Former CIA Director John Brennan On Criminal Hackers, 'Ignorant' Elected Officials, And Russian Interference In U.S. Politics

Our Nation At Risk

The United States faces a multitude of cyber threats ranging from social engineering, to collaboration between foreign intelligence services and criminal hackers, to lackluster communication between the U.S. government and the private sector, according to former CIA director John Brennan.

Brennan told the more than 120 attendees at SecureAuth's INTERSECTION 2018 event in Washington, D.C. Wednesday that the need for an independent commission to examine challenges in the digital domain came across during recent Congressional hearings about cybersecurity and social media platforms.

"Unfortunately, I think a lot of our elected representatives are rather ignorant – maybe through no fault of their own, because of their generation or experiences – about the digital environment and the complexities of it," Brennan said.

Afterward, Brennan spoke with CRN about the most significant cybersecurity advances made by America since 9/11, the potential for interference in next month's U.S. midterm elections, and the biggest cybersecurity concern keeping him awake at night.

How concerned are you about hacking in next month's midterm elections?

There are a number of concerns when it comes to elections and trying to interfere in them. Clearly, there are efforts to try to intrude into systems and networks of particular parties or particular candidates. We know that foreign actors have capabilities to do some of those things, whether it be via social engineering or spear-phishing or whatever.

The U.S.-wide election system is a rather eclectic one, where states really own the voting rights. There has been increased interaction between federal and state officials over the last two years. But there's also the issue of information operations that I think a lot of Americans are concerned about.

What might some foreign actors try do to present themselves in social media environments as U.S. persons or U.S. organizations as a way to present their stories and their narratives that are based on misinformation or disinformation, trying to skew people's perspectives?

I can sympathize with a lot of Americans who don't know what to believe when they look at their news feeds on their mobile devices. Which one should I believe, and which one should I not? It's tough, and that can influence the electorate's views and distort elections.

What should be the biggest lesson learned from the 2016 presidential election?

Nobody should doubt that the Russians are going to continue their efforts to influence U.S. politics, and they're going to use that digital environment as a means to influence U.S. politics. But also, the Russians do that with a lot of other countries around the world. I think they would much prefer to shape political developments in countries insidiously through various digital and non-military means than rolling tanks across borders.

The Russian interference is also more symptomatic of the broader concerns about just how exploitable that digital environment is to a variety of malicious actors, whether they be foreign or domestic. To me, it should have been a clarion call for the government and the private sector to seriously tackle these problems. I'll harken to the call for an independent commission.

This environment, the digital environment, is exploding in terms of its breadth and its capabilities, and will continue to when we go to increasing automation, artificial intelligence, machine learning. And it holds tremendous potential, but it also holds tremendous challenges.

​

What is the biggest cybersecurity concern that keeps you awake at night?

I was detecting more and more collaboration between foreign intelligence services such as the Russians, the Chinese, whomever, and organized criminal hackers. It's a way for foreign intelligence services – large and small services – to take advantage of the growth of these criminal networks that develop malware, develop different types of attack vectors and techniques.

But also, it allows a lot of these foreign governments and intelligence services to distance themselves, to attenuate the relationship between the perpetuation of the attack and who actually authorized it. Trying to mask their forensic fingerprints is critically important.

So if you can get these international criminal hackers to do the work for you. A good example is in March of last year, there was four individuals who were indicted for the hacking of Yahoo emails. Two of them were well-known international criminal hackers, and two of them were active-duty members of the Russian FSB, the Federal Security Bureau.

That collaboration model I'm seeing more and more, and it should worry all of us.

How can the United States defend against that?

They're looking at all of those different types of attacks, and the features of them, and they need to adapt to it.

How has America's cybersecurity posture changed since 9/11?

The nation is much more secure from a terrorism perspective in terms of being able to connect the dots.

On the cybersecurity front, I think there have been a number of unfortunate penetrations of systems in the United States. There have been a lot of lessons that have been learned by government agencies. And as they implement new technological capabilities, there is a constant effort to try to understand what the cybersecurity issues are that accompany those new technological innovations.

So I think there is greater recognition of the need for cybersecurity, but I think we still are a fairly long way from being able to deal with it as effectively as we should. Even though there are mechanisms for interaction between the private sector and the government – sharing information back and forth, the sectoral-based ISACs, the Information Sharing and Analytics Centers in the financial, electrical and retail areas which helps facilitate interaction. But I do think we still need to do much more.

Why do you support the formation of an independent commission?

One of the first things is to do an inventory of all of the issues and challenges and problems that are out there in the digital environment, taking into account this country's increasing dependence on that digital domain. Have the technologists and engineers and futurists and businesspeople and government officials come into the commission and talk about their issues and their concerns.

This is a way to have a more comprehensive appreciation of what we're dealing with in that digital environment, and how we're going to ensure it's still going to be an engine of economic growth and entrepreneurship and ingenuity. But at the same time, we're trying to make sure that it's going to be as secure, as reliable and as resilient as possible.

I don't know of all the issues and the questions that need to be addressed by a commission, but I know a commission needs to be pulled together in order to identify the universe of those problems.

Why is this better than relying on the President or Congress?

First of all, on congressional committees, the jurisdiction is fractured. There are dozens upon dozens of committees and sub-committees in Congress that have some jurisdictional responsibility for cybersecurity. Having a bi-partisan, independent commission that is going to take two or three years pulling together what it is that we need to be aware of in terms of the continuing evolution of the digital domain.

And then, come up with some recommendations about how the government and the private sector can work together more collaboratively to better safeguard that environment. There have been presidential commissions over the years, but it's been my experience that the Congressional independent commissions are the ones that are most effective.

I point to the 9/11 commission and the WMD commission – they were impactful, and their recommendations were implemented.

Why are so many elected officials ignorant about concerns around cybersecurity?

It's a very complex and complicated issue, even for those who are intimately familiar with the technology in the digital domain. And it is even more daunting for individuals who do not have technological background. I don't mean to fault individuals that grew up in my generation and didn't have the great benefit of technological savvy.

But I do think that, as this country and as our day-to-day lives are increasingly dependent on the health and the security on that digital environment, it's incumbent upon our elected representatives to understand the threats and the challenges in that environment. Just as they are aware of the threats that a China or a Russia or a North Korea poses to us, that digital environment needs to be very familiar to them as well.

How can elected officials better educate themselves around cybersecurity?

There are many different opportunities for digital literacy. Just asking questions and meeting w/ people who are deeply schooled in the digital domain. Sometimes the ignorance is born out of unfamiliarity. I'm not saying they could become technological wizards. But what I'm saying is that they could have a better sense of just how important that digital environment is to this country's future, but also understand what that actually means. There are ways they can increase their knowledge and their understanding.

Do you believe the United States would benefit from a law similar to GDPR?

It's a worthwhile consideration. Anything like this will have its upsides and its downsides. The United States is a big, powerful country. And just like the EU with its data protection initiatives, we need to be thinking about what we can do to optimize privacy, but at the same time optimize security. It's striking that appropriate balance, and that's a tough, tough call.