, I point to where cyber command was born, you know a decade and a half ago and really had a hard time standing up and getting the appropriate people to work. Now, again, I don't think they're ready yet for the divorce of the dual hat from NSA, but I think they're miles ahead of where they used to be. I mean, frankly back in the-I spent a lot of time a decade ago just trying to prevent cyber command from breaking things that were important to the intelligence community. Now it's a much more collaborative environment, and the leadership at cyber command is frankly second to none. And you know, I think leaders-the next generation of leaders, people who work for me, are going to continue on that path of understanding, you know, where the threat is. People always say-there are people in the agency and outside of the cyber realm, in the Pentagon, always said, you know, cyber is the future. Well, cyber is the now, and cyber was the past. You all are just catching up [laughter], and I think our leaders, and again, I do worry about retaining talent in the intelligence community. We are losing some folks to the voluntary early retirement program that has sort of been in effect since the new administration came in, but I think, you know, I will take a step back, you know, five years from now and I think we'll have a very healthy cyber leadership in the intelligence community, DOD, FBI, and CISA. And I think the people we have coming up are very talented. They just have to keep that flow of talent coming in.


Dave Bittner: Before I let you go, can you tell us what you're up to these days? I know you're an operating partner with AE Industrial Partners. What is your day-to-day like?


Andy Boyd: So, my day-to-day as an operating partner at AE is continuing to manage their national security portfolio. They have a couple of cyber companies, Red Lattice and Case, on which I am on the board, and then, looking for potential opportunities to bring other companies at the nexus of national security and technology that are obviously good investments for AE, but are heading in a direction that is relevant to the future of our national security. It is obviously a very different domain than where I was until, when I, you know, before I retired in October 2023. But I do consider private equity companies like AE and a whole variety of other private sector companies to be directly involved in mission and in the defense of the United States, and that's a very exciting place for me to be.


Dave Bittner: Andrew Boyd is former Director of the CIA Center for Cyber Intelligence. He is currently an operating partner at AE Industrial Partners. Andy, thank you so much for taking the time for us today.


Andy Boyd: Thank you, Dave, and it has been great.


Ben Yelin: Thanks for coming on. [ Music ]


Dave Bittner: And that is "Caveat," brought to you by N2K CyberWire. We'd love to hear from you. We are conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There is a link in the show notes. We hope you'll check it out. This episode was produced by Liz Stokes, our Executive Producer is Jennifer Eiben. The show is mixed by Trey Hester. Peter Kilpe is our Publisher. I'm Dave Bittner.


Ben Yelin: And I'm Ben Yelin.


Dave Bittner: Thanks for listening. [ Music ]