Mr. Chairman and Vice-Chairman, thank you for the invitation to testify before your committee today. It is an honour to represent my company, Illumio, and to offer my thinking about the future of cybersecurity and national security policy planning.
I'm the head of cybersecurity strategy at Illumio, which provides microsegmentation capabilities for cyber-resilience, and the former head of cyber-strategy in the Pentagon, where I was speech writer to the deputy secretary of defense during the Obama administration.
If I may first beg your indulgence, I'd like to open my statement by honouring the memory of a great Canadian national security leader with whom I worked in the Obama administration and who died last year. We worked on cybersecurity together. I'd like to inform you about him briefly and register his name into the Canadian record.
Shawn Brimley's life has been celebrated across his adoptive home in the United States, including through a letter from former president Barack Obama and moving eulogies in our national press, but for his family and for our two countries, I'd like to enter this statement into the permanent record of the House of Commons.
Shawn Brimley was born in Mississauga, Ontario, served in the Canadian army and was educated at Queen's University. He later settled in Washington, D.C. with his wife, Marjorie Clark Brimley, and achieved more in his 40 years than most do in a lifetime of service. He went from serving in the Pentagon to the White House to running one of Washington's premier think tanks, the Center for a New American Security. He wrote the 2010 Quadrennial Defense Review, helped shape the U.S. pivot to Asia, ran crisis response and strategic planning initiatives out of the White House and was a leading thinker behind the third offset strategy for long-term U.S. defence innovation.
A loving husband and father, a great friend and a mentor, Shawn Brimley made all of us safer and more secure. For that, this House and this country, as well as mine, can be proud.
As he testified before the U.S. Congress in 2015, it is an honour to testify in front of this House today, especially on an issue that he and I started working on nine years ago.
In the years since I first entered the Pentagon, the cyber-threats have become a top-tier challenge to international security. Three trends make it so: the vulnerability of the networks and data of cyberspace; the overarching digital transformation of society; and a lack of sufficient investment by organizations in the people, processes and technologies required to deter, defend against and recover from cyber-attacks. Governments and organizations have taken steps to improve their cybersecurity posture by building teams, developing options and adopting technologies, but progress has been too slow to keep pace with the threat.
Nation-states and non-state attackers steal, destroy and manipulate data in and through cyberspace. Adversaries flourish in what could be called the “grey space” below the level of outright conflict, and they appear undeterred in pursuing their goals in that way. To name just a few, consider China's continuing campaign to steal U.S. intellectual property, including the data of the joint strike fighter; North Korea's 2015 theft of $81 million from the Bangladesh central bank and the U.S. Federal Reserve; China's theft of 21.5 million personnel records from the U.S. Office of Personnel Management; and Russia's disruptive attacks on the Ukrainian electric grid in 2015 and 2016.
Nation-states present the greatest threat because they have the resources to put hackers on salary. These people can go to the gym; they can work diligently over time to try to penetrate a target. In recent years, they have shifted their focus from theft and destruction to the data manipulation of political and media targets.
The Russian attack on the 2016 U.S. presidential election is the most notable example. As you're familiar with, on the express direction of Russian President Vladimir Putin, Russian military intelligence hacked into the networks of U.S. political organizations and political leaders and exploited vulnerabilities in social media business practices to spread propaganda and foment mistrust in the American population.
The Russian operation hit at three parts of the American “centre of gravity” during a period of acute political transition: the American people, the political leadership and the key technology companies. Other countries have since taken similar steps, including China's reported penetration of Cambodia's electoral system in 2018, which affords it the opportunity to manipulate the outcome of those elections.
Why is this problem so severe right now? There are three points, I would say. The first is increased urbanization. The second is the proliferation of dual-use technologies. The third is the interconnected nature of the world economy. This means that smaller groups of individuals can have an impact significantly disproportionate to their size. This is the high-consequence risk nature of modernity, which is what Anthony Giddens called it.
Examples include the 9/11 attacks by al Qaeda, the actions of the subprime lenders and their impact on the mortgage market and, most recently, Russia's cyberspace operation against the U.S. election. Just like the September 11 attacks when 19 men slipped past the security establishment and turned airplanes into missiles, a small group of Russian operatives found a seam in American security to conduct a high-risk asymmetric attack.
The Internet grew from zero to just under four billion users in the 35-plus years since its founding and access increased without a commensurate understanding of risk. Whether from the vulnerabilities of code or the impact of social media on political identity formation, network status and cloud environments are vulnerable to breach, and society is vulnerable to manipulation.
As a matter of priority, countries should focus on deterring nation-state attacks. Deterrence is a function of perception, and it works by convincing a potential adversary that the costs of conducting an attack will outweigh the benefit. Effective deterrence requires the ability to impose costs on an attacker through sanctions or military means; defensive tools to repel an incoming attack, like firewalls; and, in the event that a hacker gets through the perimeter defence, resiliency capabilities to limit impact, like microsegmentation.
Two propositions arise from recent history to inform your inquiry. First, adversaries have escalated in cyberspace, despite the U.S. government's efforts at deterrence. The United States and other countries must therefore take a more aggressive stance to deter aggression. In 2018, the U.S. government embraced this position, notably through the defense department's doctrine of defending forward in cyberspace.
As my colleague pointed out, adversaries have escalated, and the United States chose to indict or sanction as punitive measures. These actions, while reasonable, did not set a precedent or effectively deter escalation. For example, even after sanctioning Russia for its actions in the 2016 election, Russia reportedly continued to implant malware on the U.S. electric grid through 2018.
What does it mean to defend forward in cyberspace? If it has indications and warning of an impending attack, the United States must be able to push back against an adversary. This means penetrating the cyberspace infrastructure to conduct counter-offence hacking to blunt an incoming attack. Nation-states have the right to defend themselves in cyberspace, just as they do in other domains. To maintain peace and stability, however, any operation must be conducted under the law of armed conflict.
The need for a more forceful deterrence posture is the first takeaway from the last 10 years of cybersecurity policy development in the United States. The second is the need to assume breach and plan for adversaries to penetrate your internal defences and gain access to your most vulnerable data.
What does it mean to assume breach? Most organizations focus on the perimeter defence, and they lack an internal security system to prevent servers from communicating with one another once an attacker has broken in. Once an attacker has penetrated a network, they can spend up to an average of six months inside a data centre or cloud environment, moving around unencumbered, implanting malware for whatever purpose they choose. An organization's crown jewel applications, like its key databases, are open game in that instance.
In the Chinese attack on OPM, for example, no rules existed to govern how applications and servers would interact internally. Thus, when the Chinese made their way inside, they could easily make their way to the database that held 21.5 million records.
Microsegmentation prevents breaches from spreading. At its most basic level, it puts walls around vital applications to segment them away from the rest of the cloud environment and data centres. An intruder may be able to get three servers, but not 3,000. In this way it's a deep foundation for cyber resilience and the last line of defence. For critical infrastructure sectors like the financial sector, if you have this kind of capability installed, it provides an element of resilience not just for the sector itself, but for the nation as a whole.
It is not a question of if but when a breach will occur. Countries need to proactively defend themselves against aggressors to achieve deterrence, but they also need to assume breach and implement defence-in-depth strategies to withstand cyber-attacks. Leadership enables success against all parts of the cybersecurity project.
In his seminal essay, “The Challenge of Change”, historian Arthur M. Schlesinger said, “Science and technology revolutionize our lives, but memory, tradition and myth frame our response”. That is true. Our ability to manage technological change depends ultimately on the success of the leader and his or her ability to tell a story to make change. We have a crop of strong security leaders who have come up in Canada and the United States in the last 10 years. Technology's momentum and evolution may never end, but good leaders help society adapt and manage change, from the rise of aviation to the dawn of the nuclear age. Cybersecurity is simply the latest chapter in our story.
Ultimately, leadership is underpinned by analysis, and that's what makes this committee's work so important.
Thank you for having me. I welcome your questions.