Three takeaways from Verify 2022
First, while public-private partnerships have been something of a buzzword in cybersecurity for a very long time, several examples from the on-the-record conversations at this year’s Verify point to a qualitative shift in the importance of these partnerships for protecting networks, devices, and the people that rely on them. In an opening night interview with Dina Temple-Raston of the Click Here podcast, Rob Silvers, the Department of Homeland Security’s under secretary for strategy, policy, and plans, pointed to the recently formed Cyber Safety Review Board, which he chairs, bringing together leaders from both government and the private sector to review major cybersecurity events and make recommendations for needed changes. Such partnerships aren’t new, of course, but Silvers was highly complimentary of the “luminaries” on the board — people like national cyber director Chris Inglis and NSA’s Rob Joyce, as well as Katie Moussouris of Luta Security and CrowdStrike co-founder Dmitri Alperovitch — and described himself as “really pleased with the level of input we’ve gotten from a wide range of companies,” open-source software foundations, and security researchers on the board’s first “after-action review” on vulnerabilities in the Log4j software library. Their report will be issued later this summer.
And while the proof of the board’s effectiveness will come in that first report, other examples shared during Verify show the increasing integration of private companies into nation-state cyber defenses. Kori Schake of the American Enterprise Institute, for example, pointed to Microsoft’s role in supporting Ukraine’s war effort during a panel conversation with other national security experts on the geopolitics of cyberspace. She cited the “willingness of American tech companies to take a side” as an important “source of strength” in democratic nations, and named civil society, philanthropy, and even “mischievous actors” like Anonymous as all making important contributions to the war.
Similarly, Microsoft’s Matt Masterson pointed out, during a panel on election security in the 2022 cycle, the role that large companies like Microsoft and their peers are playing in moving beyond simple information sharing with the thousands of local election authorities in the U.S. to providing “real-time support, incident response services, and threat intelligence” to help those local officials deal with the threats.
What starts online doesn’t end there
Another theme was how increasingly difficult it is to separate “cyber” as its own siloed domain. As more and more systems move into a fully online, integrated world, the impacts of, and responses to, cyber incidents are sometimes most visible offline. Mieke Eoyang, the deputy assistant secretary of defense for cyber policy, made this point responding to a question from Lawfare’s Ben Wittes during a live podcast taping at the event. Eoyang challenged Wittes’ framing of cyber in the war in Ukraine as a “dog that didn’t bark,” pointing out that in the U.S. Department of Defense’s concept of “integrated deterrence,” there may be “elements of conventional power that may deter cyber attacks,” or “cyber responses that come in response to kinetic attacks.” The question, then, is “how do we think about all elements of national power and best tools to respond” in a given conflict, rather than looking for evidence of a much-predicted “cyber war.”
Another example of the real-world impacts of online activity involved election security. Both Rob Silvers and the Cybersecurity & Infrastructure Security Agency’s Kim Wyman shared that their biggest concern about this year’s elections is rising physical threats to election officials. Wyman, who served as Washington’s secretary of state from 2012 to 2021, also spoke about the climate of fear and threats of violence that are causing many long-time local election officials to leave the field.
The nature of the cyber challenge
A final theme that came up for me at the return of our Verify conference is the sheer scale of the challenge posed by cyber threats, and the difficulty governments, in particular, have in responding to them. Answering a question from Temple-Raston about how ransomware “ends,” for example, Silvers was clear that it doesn’t and it won’t. The most we can hope for is to “whittle the problem down” through concerted effort against the underlying cryptocurrency-based financing of ransomware operations, including direct seizure of cryptocurrency wallets and sanctions against crypto exchanges that facilitate criminal transactions. The goal is to “manage the risk down” to a level where it is “more an irritant than a scourge.”
Similarly, in an interview with Aruna Viswanatha of the Wall Street Journal, which closed this year’s conference, Matt Olsen, the assistant attorney general for national security, pointed out “that national security law and policy lags behind technology, and that’s always a challenge.” Speaking in the context of the Director of National Intelligence’s Annual Statistical Transparency Report, released just prior to the interview — which, for the first time, estimated the number of FBI “U.S. person queries of the section 702 database” — he noted that while “the technology that enables our adversaries is moving very quickly,” providing enough information to Congress and the public to justify the authorities that U.S. law enforcement and national security agencies rely on to do their work will always be difficult.
So while the challenges associated with cybersecurity remain large and daunting, and the potential harms increasing in size and complexity, the conversations at this year’s Verify event pointed to a maturing, increasingly integrated field of experts evolving to meet them.