From Cyber War to Cyber Strategy with Jason Healey hosted by Michael Sikorski
Jason Healey: I was doing a Rachel Maddow one time, and they had a -- I was doing in a local TV studio in DC. And they had me staring at a statue of Beethoven, which was where, you know, they wanted me to be looking. It was just off camera. And it was like a 20-minute hit or something. And if you stare at a statue, dude was moving. Like, the face --
Michael Sikorski: -- starts to contort.
Jason Healey: Absolutely. You're staring at it for 20 minutes. Like, I was like, Oh, no. This is -- probably sounds crazy. It's kind of like a religious experience for a lot of folks, right?
Michael Sikorski: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm Michael Sikorski, CTO of Unit 42; and I'm taking over the Threat Vector podcast today as your host. I'm joined here with Jason Healey, senior researcher, scholar at Columbia University's School of International and Public Affairs. Jay, welcome to Threat Vector.
Jason Healey: Las Vegas, 9am, Threat Vector. This is the place to be. Threat vectoring.
Michael Sikorski: Exactly. Thanks for joining me today. I really appreciate it. You know, I've been teaching at Columbia University for I think it's 11 years now, and that's sort of how we first got in touch, although we did overlap together at the NSA, I believe, as well, back in the day. And, you know, I think it's really interesting how the computer science world, which is where I teach, and the School of International Affairs, where you teach, has a lot of overlap, right? And things really start to come together there, especially when we talk about -- I see you wearing your CYBERWARCON shirt. Can you give the audience some insight on your perspective as to how cybersecurity has evolved over your time? You know, spending time in the military, the White House. Now you're an academic focused on, you know, the threat at a bigger policy scale. Can you talk about that change over time?
Jason Healey: Yeah. Thanks. There's -- first it's just, like, you're right. It's incredible, this -- how amazing this field that we're in that we both teach in the same place. But you are on this super technical, reverse engineering. I'm dealing with policy students. But we're both trying to say, how can we make things better? Like, how can we defeat the threat actors? How can we leave the world a better place? And the field is so big, right? We've had folks that are students that, you know, were sociologists. And they're working on Rikers Island with you as offenders before they came to us, to lawyers, to business school, to people that have, you know, CVEs to their credit. And it's a big field, and I think we're going to need to keep it big so that we can -- we can solve these problems. I've been lucky enough. One of my colleagues, Bill Woodcock, says lucky enough to start early and never look away and, in that, just been able to look at this from a lot of different perspectives. But to really answer your question, one of the things that I did was I did the first history book of cyber conflict. Came out 10 years ago. And it was just looking at, if we treat this as military history, right? I came into this through the Air Force. And how does the story look? And some of the quotes that I came across while I was doing that book I found really astounding, quotes like contemporary technology cannot secure a system in an open environment, right, that, if you have uncleared people and it's not locked away in its own vault, then you can't secure it. Quotes that say the red team always gets through. And those quotes were from 1970 and 1972. So it's been 50 years that we know that the attackers have these advantages, that the -- if the red team gets through, it's saying to some degree that the adversary, that threat actors are going to get through, that the threat actors have a lot of advantages in their favor.
And just having that perspective, that, wait a minute. We're not 10 years or 15 years into this. Like, our grandparents were dealing with the same stuff as we are. And, unless we do better, our grandkids are going to be inheriting a worse internet and a worse cyber space than we have today.
Michael Sikorski: Yeah. That's interesting. I think -- I do think there has been some change in recent years. I think, you know, your talk at Black Hat specifically is -- focuses on some of the groundbreaking nature of the National Cybersecurity Strategy and the shift that's occurring. I've seen a noticeable shift when it comes to collaborative defense, where I think agencies are more willing to collaborate. There's a -- when we worked at the NSA, you didn't tell anybody you worked there. Now they have a Cyber Collaboration Center, which is a great thing. We see that going. What do you think, you know, triggered this really big movement the last couple years? Do you think without -- I think of SolarWinds and Colonial Pipeline, those two big events, like somebody seeing disruption to our -- to our gas lines and then also the speed and growth in which China and Russia continue to escalate and specifically the escalations in the wars in those regions. Do you think that's what's pushing it, or do you see it a different way as to why we're finally getting this doctrine that we were always missing and focus of, like, this is a real war that's going to have -- be more and more costly over time?
Jason Healey: Yeah. It's a great question. I never thought of it quite that way, right, because I suspect there's both supply and demand, right? I mean, there's both been, like you say, the wars that's getting, you know, the -- I mean, there's a -- there's a land war in Europe. And there has been for, you know, kind of like 10 years now, certainly since the full scale invasion of Ukraine by Russia. That is focusing. That is focusing attention. And I find that particularly important, because I think there's been -- when states with relative peace, right, in the Post Cold War era was the longest period of peace we've had. States, in general, were not causing cross-border harm, right? So I -- my side of campus, right, there's a lot of folks in international relations. And one of those astounding things they've found is that, post Cold War, every kind of cross-border violence has gone down. And so, to me, it hasn't been a surprise that we haven't seen nations using offensive cyber capabilities to really cause harm, right? We've been pulling our punches, and it's largely been an espionage game. So my concern is, yeah. As you pointed out, now that -- now that we're having more geopolitical crises, we're having states that are invading their neighbors for territorial gain, we have to start worrying about a PRC invasion of Taiwan, that states are going to be using these in a more -- in a more dangerous manner. And so, fortunately, I think that that's helped drive this. But it's also been, I think, a good supply. And by that I mean the agencies getting together, the White House. You know, when I was in White House the first time, there were four of us that were looking at the internet and cybersecurity. The NSC, even three years ago, they had maybe six people, eight people that were looking at defense. Now, with the Office of National Cyber Director, you've got 70.
That allows them to get in a lot more detail and focus in on things like budgets and skilled workforce and these other areas that we just didn't have the investment. We just didn't have the resources to invest in.
Michael Sikorski: Yeah. I found that -- I actually testified to Congress a few months ago at this point, and it was amazing the interest level and the questions that were given when it comes to educating the workforce, thinking about how to get ahead of that now for the future. And it was really awesome to see that the government's, you know, taking that turn. I think all of these -- this strategy has really been the impetus for that. And then these agencies realizing that, if they collaborate with each other, they could be more effective against the threat, has also been great to see. I want to talk a little bit about your Black Hat talk, which, you know, centers around is defense working. How are we doing from a, you know, offense versus defensive perspective? And one of the things that I tend to mention is I think we've actually -- are pretty decent at detection of attacks. One example I always give is SolarWinds and doing a lot of follow-on incident responses for that where Russia is running around people's networks. When we went in and took a look at their logs, they often had the detections of the threats that were happening. But they didn't -- weren't able to put it together. You know, just kind of curious about how your talk fits in with regards to, you know, how is defense doing against offense, especially, you know, being an employee of Palo Alto Networks, the biggest cybersecurity company. So just kind of want to get insights to you there and then maybe talk -- we could talk through some of the framework that you've put together.
Jason Healey: Yeah. So to continue kind of the origin story, right, I said it's been 50 years. And so a lot of my work, including my last three Black Hat talks, were expanding on this idea of saying, Boy. The attacker has seemed to have had these advantages. What can we do? Like, what are the innovations that we can do at the greatest scale and least cost to shift that advantage to the defense? We've done this at Columbia University, our New York Cyber Task Force. And those ideas got picked up by the White House into the National Cybersecurity Strategy, which I helped draft, to say, good. How can we shift more advantage to the defense? So this talk is, all right. How do we measure that? How do we know if we're succeeding, not just -- you know, so many of our -- of our focus is on input metrics, like you talked about, where -- well, we're collaborating more. Well, that's nice. And it's important, but is it actually leading to the results? Is it actually disrupting threat actors? Is it reducing vulnerability? Is it reducing impact? And so that's what this talk is diving into and saying, boy. We need a framework so that we can dive in and understand the metrics and indicators that we have to see, not just are we collaborating more, not just are we training more cybersecurity experts but are we actually succeeding against the threat actors so that, again, our grandkids are going to have a better time than we do? And you're right. One of those mean time, to detect substantial decreases across the board, substantial, from hundreds of days to now something like 12 days. And that's not just one source that has that. And we've got that from multiple sources that have reported that. So good. We can -- we can say that's great. But what else would we -- would we expect to see if we're really disrupting threat adversaries, threat actors. And I don't mean just disruption in like, you're doing botnet takedowns but, you know, we're catching them earlier. 
We are -- you know, we're patching better, so we're not giving them enough -- you know, as much stuff. What would we expect to see if we're doing that on a large scale? Sure, we'd expect to see a decrease in mean time to detect in dwell time. We'd also expect to see the adversaries are forced to turn over their TTPs more frequently. We would expect to see that we're forcing them from the easy TTPs, logging in with valid credentials, and we're forcing them to hack. We would expect to see a more rapid turnover of vulnerabilities and, therefore, more zero days and a higher price for zero days. So, as far as I can tell --
Michael Sikorski: Right. Because they can't -- using the same thing over and over again, which is what they tend to do, right?
Jason Healey: Absolutely.
Michael Sikorski: Like, they don't upgrade. I remember the early days of doing -- you know, chasing China out of a lot of companies' networks. And you'd go in, and there'd actually be version control on the malware. And you'd be like, Oh, this is just version 1. They didn't even upgrade to version 2 in your network.
Jason Healey: Right, right.
Michael Sikorski: You haven't even made it that far. And I also think about the fact that, you know, I'm on the board of this Cyber Threat Alliance, which is how --
Jason Healey: Oh, great.
Michael Sikorski: Getting cybersecurity companies to collaborate with each other, which in and of itself I think is a big deal. However, we've been passing a lot of indicators around historically, and we're starting to realize that a lot of those indicators actually overlap with things we already have in our systems. And so how much of a difference is it making? And we're realizing that focusing more on the highly contextual stuff like you mentioned, TTPs, what zero days they're using and also sharing with each other when we're about to release, like, major research is super helpful to get protections in place. If you think about a lot of the zero days we've seen over the last year and a half and vulnerabilities being the number one way that attackers are getting in and in the incident responses that we're responding to in Unit 42, I see that ratcheting up. And it's because, you know, nation state starts with it. But then a POC comes out, and all the crimeware groups grab onto it. And then it's like wildfire throughout the world for that -- that vulnerability. But, by sharing those things early, we can get in front of it because it's -- patch management's very hard. But if you get a lot of these vendors to collaborate and they can put protections in place, like, with a lot of these major vulnerabilities, our technology could actually protect while the company is in the process of actually patching.
Jason Healey: Yeah. And can I say, yes. Absolutely great. And Cyber Threat Alliance is one of those things that I point to at succeeding at scale, right? One reason the attackers do so well is that so much of the internet favors offensive scale. Like SolarWinds, right? You hack one and you -- and you get access to 18,000; and you actively exploit 110 or so. Cyber Threat Alliance is one of the few places on defense that we've been able to get that kind of scale.
Michael Sikorski: Now, I totally agree with that. And you mentioned your framework of indicators to track, you talk about threats and vulnerabilities impact, which you just mentioned. Now, I think of myself as a security vendor. I have a lot of competing priorities. I really want to -- I think of you as a security ninja. But, sure.
Jason Healey: Yeah.
Michael Sikorski: Whatever, whatever. And I think -- and you mentioned in your abstract talking about mapping to the framework. You know, what are you thinking as far as, like, how the industry can adopt something like this so that it's not like, another tax? You know what I mean? It's like ingrained in what we do almost.
Jason Healey: Yeah. And defense at scale, right? What -- so the -- our work for New York Cyber Task Force out of Columbia University was looking at what have been the innovations across technology, operations, and policy have given the defense the largest advantage at the greatest scale and the least cost. So it's things like Cyber Threat Alliance, right? It's a new kind of organization. Most of our investment goes into technology inside the enterprise, right? If we -- you know, when you leave here and we walk around the vendor hall, 90% of what we're going to see down there, like, Palo Alto's business model, right, is -- and that's great. We need to do that because that's where we're feeling the problem. But we actually end up having at least as good a success when we do things like automated update, right? You fix it once, and a bunch help. Cyber Threat Alliance, this new organization, right, we had to invent the role of CISO in the '90s. We had to invent ISACs. We had to invent Cyber Threat Alliance. And we had to invent ATT&CK, the MITRE ATT&CK framework. And just think about how much -- how inexpensive that is to have the MITRE ATT&CK framework. Of course, Palo Alto is very reasonably priced and amazing as well. But, right, it's an idea for MITRE ATT&CK framework. And so what we want to do with this is that we just have a relatively light framework so that, when Palo Alto Cyber Threat Alliance is saying, hey, wait a minute. We've -- we're seeing a decrease in mean time to detect. We're seeing the switching of adversaries. That fits into a category. That's a bucket. And it's reported in time series because right now we have a great set of these indicators, but they're not reported in time series. And so now, in your normal kind of reporting, your annual threat reports, you could say, wait a minute.
Out of what we're talking about, a subset of these help us think not just about the enterprises but about this large scale as defense being successful at a system-wide level. And let's make sure we report those in a time series. Once we have that, then it makes it really easy. For example, the ONCD, the Office of National Cyber Director at the White House, has to produce a posture report. That makes it easy for them to go and say, Hey. Wait a minute. They could pull it from -- absolutely. They can say, okay. So for threat actor operations, which is when I was talking about mean time to detect and change of TTPs, Palo Alto or whomever, Scientia, Verizon reported these great statistics on how we're doing. We're seeing the same information being report -- similar information being reported by multiple vendors, and they're all directionally consistent. And these ones are all going the right way. On impact, like, what are the economic costs and the national security costs? They're still going down. Like, they're still going badly in the wrong direction. So it shouldn't mean any specific, like, more work for the cybersecurity vendors, the others that have the data. But hopefully it's going to help us to tell the story better.
Michael Sikorski: You're actually reporting what you actually have.
Jason Healey: Right. In the same way -- in the same way that ATT&CK does, right.
Michael Sikorski: Yeah.
Jason Healey: This framework is not going to be as disciplined as ATT&CK right there. Everything is in there. Everything is in a single category and only one category. There's going to be a lot of overlap when we're looking at this is defense winning framework.
Michael Sikorski: Yeah. No. That -- I think that's awesome. I look forward to seeing how I could participate --
Jason Healey: Oh, great.
Michael Sikorski: -- from the Unit 42 side because I think that's a really important thing that could -- could influence policy and things like that.
Jason Healey: Oh, absolutely. Yeah.
Michael Sikorski: Final thing I wanted to kind of turn to is something we're both passionate about, which is education. And you were talking earlier about, you know, the overlap between Computer Science and School of International Affairs at Columbia and sort of lab of the overlap that we have there. And I'll say I got to participate in the Cyber 9/12 competition --
Jason Healey: Oh, great.
Michael Sikorski: -- as a coach. And for those of you -- well, you could give a few -- a few sentences of what that competition is would be really cool for people to hear. But the thing that was special for me is, like, I was always, you know, math guy, 1s and 0s. I'm a reverse engineer. So being able to come and speak in your class, awesome stuff. And then getting to, like, be in a cyber policy competition, I think that kind of diversity of mindset -- I remember being a coach for all these School of International Affairs students, right. And they're like, how do you know so much about Chinese hackers? And I'm like, well, I did a response for this, like, all day, every day. So they're like, Well, how do you know this is the type of thing they might do or that they might do? I'm like, that's through all the technical things we found along the way. So how do we get more people involved from diverse skill sets working together? Do you think it's competitions like those? I always reference CTFs, 9/12 competition. Like, what do you think the best way is to kind of bring that momentum to, you know, cross mindset collaboration?
Jason Healey: Yeah. And, first, I want to give my thanks to the Black Hat team and Informa because, for the winners of these competitions, they give scholarships to come to Black Hat.
Michael Sikorski: Oh, that's awesome.
Jason Healey: So it's really great. You'll see a lot of them around here. So, yeah. So I founded the Cyber 9/12 Student Challenge 10 years ago, probably a little bit more than that, based on my experience at White House where you -- we had -- White House would have the technical folks come in. And they were sure they were experts on what was going on, right, because they understood the technology and what was happening. But they didn't understand how government worked and how to get things done in government, whereas the policy folks who understood how the White House works and how everything -- they didn't -- they had no clue on the technology. And the only competitions we had back then were capture the flags and the other technical, which are amazing. We have to have. So we founded this competition. And we called it Cyber 9/12 because I think a lot of us, you know, roll our eyes when we hear about Cyber 9/11 or something -- or something like that. So we said, let's make it mean something. What happens after the incident, right? How do we respond as a country or as a community? So we said, we'll call it Cyber 9/12 to think about the day after. So we'll be holding our New York competition in October, and it's basically getting these students together like they would in the Situation Room at the White House. Mr. President, we think this was Russia. But nobody's died yet. We're still not certain about the attribution, so we recommend A, B, and C. What do you think? And now it's something like 15 cities around the world. It's Cape Town. It's London, Scotland. It's in France. They just did one entirely in Spanish in Costa Rica. So we've probably had 5-, 6000 students that have come through it. And especially because the students, you get a much more diverse set of students than I think you sometimes do in capture the flag because these students are coming out of policy schools, legal schools, and the rest.
Also, let me do a shout-out for the class I have next semester with Charles Carmakal and Evan Wolf because we have students from the business school, from the law school, from the computer science department, and my students from the School of International and Public Affairs to study the great hacks. So we've put them together into groups. And one group looks at Sony, NotPetya, Colonial Pipeline, and SolarWinds.
Michael Sikorski: I worked on all four of those.
Jason Healey: Yeah. Exactly.
Michael Sikorski: With Charles. So it makes a lot of sense, right?
Jason Healey: It is -- and it's great to see these students all have to come together with the lawyers and the business folks and the rest, which they wouldn't normally do until they've been in the field for 10 or 15 years.
Michael Sikorski: Yeah. I think -- well, number one, I would love to have you come lecture at my class, as well, because one thing, my class is very focused on reverse engineering. And so we're like, 1s and 0s assembly code all day. And I try to end the class with, like, let's go much higher, like, higher level and talk about why we've been tearing apart computer viruses all semester long and actually -- so I'd love to have you at the end of the semester come in and really talk about, you know, the broader impact of what -- why what they're learning is so important. And I just -- I think the amount of effort you and I are putting in there to sort of influence the next generation is pretty awesome. And I want to just keep increasing that collaboration. I guess, finally, I want to close with, like, ask you a question about -- yeah. Go ahead.
Jason Healey: Before you jump on. And, you know, Columbia is great, and we have amazing students. But we don't have the scale. And I just real shout-outs to -- you know, I've seen some great community colleges and, you know, and other universities.
Michael Sikorski: And even some high schools now.
Jason Healey: Boot camp programs in high schools, right? You know, so we're -- we're really lucky to be able to do what we do. And so -- and just for the listeners of the podcast, right, I mean, it's super rewarding to get out and do the teaching. And so, yeah. I mean, like, look for opportunities at the high school. Look -- you know, a lot of these places have clubs, you know, to help mentor folks to study for their certifications tests and the rest. Like, there's a lot of these opportunities and a lot of folks that need the -- the step up and to really make it into this really amazing field, right? We are really lucky to be in this field, which has so many interesting problems and can really be the start of an amazing career.
Michael Sikorski: Yeah. No, that's awesome. I never thought I would get into, like, policy influence and stuff like that when I was starting my journey wanting to be like a video game programmer. But here we are. In -- you know, in closing, what -- what advice do you -- I guess you already gave the advice just there. I was going to ask you a question about what advice would you give to aspiring professionals who want to make more of a difference when it comes to some of this policy stuff, some of this -- you know, some of the things you're talking about with your framework? I think a lot of people are stuck in -- you know, they have their day job, but they want to have a broader impact. Is there any recommendations you have there?
Jason Healey: Well, first is just going to be keep our eyes on the big picture, right? We get so focused in on if controls are working or if you know this enterprise is more secure or less secure. And that's great. That's what -- that's what we need to do. But we need to step back and look at the scoreboard, right? And the scoreboard is not, you know, are we deploying more patches? Are we -- are we doing better at detecting signatures and the rest? It's are we actually defeating the threat actors and giving them -- you know, making them stay up weekends. Make the threat actors miss their winter holidays, which happens to us every year. Like, I want them to start feeling that pain. And we're not going to be able to do that --
Michael Sikorski: It's always a Friday when these big attacks drop.
Jason Healey: Right.
Michael Sikorski: And I think the blog on SolarWinds was published at 9pm on a Sunday.
Jason Healey: Yeah. And unless we start shifting that advantage to the defense, right, every enterprise, right, across the internet, across cyberspace as a whole, that's how we're going to be able to have that. That's how we're going to make sure that our grandkids have it better off than we do and that, you know, when, you know, our kids aren't going to be like, Okay, grandpa. Here's how -- here's how you protect yourself online, right, because we haven't done a good job in making this stuff easier.
Michael Sikorski: I like your optimism, especially for somebody who studies cyber war all day professionally and the history of it and especially since you're, you know, showing the trend over 50 years. So coming out with positivity, I love it. All right, Jay. Thanks. Thanks a lot today for joining us on the Threat Vector podcast. I think it was an awesome conversation covering education, cyber war, and everything in between. Look forward to collaborating with you more into the future.
Jason Healey: Great. Thanks to the entire Palo Alto team. You know, it's nice that we can zoom out like this sometime and have these larger conversations. So appreciate everything that Palo Alto's doing.
Michael Sikorski: That's it for Threat Vector today. Stay safe. Stay secure. Happy reversing. Goodbye for now.