Cyber Expert Jason Healey Talks Defense

Former White House cyber protection director, Goldman Sachs vice chairman, and current senior research scholar at Columbia discusses how to build a defensible cyberspace

Jason Healey is a Senior Research Scholar at Columbia University’s School of International and Public Affairs (SIPA). He is the editor of the first history of conflict in cyberspace, A Fierce Domain: Cyber Conflict from 1986 to 2012 and co-author of Cyber Security Policy Guidebook. He started his career in the US Air Force, where he was the founding member of the world’s first joint cyber warfighting unit, the Computer Network Defense. He was Director for Cyber Infrastructure Protection at the White House from 2003 to 2005, and vice chairman of the Financial Services Information Sharing and Analysis Center at Goldman Sachs. He has taught at Georgetown University and Johns Hopkins School of Advanced International Studies.

Prior to joining SIPA, Healey was the founding director of the Cyber Statecraft Initiative at the Atlantic Council, where he remains a senior fellow. Healey is currently the president of the Cyber Conflict Studies Association, and has published over a hundred articles and essays. Healey has recently put together the New York Cyber Task Force for a SIPA report titled, ‘Building a Defensible Cyberspace.’ The interviews were conducted in Healey’s office in the first week of October, and have been edited for length and clarity.

Q: How did you first get into the cyber field?

A: While I was at the Air Force Academy, I turned down the pilot slot and instead applied for the intelligence one. At that time (shortly after the First Gulf War), a lot of things were happening within the Air Force intelligence. We had to protect our systems and eavesdrop on others in new ways. All the traditional tools of intelligence were becoming computerized. That’s how I got started.

Q: Many would love to know how you personally keep yourself protected from cyber threats. Can you give some advice for students at Columbia?

A: First, always have your computer up-to-date and keep it patched. Always use the two-factor authentication; so don’t use only passwords but at least have codes sent to your phone. Columbia’s secure Wi-Fi is way better than the regular one. If you log onto any open Wi-Fi, then anyone outside can read your traffic by using basic free software.

I recently started using this YubiKey [a small USB drive known as a “hardware token” to prove identity]. For the stuff I truly care about, sending me a text isn’t enough; it tells me to insert my YUBI key to prove my identity. The YubiKey is really cryptographically secure. I spend $10 a year on my password manager called Last Pass. It keeps all of my passwords. To log into my Last Pass, I have to type in a very long pass-phrase, and insert this YubiKey.

Two-factor authentication with hardware token and VPN [virtual private network] are inexpensive, and they make sure that my passwords are very secure. Columbia’s VPNs are free. Nobody can see what you’re doing.

Q: What do you know about the recent cyber attacks against Equifax?

A: Many of my colleagues seem to be hinting that the attackers were possibly Chinese.

Q: Has that been mentioned in the open source [media] yet?

A: No, but I also haven’t looked. My colleagues have said, “Man, if I were a data scientist right now, I’d want to be a Chinese data scientist.” Since they [the Chinese] have already stolen information from OPM [Office of Personnel Management] and UnitedHealth, they have this huge database of our medical information, personal records, and if that’s all true, credit history. Imagine what they’d be able to do with all that.

The implication for us [the Americans] is that, we have social security numbers [SSN], and use them as the basis of all bureaucratic information. SSN wasn’t meant for this. By law, we weren’t supposed to use our SSN as our authenticators. But, here we are.

Q: What do you think about the Russian hacking of the 2016 US presidential election?

A: At first, I was one of the least bloodthirsty national security cyber experts on this issue compared to most of my colleagues. Many wanted to hit back hard at Russia, but I thought it’d be too escalatory because we didn’t know the full extent of the damage yet. But once I found out more about what the Russians have been doing, I became more muscular on this than my colleagues. This needed to be about policy, not politics; this needed to be about defending democracy, not the Democrats. And we just failed at that.

Q: Since nuclear weapons first became available to the superpowers, they recognized the unprecedented amount of damage the weapons could do, and thus gradually created a deterrence framework. As cyber attacks become more destructive, and major powers (US, China, Russia) recognize the potential damages, do you think they’ll come up with a similar type of deterrence framework?

A: Yes. Try to guess what year we started to prepare for a “Cyber Pearl Harbor” [the type of cyber attack that would cripple major US infrastructures at once].

Q: Like some time in 1990s?

A: 1991. So we’ve been waiting for 26 years now. It still hasn’t happened yet, and that demands an explanation. We have been vulnerable to other types of cyber attacks, and many have been vulnerable to our attacks as well. So, why has there been no Cyber Pearl Harbor yet?

It’s the same with nuclear weapons. There are entanglements and restraints in place. No one thinks it is in their interest to actually carry out nuclear attacks. There is this threshold of death and destruction. I’d apply the same concept to cyber as well. To me, it seems like nobody wants to cross that threshold of possible death and destruction. Cyber deterrence is working fine for now…except we are getting closer and closer to the threshold every year.

It was the US that has taken the biggest leap toward the threshold with Stuxnet.

[Note to reader: in short, the US and Israel in 2010 hacked Iranian nuclear facilities to slow down their uranium enrichment progress by a few years.]

Russia has hit the Ukrainian power grid (in 2015). For now, every nation is willing to poke one another in the eye below the threshold. I’d say that ‘stability’ should be the goal. ‘Deterrence’ may be part of achieving stability.

Q: When you first entered the field, did you imagine what the cyber landscape would look like today?

A: Yes, to some degree. Technology has changed but the implications and challenges haven’t fundamentally changed. The first cyber conflict was in 1986, and there are many parallels between what happened back then and what is happening today.

[Note to reader: a West German hacker named Markus Hess was recruited by the KGB to hack a US National Lab to steal military information. Clifford Stoll, an American astronomer at the Lab, was able to capture Hess.]

The basics of how to fight and win haven’t changed significantly. For example, if you put fighter pilots from 1917 and 2017 together, they’re going to completely understand each other in terms of formations and tactics, even though the technology has changed so dramatically. Back in the Civil War, the Union army would capture telegram stations to send false messages to the enemy. Both the Chinese and Russians have been killing us with deception even before cyber technology. There are a lot of echoes from the past for sure.

Q: You emphasize the idea of “leverage” in your newest report. [Note to reader: according to ‘Building a Defensible Cyberspace’, attackers had an advantage in cyberspace previously, but it is now possible for defenders to have leverage.] Can you explain how you came up with that?

A:  Many have called for some sort of “Cyber Manhattan Project”. But in cyber security, we have made tremendous progress in technological, operational, and policy areas by consistent application of the right kind of innovations. The report’s message is that we don’t need a Manhattan Project but need to continuously implement small and quiet innovations across all enterprises. That is how we gain leverage.

Q: What is the biggest difference between the public and private sector in terms of cyber security?

A: Strengths. Governments [in the OECD] have great staying power. They have tremendous amount of resources and access to other levels of power. Private sectors don’t have that, but they have the following: agility, subject matter expertise, and hands deep in cyberspace. My friend who was in the Army and went to work for Verizon had told me, “Jay, we can create and recreate cyberspace everyday. We can bend the cyberspace!”

Think about it—the Air Force cannot bend the air in a way it wants to. But these companies can do that with cyberspace. Governments are now trying to do that too, but aren’t as effective as companies who have deeper reach. So the best solution is for each side to get out of stepping on others’ strengths, and actually try to bring the strengths together.

Q: Do you agree with the notion that data is the “new oil”? [Note to reader: just like oil in the last century, many experts believe that data will become the next key resource encompassing all aspect of lives.]

A: Yes, that sounds about right. But we got to think about where our national security interests lie. If data is the new oil, we’re rapidly weaponizing our cyberspace and attacking others’ oil well all the time. So we have to insist less on attacking others’ data and think of fundamental trade-offs.

If the Air Force decides to order 500 new fighters or 100 new bombers, that doesn’t fundamentally affect Boeing, United Airlines, or Newark Airport. But if the Cyber Command decides to keep 1000 zero-days, we’re fundamentally undermining Microsoft, AT&T, and security of what you and I use. This is unlike any other space. That is why trade-offs are different in terms of cyber security.

[Note to reader: Zero-day is a computer software vulnerability that is unknown to the vendor, which can be detected and exploited by the hackers first.]

Q: How do you deal with rogue states that have enormous cyber capabilities but won’t follow international norms?

A: Cyber capabilities are relatively easy to acquire, although not as easy as many make it out to be. These capabilities are easy to buy, and the US doesn’t want to shut down those markets either because we have to buy them too for our own interests. That’s where the national security trade-off comes in again.

We can’t stop nations from developing the capabilities. There is something called the Wassenaar Arrangement, which put restrictions on export of military technology devices. I was talking to some major cyber security companies, and they said right now, they need 10 export licenses. This one company was involved in Stuxnet. Its team in Europe would analyze the code, then pass it onto the team in the US, who would further analyze what’s going on, and pass it onto the team in Singapore. Under Wassenaar, they need licenses to do all that because they’re exporting.

This is one of those things that don’t have leverage; in fact, it is the opposite of leverage. It puts enormous amount of costs on defense but very minor amount to the attackers. That would only help rogue actors. It’s one of the stupidest things that have ever come across in public policy.

Q: What would the next major cyber attack look like?

A: Well, it would be very interesting and I’d hate to know. It’s going to be from North Korea or Iran, because both countries understand dirty tricks. But is it going to be against finance or master lease of publicly available information? We know the direction it is coming from but not when or how it will hit us.

So let’s take Pearl Harbor. We already knew the Japanese would try to attack American assets, but we didn’t know it would be on carrier strike groups. Instead, we thought it might be in the Philippines. So I think this question is the classic Pearl Harbor case. We wouldn’t be surprised who carries out the attack, but we might be surprised when and how.