Aspen Cyber Summit 2022 — Live Coverage
Good morning from New York City! We are here today at the 92nd Street Y, bringing you live updates from the Aspen Cyber Summit where The Record is serving as the Presenting Media Sponsor. You can watch live online to see Dina Temple-Raston, host and executive producer of our Click Here podcast, moderate panels throughout the day, or follow our live coverage below from reporters Martin Matishak and Jonathan Greig. We will be posting stories, analysis, and interviews throughout the day, and you can view the full agenda here.
Stay tuned for more updates...
ONCD hoping to grow to 100 employees in early 2023
By Adam Janofsky
Updated 5:02 p.m. EST
Kemba Walden, the principal deputy national cyber director at the Office of the National Cyber Director (ONCD), is delivering the closing keynote address and giving a one-year update on the Office’s status.
ONCD, which was established in 2021 by the National Defense Authorization Act, currently has close to 70 employees, “which gets us to initial operating capacity,” Walden said. She added that the Office is “hoping to get to full operating capacity early next year” with about 100 employees.
Last fall, National Cyber Director Chris Inglis said he wanted to have a fully-staffed office of about 75 workers within one year, but ONCD faced initial hurdles when lawmakers didn’t include dedicated funding for the Office.
ONCD is tasked with developing the Biden administration’s national cybersecurity strategy, which was reportedly expected to come out in September but has faced delays — Walden said she would not comment on when the strategy would come out, but added that ONCD has been hard at work on that and other projects.
“We’ve been sprinting a marathon,” she said.
Canadian cyber leader laments lack of ransomware reporting
By Martin Matishak
Updated 4:45 p.m. EST
The head of Canada’s top cybersecurity agency said a lack of reporting by ransomware victims remains an issue.
“The challenge we have in Canada [is] ransomware continues to be underreported,” Sami Khoury, director of the Canadian Centre for Cyber Security, said during a panel discussion.
Canada issued the latest edition of the government’s national cyber threat report just a few weeks ago. It described ransomware as a persistent threat, but only 304 incidents were reported, according to Khoury.
“We don’t have an official government policy on the payment of ransom,” he noted, though the government does recommend victims don’t pay.
Still, “there is value” in reporting, Khoury said, including potentially better understanding of such attacks, identifying the perpetrators and updating official government advice and guidance.
Intelligence officials discuss the growing role of public-private partnerships
By Martin Matishak
Updated 4:06 p.m. EST
Key U.S. intelligence community officials said their relationship with the private sector against digital threats has grown as their own agencies continue to emerge.
The clandestine community’s approach to cybersecurity was “kind of a mess” at first, Andrew Boyd, director of the CIA’s Center for Cyber Intelligence, said. “I think we’re farther along” now but “that didn’t happen organically, the private sector has to be part of this because they own all the infrastructure.”
Bryan Vorndran, the head of the FBI’s Cyber Division, said the silver lining to the SolarWinds breach was that the victim contacted the government with “immediate transparency.” The entities that best weather publicized intrusions are those that “stand up with broad shoulders and say, ‘Hey, I'm going to share immediately and transparently because this is in America's best interest,’” he argued.
Vorndran said within the government there has been a “maturation of process” among the national security agencies — and U.S. Cyber Command and the Cybersecurity and Infrastructure Security Agency (CISA) — that has made responses to digital incidents more “collaborative.”
Morgan Adamski, chief of NSA’s Cybersecurity Collaboration Center, said the COVID-19 pandemic forced the electronic spy agency to change how it shares data with private sector partners. She added the intelligence elements have also “really started to figure out what works” in terms of how and what to share with the private sector.
Boyd also said the run-up to Russia’s unprovoked invasion of Ukraine — where agencies shared details of Moscow’s months-long build up of forces — has boosted the relationship with industry, as well as the general public. “We don't like to share classified material with the press, but we did.”
A cyber post-mortem of the 2022 midterms
By Adam Janofsky
Updated 2:53 p.m. EST
On stage: Chris Krebs, founding partner of the Krebs Stamos Group and former director of CISA, with Jigsaw CEO Yasmin Green and Forescout Vice President of Security Intelligence Rik Ferguson, talking about the 2022 midterm elections.
"We stole that shamelessly from FEMA," @C_C_Krebs confesses about @CISAgov's rumor control that launched in 2020 and saw some activity during the #Midterms2022. #AspenCyber
— Martin Matishak (@martinmatishak) November 16, 2022
TSA chief praises critical infrastructure briefings, says they should have started sooner
By Jonathan Greig
Updated 2:07 p.m. EST
David Pekoske, the head of the Transportation Security Administration, said the government should always have been providing critical infrastructure organizations with classified briefings. His remarks came after the government held its first meeting on the topic at the White House this fall.
He also emphasized the role that the Cybersecurity and Infrastructure Security Agency (CISA) plays in the government's response. "We view CISA as the clearinghouse for cybersecurity in the executive branch."
Russia’s cyber personnel has ‘underperformed’ in Ukraine
By Martin Matishak
Updated 1:55 p.m. EST
A senior Pentagon official on Wednesday said that Russia’s cyber personnel “underperformed” during the initial invasion of Ukraine, prompting it to ultimately rely less on digital attacks during the now months-long conflict than was expected.
Speaking at the Aspen Cyber Summit, Mieke Eoyang, the deputy assistant secretary of defense for cyber policy, said Moscow “was not prepared for the conflict to go on as long as it did” and noted the Kremlin had sacrificed “intensity and sophistication” in order to rebuild its arsenal and avoid potential conflict that would draw in NATO.
“We have to understand how those factors play against each other,” Eoyang told the audience.
Read the full story here.
FTC's Bedoya: More resources are needed to enforce privacy violations
By Adam Janofsky
Updated 12:30 p.m. EST
Privacy officials and experts said that privacy laws in the U.S. are moving in the right direction, but Alvaro Bedoya, a commissioner at the Federal Trade Commission, said he's concerned that the agency does not have the resources to adequately enforce new privacy legislation.
"Frankly for the Commission, what would be most helpful is resources," said Bedoya. "Congress passes a law and says FTC, you enforce it... and yet our staffing is lower than what it was in the 1980s. The law Congress is considering is terrific... but for me my main concern is that if Congress tells us to do something, they give us the resources to do it."
States have largely created a patchwork of privacy laws in the absence of federal rules, but in recent months lawmakers have taken steps to enact new privacy legislation.
"People have wanted this for a very long time, and there are not many issues where you have Democrats calling for it, Republicans calling for it, businesses calling for it," said Alexandra Givens, president of the Center for Democracy & Technology.
Although it's unclear what new resources might be earmarked for the FTC to enforce such a law, Matthew Platkin, New Jersey's attorney general, said some states are already bulking up their privacy staff — though states could also use additional resources, he said.
"We are aggressively building out our data privacy team... and are expending it rapidly," said Platkin. "We need to be providing state AGs with resources" so we can be effective.
Cyber apprenticeship sprint pays off, says ONCD official
By Jonathan Greig
Updated 11:46 a.m. EST
Camille Stewart Gloster from the Office of the National Cyber Director said the cybersecurity apprenticeship sprint led to 2,000 organizations wanting to learn more, 194 new cybersecurity registered apprenticeship programs, and over 7,000 apprentices hired during the 120-day sprint.
Thousands came from the private sector; 27% were people of color and 28% were women. The DoD invested heavily and had the largest apprenticeship program.
Camille Stewart Gloster from @ONCD said the cybersecurity apprenticeship sprint led to 194 new cybersecurity apprenticeship programs, over 7,000 apprentices hired during the 120 day sprint
27% #POC, 28% women. #DoD had largest program @TheRecord_Media #aspencybersummit
— jon greig (@jgreigj) November 16, 2022
Solving cybersecurity's workforce challenges
By Adam Janofsky
Updated 11:34 a.m. EST
Craig Newmark, founder of Craigslist, is on stage talking about how he decided to contribute more than $50 million to cybersecurity workforce efforts so far.
He said growing up in the "duck-and-cover" era made him more aware of the need for a whole-of-nation response to major threats. "We need everyone to play some role in defending the country if they can," he said.
Newmark emphasized the need to start workforce efforts early, adding that he's working with groups like the Girl Scouts and Girls Who Code to reach kids as young as 7 years old.
"I'm not the nerd you want, but I'm the nerd you got," he added. You can read more about Newmark's efforts in this interview he did with Click Here in April.
Cyber lessons from the war in Ukraine
By Adam Janofsky
Updated 10:32 a.m. EST
Next up — The Record's own Dina Temple-Raston moderates a panel on the cyber lessons learned from the war in Ukraine. She's joined by Mieke Eoyang of the Department of Defense, Oleh Derevianko, co-founder of ISSP, and Gary Steele, president and CEO of Splunk.
A big topic was the surprising impact of non-state actors, such as the IT Army of Ukraine and pro-Kremlin hackers.
"You don't have a lot of non-state actors who have theater missile systems, but in cyber you do see non-state actors who have the capability to rival that of non-state actors. It does mean it becomes a very complicated thing to defend against," said Eoyang. "It complicates attribution, because how do you engage in deterrence or response when you're not sure if the people who attacked you are state actors or non-state actors?"
Ransomware attacks at 'unacceptable levels,' DHS official says
By Martin Matishak
Updated at 10:23 a.m. EST
Rob Silvers, Under Secretary for Policy at the Department of Homeland Security, weighed in on the overall threat landscape when it comes to digital attacks on the rest of U.S. critical infrastructure.
"I wouldn't get too complacent," said Silvers, kicking off the Aspen Cyber Summit. "We see enough attempted intrusions and successful intrusions every day that we're not letting our guard down even a little bit," he said when asked about the lack of high-profile breaches like the ones that marked 2021.
"I don't really see a pause."
Ransomware attacks are also at “unacceptable levels,” according to Silvers, who referenced the recent assault on CommonSpirit Health.
Silvers, who chairs the Cyber Safety Review Board that examined the Log4j vulnerability, teased that the group’s second investigation would be announced “very soon.”
"We've now built up significant permanent staff. We have procedures in place," he told the audience. "We're really going to be able to hit the ground running in a collaborative way with companies who share information with us."
Kaseya, Colonial Pipeline responses touted as a success
By Jonathan Greig
Updated at 10:14 a.m. EST
The Department of Justice's Eun Young Choi touts the department's work with Kaseya as a positive example for victims wary of coming forward after ransomware attacks.
Choi also said the ransom from Colonial Pipeline was seized just one month after the ransom was paid.
Choi said victims should contact the FBI, CISA, or DOJ.
Treasury official: Sanctions on hackers are a 'financial death penalty'
By Adam Janofsky
Updated at 9:58 a.m. EST
Officials from the Department of Justice, Treasury Department, and the Institute for Security and Technology take the stage to talk about virtual currency regulation and combatting cybercrime.
Eun Young Choi, Director of the DOJ's National Cryptocurrency Enforcement Team, highlighted two seizures this year — a $3.6 billion seizure in February linked to the 2016 Bitfinex hack and a $3.3 billion seizure earlier this month that was originally siphoned from the Silk Road darknet marketplace.
"We're getting better at this…" said Choi. "We're applying that not only to ransomware to the broader operations of cybercrime as well."
Eun Young Choi from the #DOJ says more than $3 billion in crypto seized from exchanges and #darkweb this year #aspencybersummit @TheRecord_Media pic.twitter.com/w1M4uR0nyb
— jon greig (@jgreigj) November 16, 2022
Heather Trew, of the Treasury Department's virtual currencies division, flagged how the Office of Foreign Assets Control (OFAC) has been ramping up sanctions on cybercriminals and nation-state hackers.
"We'd be remiss to not mention sanctions, they're a critical action…" she said, adding that there have been around 11 such designations. Doing so is like "applying the financial death penalty to designated persons or in some cases jurisdictions."
Read more insights from the panel here.
DHS's Silvers: 'We can and should have confidence' in election security
By Adam Janofsky
Updated at 9:12 a.m. EST
The event kicks off with Rob Silvers, Under Secretary for Policy at the Department of Homeland Security, who is being interviewed by The Wall Street Journal's Aruna Viswanatha. First topic of discussion: election security.
There were "no specific or credible threats to election infrastructure on election day..." Silvers said. "We can and should have confidence in the integrity of the election."
"I wouldn't get too complacent," @DHS_Policy says when pressed on the cyberattacks on U.S. critical infrastructure. Notes the govt sees "enough" attempted and successful intrusions to be on guard. #aspencyber
— Martin Matishak (@martinmatishak) November 16, 2022
Adam Janofsky is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.