NSC’s Neuberger on mitigating cyberattacks: ‘We should be using an operational approach’
Just five months after President Joe Biden tapped Anne Neuberger to be his deputy national security adviser for cyber and emerging technologies, the Colonial Pipeline ransomware attack took the country’s largest fuel pipeline offline for six days. It was something of a wakeup call: Across the country, gas prices spiked, fuel supplies plummeted, and there were gas lines up and down the Eastern Seaboard.
Neuberger, who was a top official at the National Security Agency for more than a decade before moving to the White House, has spent the last three years looking for ways not just to prevent attacks on U.S. critical infrastructure but also to mitigate the damage they can do if they happen.
Click Here spoke with Neuberger about her mitigation strategy, the growing cyberthreat from China and the White House’s latest cyber initiatives.
The interview below has been edited for length and clarity.
CLICK HERE: I wanted to start right away by asking you — is there a vision of a lasting, sustained management of cyber risk?
ANNE NEUBERGER: So traditionally we would think about cyber risk with questions like: How quickly has a network patched critical vulnerabilities? How much have they upgraded and patched their software? And I think we're thinking now more and more that we should be using operational measures.
For example, if a hospital is attacked by a ransomware attack, how quickly can they recover? If a pipeline is disrupted, how confident are we that they can be back up within four hours? So really bridging those traditional cyber risk measures with the traditional operational measures that we do to test the health of an organization.
Because what is most important to us from a cybersecurity perspective is preventing the disruption of critical services that Americans rely on, from water to pipelines to electricity. … We [also need] the right operational risk measures to ensure we're taking the right steps.
CH: So who picks up the baton in the physical world to mitigate the risk?
AN: The physical and cyber are interlinked. We lean on regulators who are responsible for understanding safety in their sector. So for example, the Transportation Security Administration looks at railways and looks at whether our trains are safe from a potential physical attack. [They] ask questions like: Are their signaling systems safe from a cyberattack? We need to bring those two together increasingly into one set of risk measures.
CH: So let me ask the question in a different way. If you have something like Colonial Pipeline, which had a ripple effect of crimping fuel supplies to the East Coast, how do you stop something like that from happening?
AN: Well, first, fundamentally, it begins with requiring the critical infrastructure owned and operated by the private sector to have minimum cybersecurity in place. The same way in the physical world, we'll have, for example, guards on windows on a certain floor so a child can’t fall out. Similarly, there are minimum practices. Like in the case of a pipeline, the network connecting the traditional corporate part and the operational part that controls gas flow [need to] have separations, so a hacker hacking somebody's email can't disrupt oil in a pipeline. So that's the first set.
[And then] if an attack occurs, how quickly can they recover? And what are things that may need to be in place — like storing oil and gas — to be prepared for this? Or practices like having truckers who can drive overnight so when we restart, we can get gas quickly to places where it's needed.
CH: I had heard risk management was going to be moving out of the Cybersecurity and Infrastructure Security Agency and moving into the Department of Homeland Security. Is that true?
AN: DHS is the overall coordinator for critical infrastructure and CISA plays a key role in that within DHS. There are two models of working on cybersecurity. One is the CISA model, which is voluntary public-private partnerships. CISA gives out very good advice on how to handle cybersecurity risks.
The second model is the regulatory model, namely organizations like TSA and the Coast Guard. TSA, for example, is the regulator for pipelines, for aviation, for rail. The Coast Guard is for ports.
They set required rules that private entities who are regulated by them have to meet. The power of DHS, increasingly, is bringing those two together. So the regulators can make sure that the excellent advice CISA gives about how to mitigate specific threats is actually implemented on the ground.
So right now they're within the secretary of DHS's authorities, and they're integrated within DHS. From a White House perspective, what we are doing is saying — for each of the … critical infrastructure sectors — does the regulator have the authorities, the skilled people, the knowledge they need to ensure that cybersecurity is at the level required to be one step ahead of the threat?
CH: We've been talking a lot about the Chinese and critical infrastructure in recent days. Are the Chinese getting the message that pre-positioning in our critical infrastructure is a problem? How do we know that?
AN: The big change that we've seen in China's cyber operations is a shift from espionage — the stealing of national secrets, stealing of corporate intellectual property — to pre-positioning in critical services like water systems and pipeline systems.
That's concerning because it potentially could give China the ability to disrupt operations, whether we're seeking to deploy soldiers during a crisis or there is some related deployment of military operations.
So as a result, we've had a three-part strategy to tackle that. Part one: ensuring that the critical services have minimum cybersecurity practices in place. And we've started that journey. Different sectors are at different places of maturity. It will take continued focus and partnership with the private sector who own and operate that. But right now, setting the minimums and using regulatory entities to hold companies to it [and] guide them on the journey — that's step one.
Step two is getting out focused mitigation — the good advice that CISA, the FBI and the intelligence community have been publishing, not only giving warning, but giving the practical steps companies need to take to be more secure.
The third part of that is discussions with the Chinese at high levels to convey and to discuss rules of the road.
CH: And is that third part actually being pursued now?
AN: There have been high-level discussions of that.
CH: And do the Chinese understand that this is not something that they should be doing?
AN: I can’t speak to that. What I can say is we’ve conveyed the message, and we are taking the steps to really harden our critical infrastructure [and] to convey publicly as well as in more sensitive channels to allies and partners — because we see some key allies and partners being targeted as well — about the importance of this, and to build coalitions to really harden infrastructure and communicate those rules of the road together.
We've talked about the threat from countries, namely China, and we also see significant threats from countries like Iran and North Korea, which are evading sanctions, hacking, and stealing a lot of money from the crypto infrastructure.
Some of the most significant threats in terms of disrupting hospitals and schools are coming from criminals. And the White House has put a real focus on bringing together the various tools we have in the U.S. government to make progress on that.
CH: Are you referring specifically to recent takedown operations or more than that?
AN: I'm talking about three sets of things. Piece number one is hardening our companies so they're more secure. Piece number two is disrupting the infrastructure, like FBI Director Wray talked about, as well as the movement of money. Things like our Treasury Department designating crypto mixers, the entities that mix good money and bad to enable laundering of bad money.
And then the final piece is building the international partnership. In October of 2021, the White House launched the International Counter Ransomware Initiative, then with 30 countries — it's grown to 56 countries, including Interpol and the European Union — to really tackle the threat together via both combined operations. So some of those disruption operations are done with other countries, as well as with setting common policies.
For example, a first-ever policy that governments won't pay ransoms. Because what we're working to do is, knowing that ransomware is really driven by financial gain, turn off the spigot.
Make it riskier, costlier and harder to conduct those operations and change the numbers.
Right now, for 2023, American entities paid more than a billion dollars in ransoms. Think about what we could accomplish if that money was spent on cybersecurity. We want to both incentivize spending the money to improve our defenses, as well as not allow criminals who are doing it for financial gain to incentivize the next attack and the next one after that.
Neuberger at the 2024 Munich Cyber Security Conference. Image: MCSC
CH: One of the things you said in your fireside chat at the Munich Cyber Security Conference was that you felt like the cadence of these takedown operations wasn't enough. And that even though we're talking about sanctions for mixers, these sanctions are kind of a Band-Aid operation. Can you talk a little bit about that?
AN: The adversary sets the pace. And when we see rising ransomware attacks, rising attacks disrupting hospitals, hospitals turning away ambulances, that tells us we [the U.S. government and the private sector] need to be doing more.
More disruptions of the infrastructure, more communicating with virtual asset service providers to make it harder to move money, and more partnerships among countries to reinforce the steps we need to take to make it harder for criminals to be successful.
And on the second point, my point was to say that criminals are creative, they're innovative, and they're persistent. Which means that when we do a designation — which we have to do so that an element of crypto infrastructure that's laundering money doesn't get the legitimate funds that allow it to do that laundering — we shouldn't expect it's a one-and-done.
Instead, we expect that that gives us three to six months of time where it is harder for an adversary to cash out, or we see the money frozen in the blockchain. And we need to keep iterating quickly and adapting as they are.
CH: So what does success look like for the federal government's role in artificial intelligence — which is obviously another one of your portfolios — short-term and long-term? And what do you think is a reasonable achievement?
AN: President Biden has talked about the promise and the peril of AI, and both are core to his approach.
[We] saw it in the president's executive order, which … included steps to encourage use of AI. For example, in areas like education where you have a classroom full of children, each child is learning a different way. Imagine the power of AI to tailor the questions that are being asked to the areas where the child is weakest or, eventually, [to] the style of learning.
On the peril of AI, in the president's executive order, it outlined certain approaches to loans and hiring to ensure transparency on the way data is trained and on the way those models are used. I think our obligation from a government perspective is both to drive forward with appropriate risk controls on the areas where AI has tremendous promise — the fields of cybersecurity, health, [and] education — as well as building risk controls in the areas where they have risks.
So one of the areas in the president's executive order, for example, looks at risks to critical infrastructure from [the] deployment of AI. And tasks different agencies to study those risks and determine what's the delta risk. What's the risk to use, for example, artificial intelligence in a water chlorination system to adjust those levels? And ask the agencies to look carefully at that and come back with their risk assessments so that we can look at what additional regulation [and] training may be needed in that space.
CH: And when are you hoping to get those assessments back?
AN: Those first-level assessments have come back. We're working through them now. Some sectors have done more deep work. Others have said that there isn't much deployment of AI in those sectors. So we're looking across all of those now as we really think through next steps, as I talked about.
CH: Did anything in those assessments surprise you?
AN: I think what was most interesting that agencies described was the way in different sectors AI has been deployed. In some cases, smaller, more innovative firms have led. In others, larger ones who've had the resources, who've been really thinking about training models and risk controls like financial services have led.
So it was interesting to see how the factors are not standard across different sectors.
CH: Has it been applied more rigorously or more deeply than you had expected? Have people jumped on this more quickly than you thought they would?
AN: I think that's what we're still delving into.
CH: When you first started your role, the nation was dealing with the SolarWinds hack. Then it was the Colonial Pipeline, and you were the only civilian cyber leader in place at the White House. And now these different threats have emerged. We've got AI. We've got different ways that China is starting to hack. How would you define your role today in the midst of the changing landscape in cybersecurity?
AN: There is so much work to be done in securing the nation in cyberspace. And I think one of the biggest challenges is rapidly improving [the] cybersecurity of existing deployed systems across the country, while also looking forward and saying, how do we use emerging technologies quickly? And how do we secure those emerging technologies?
For example, there are ways to poison AI models. So the balance between the two really takes the partnership of all of us. I've really greatly enjoyed partnering with the new national cyber director [Harry Coker]. We worked very closely together at the National Security Agency. He's a tremendous leader.
One of his first steps was to focus on workforce because that's a constant perennial challenge as we talk to state and local governments and say, “What's your first challenge in securing your county, your state, your city's infrastructure?” And they say, “Skilled people.” So that partnership has been powerful in terms of, practically, the role definition from a White House perspective. We set policy, we set the rules of the road, and then we check in with agencies to see how they're doing.
Agencies like CISA, like the FBI, like the Department of Energy, and regulators do the operational implementation. I noted the great work CISA does, often in partnership with the intelligence community and the FBI, issuing guidelines, [such as] what are the steps everyone should be taking to be safe.
Everything takes a team. And the team is made up of agencies playing different roles.
At the White House, we largely coordinate across all those different tools to say … what's the progress that we've made? Where is the threat? Where do we need to be? Where is the opportunity? Have we fully gleaned it?
CH: Microsoft has been in the news a lot lately about how it's failing on some cybersecurity fronts. How often do you talk to them, and why isn't Microsoft held to a higher standard given that basically they're ubiquitous across the government? And how will you address that?
AN: We talk to Microsoft frequently at multiple levels across the U.S. government. For example, the intelligence community has really made significant strides in sharing threat information with key elements of digital infrastructure in the United States because our education, our businesses, our government all rides on that digital infrastructure.
So it's a back-and-forth discussion. Microsoft and other companies share their insights regarding the threats that they're seeing. We clearly talk with companies like Microsoft as we buy technology, setting our expectations regarding the cybersecurity in that technology. And really, in the government, we've been improving the standards we hold companies to.
The president's Executive Order 14028, which was issued right after Colonial Pipeline, really set cybersecurity standards for the development cycle of software for the first time ever [by] applying some of the lessons learned from SolarWinds. And then finally, we talk about post incidents. When we ask hard questions about how did that happen?
Companies who are key [to] digital infrastructure in this country expect a lot because they carry a lot of national risk. So our expectations that they be at the cutting edge of cybersecurity – both because, as a government, we use their technology, and because as elements of American innovation and tech, they should do so – is certainly a conversation.
CH: There was a big controversy about logging and being able to see the logs yourself, whether you had a premium or regular Microsoft Office account. Has that been worked out?
AN: [Federal Chief Information Security Officer Chris DeRusha] took ownership of that issue, so we can check in with him. The federal CIO is at the White House because they were coordinated across the White House. The federal CIO and CISA kind of own dot-gov and are responsible for that work. They would be the ones who are most on point.
CH: You're doing new projects with schools. This initiative seems to get at the bigger picture you discussed — that cybersecurity is becoming a broader interest and getting other sectors involved. Can you talk about this educational program?
AN: Flashback to Labor Day of 2022, the Los Angeles School District – one of the largest school districts in the country — faced a ransomware attack. They weren't sure if school could open the next day. And we had an FBI team on the ground. The president was tracking it closely to ensure the school could open.
And it really highlighted to us the rise in criminal attacks against schools. In cases like L.A., shutting down the school. In cases like a number of schools in Minneapolis, stealing sensitive records of kids — kids who had gone in for counseling — and releasing that on the dark web. So following that, the White House convened an event: Back to School Safely.
This past August, the first lady hosted it. As a teacher herself, she takes this seriously. And among the programs we launched, one was free cybersecurity services for schools with less than 2,500 children. Now, there are 9,600 such districts in the country, and we want 9,600 such districts to be signed up.
Every school district with less than 2,500 kids [should consider] Project Cybersafe Schools, and figure out how they enroll to ensure their kids can be safe from these kinds of criminal attacks.
Cybersafe includes secure emails and secure protective DNS. Think of it as a perimeter. If there's an infected system beaconing out to a malicious command and control server, it blocks it.
Those are the services there. Because we see that those are the key ways that schools are often hacked – a spearphish email or an Internet connected system that is not maintained. The program also includes the Department of Education and CISA-published guidelines for how schools should maintain their systems, [and] bringing together superintendents to educate them on contract language as they buy school tech.
But the key one is the first, which really is hands-on cybersecurity protections.
CH: Are you actually going to be teaching them how to be good cyber citizens, or is that not part of it too?
AN: Yes. CISA does a number of evaluations of schools where they go into schools, help do assessments, and then guide on that.
CH: This is great. Thank you so much for doing this.
AN: Thank you.
Dina Temple-Raston is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”
Cat Schuknecht is a senior producer at the Click Here podcast. She’s previously worked at Gimlet Media, NPR, and on shows like Hidden Brain and Reveal. She was a finalist for the WGA Awards in 2023, and stories she worked on have been up for DuPont Awards and Pulitzer Prizes. Cat also teaches audio storytelling at Loyola Marymount University.