Ex-Defense Chief on Cybersecurity: 'We Are Our Own Worst Enemy'

In 2015, Secretary of Defense Ash Carter unveiled an ambitious strategy to beef up America’s cybersecurity.

Among other initiatives, he announced that the Pentagon would assemble a 6,200-strong Cyber Mission Force of military, civilian, and defense contractors, and partner with Silicon Valley’s best and brightest to create R&D incubators like his Defense Innovation Unit-Experimental (DIUx).

It was a major step forward, but that momentum has since stalled. The Pentagon’s investment in cybersecurity remained flat at $9.8 billion annually during the Trump years, and President Biden’s budget only boosted it to $10.4 billion—a paltry 6%—in 2021.

Meanwhile, cyberattacks on U.S. public and private interests have escalated sharply. China, Iran, and Russia  all tried to hack the 2020 presidential election, according to Microsoft. Corporate payments for ransomware attacks reached $400 million in 2020, more than four times the amount in 2019, according to the U.S. Treasury.

Worst of all, the SolarWinds hack, allegedly executed by Russian foreign intelligence, exposed the Pentagon and Department of Homeland Security, among other government agencies, to a malware breach that went undetected for months.

Watch: Ash Carter at Tanium Converge 2021

Since exiting the Department of Defense (DoD) in 2017, Carter has kept a close eye on the cyber landscape. This is no surprise, given his background as a technologist and scientist (he has a PhD from Oxford in physics) as well as his more than three decades devoted to securing the safety of American citizens.

In April 2021, Carter brought his experience in cybersecurity to Tanium when he joined its board of directors. On Nov. 17, he will be a featured speaker at Tanium’s three-day Converge 2021 conference. In advance of that, and shortly before the Biden administration ordered federal agencies to patch hundreds of cyber flaws, Carter sat down with Endpoint for a frank and far-ranging discussion. He spoke about cybersecurity threats facing the U.S. today, how the pandemic has raised the stakes for endpoint security, and why he joined Tanium’s board.

The conversation has been condensed and lightly edited for length.

What do you consider to be the biggest cybersecurity threats facing the U.S. today?

We are our own worst enemy. Many companies and government agencies are awake enough now to know that unless they’re willing to make adequate cybersecurity investments, they face huge risks. But the fact is that they have inadequately invested in it for a very long time, which has two consequences. First of all, their networks are ill-prepared. Another consequence of underinvestment is that they don’t have the people they should have for security.

Some people don’t want to call a cyberattack an attack. That’s
a mistake.

We’re being attacked by foreign countries, and that threat is underestimated by some people who don’t want to call a cyberattack an attack. That’s a mistake. As secretary of defense, I would always say an attack is an attack.

Whether it’s Russia or China stealing information about U.S. government employees or industrial secrets, whether they are promoting or allowing ransomware, whether they are interfering with our domestic politics—that’s an attack. In my view, as a member of the Obama administration, we never did enough, and Trump never did enough. President Biden, although he has excellent people and excellent judgment in this field, isn’t doing enough yet, either.

In the early days of the pandemic, 87% of DoD employees and civilian contractors shifted overnight to work from home. Even now, 20 months later, we have a million DoD employees working remotely. What impact has that had on endpoint security?

It’s a big deal. Much more of the day-to-day activity of all kinds of enterprise, including government, has migrated out to new endpoints with people using personal and mobile devices. These are not [like] the office desktop that you were issued that was bought and configured with security in mind. These are, by definition, ill-prepared and vulnerable.

Should we have been better prepared for the pandemic?

Personally, the potential for a global pandemic has been on my radar for 25 years. Even before 9/11, we had some warnings. If you remember, there was a Japanese cult in the 1990s that attempted to scatter anthrax spores from a rooftop in Tokyo. They failed and they went to plan B, which was to distribute sarin in the subway.

We knew that weaponizing biology was a possibility, and you don’t have to go far from there to the realization that it doesn’t have to be an enemy. It could be God or Mother Nature who distributes a pathogen, and we always knew that a respiratory pathogen was the worst thing because it spreads naturally.

After 9/11, we had several infectious diseases—Ebola, Zika, H1N1, SARS, MERS—that we were concerned could become epidemics. We at DoD were called into service by our government to help, which we did, and they were successfully smothered. The one that wasn’t smothered broke out in Wuhan in late 2019 and spread throughout the world.

Despite people thinking about pandemics for a long time, I don’t think they thought about all of the collateral effects in society. Four years ago, if you had said there’s going to be a pandemic of a respiratory disease and we’re all going to have to work from home, you might have said, “That’s interesting,” and given it five minutes of thought, but it wouldn’t have sunk in how deeply that would affect employment, the economy, and cybersecurity.

What are your thoughts about government and industry collaboration around ransomware? Does government have a role in actively preventing it?

Yes. Government-industry cooperation is necessary to tamp it down. Ransomware is a microcosm of cybersecurity as a whole, in that those who are to blame are those with poor enough hygiene that they got caught by these guys.

Two can play at this game. I know that’s a controversial view, but
it’s common sense to me that you push back.

At the same time, I think the government has some critical responsibilities. The first is to help promulgate the standards and practices that are necessary for good hygiene, and to implement them in government, which they can then impart to industry. That’s what DoD, Homeland Security’s CISA, and Commerce’s NIST are
all doing.

These ransomware attacks originate in Russia and Belarus. I’d like
the government to put pressure on [those nations]. The other thing
I expect our government to do is to claw back ransom that is paid through cryptocurrency exchanges, or at least stop the bad guys
from getting it by shutting down exchanges that are facilitating criminal activity.

The last place where the government can be helpful is in giving some of these critical infrastructure players a sense of where they’re vulnerable in their supply chains through vendors. If vendors are sloppy, and therefore an avenue for bad hygiene, that’s a big issue. Obviously, at Tanium, our people know that very well and know what to do about it.

How might the U.S. government put pressure on countries like Russia and Belarus around ransomware and malware?

Beyond sanctions, which are always good, two can play at this game, and personally I don’t think we’ve done enough that has been offensively aggressive. I know that’s a controversial view, but it’s common sense to me that you push back.

Based on my experience with the Russians and Chinese, which goes back many decades, particularly with Russia, you have to push back. If you push back, you’ll slow the advance of the attacks. Otherwise, eventually they’re going to do something we can’t tolerate and you have the possibility of things getting really out of control.

What is your take on the SolarWinds attack? How is it possible the hack occurred months before we realized it?

We have an intelligence system that is very good. It is, however, tuned to the secrets and plans of potential enemies. It is not tuned to a bunch of punks in Russia or Belarus who are trying to extract money from some poor helpless hospital in the United States that is way behind the times in terms of its cybersecurity protection.

Even though I’m not in the Pentagon anymore, I still remain devoted to the cause of improving this country and its security.

Because of the Snowden effect—which led many citizens to believe that their own government and intelligence services were a danger to them—we steer well clear of any kind of surveillance of our own people and their networks and systems, and that is a fundamental reason why your government is not as helpful to industry in cybersecurity as you might think it should be given how good it is at certain aspects of cyber.

One last question. I’m sure you’ve had a lot of board opportunities. Why join Tanium’s board?

I am asked to join many boards. I don’t have all the time in the world because I have appointments at Harvard and MIT, which I take seriously. It’s only with the time I have left over that I can be involved in the corporate world.

I got to know Tanium over 10 years ago. I respect what it does a great deal. It’s important to me that whatever corporate interests I’m working with are good for our country because even though I’m not in the Pentagon anymore, I still remain devoted to the cause of improving this country and its security—and Tanium does that, both in the government and outside it. I believe its mission is a noble one.