We're responding in election cycles:' Niloofar Razi Howe on the big changes needed to prevent the next SolarWinds attack

In a hearing held by the House Committee on Appropriations last week, Niloofar Razi Howe described 2021 as "one of the most consequential years in cybersecurity—and it's only March."

Between the fallout from the SolarWinds supply chain attack, Microsoft Exchange vulnerabilities, and a surge in ransomware incidents, cybersecurity experts in both the private and public sectors have a lot to worry about. The Biden administration and lawmakers across party lines have made the incidents a top priority, with many calling on the U.S. to harden defenses and aggressively respond to nation state intrusions.

Howe, a senior fellow at the New America think tank who previously served as chief strategy officer at RSA Security, says it's an opportunity to rethink how the government handles cybersecurity and develop a long-term strategy. Although our adversaries are playing the long game, "we're responding in election cycles... We're never going to win this if that's the case," said Howe, who also serves on several corporate and government boards, including those of Recorded Future, Dragos, Morgan Stanley Private Bank, and IREX.

The Record caught up with Howe recently to talk about transforming government agencies like the FBI and the Cybersecurity and Infrastructure Security Agency, the need for new information sharing policies, and why going after ransomware actors will hurt adversaries like Russia. The conversation below has been lightly edited for space and clarity.

The Record: How do the SolarWinds and Microsoft Exchange incidents look in comparison to other cyberattacks we’ve seen in recent years, and what response do you think the U.S. needs to take?

Niloofar Razi Howe: There have been a lot of briefings and testimonies both in the Senate and House—I actually testified last week to the House Appropriations Committee, Defense Subcommittee, and we're going to have more inquiries as it continues to unfold because these are massive breaches, and because of a lack of mandate to disclose details, we haven’t gotten to the bottom of the scope of it yet. But from my perspective, one of the important lessons that comes out of SolarWinds is an understanding that implants in our supply chain are very hard to detect. You can't scan for them, you have to decompile and reverse engineer them. And when you listen to Kevin Mandia at FireEye or what Microsoft has talked about in terms of the number of hours it took to do this—doing forensics on thousands of machines in a few days, tens of thousands of files decompiling thousands of executables—that takes immense resources, and there are very few companies in the country that can do that.

In some ways, we're really lucky that the attackers tripped up the way they did, because FireEye and Microsoft had the capacity to do the work that it takes and put the human power against actually doing root cause analysis. So that's the first piece—finding implants in the supply chain is really hard, and we're going to have to address that issue in a purposeful way going forward. 

The second lesson that's come out of this for me is that we have to compel information sharing and cooperation even when PII [personally identifiable information] hasn't been breached. FireEye chose to come forward on this—but they didn't have to and if they hadn’t, Russia would still be collecting information. So we need to come up with an information sharing mandate that goes beyond PII. We need to come up with a scheme where infrastructure providers have an obligation to inform the cybersecurity community and, frankly, society when these massive breaches happen and provide the technical details necessary for folks to adjust their security posture. The government should require disclosure in their contracts and that could be a way to essentially force information sharing.

The third lesson from this—it's interesting to me that some people call this an intelligence failure. I don't see it as an intelligence failure because frankly we do not have the ability to gather intelligence on U.S. infrastructure, which is what Russia and China used to launch these operations. NSA Director General Nakasone testified to this effect last week. So it can't be an intelligence failure when the authorities don't exist for intelligence agencies to conduct intelligence operations. Now, I'm not necessarily advocating that we need to change that. Do we want the FBI to be listening in on U.S. infrastructure? Do we want NSA to be doing that? What if it’s the best way to stop Russia and China? It’s a good question to ask, and until we have the ability to track nation state adversaries through U.S. infrastructure without the current cumbersome process of getting warrants, we're going to continue having this problem. I’m not being cavalier about civil liberties or privacy—they matter immensely, and any solution we create has to be consistent with our values. But until we come up with a solution, and good ones have been offered up to Congress, we will have this blind spot, which is U.S. infrastructure, that our adversaries are exploiting—not just with SolarWinds, but for IP theft using U.S. infrastructure. Lawmakers have to start thinking about this, how do you raise the bar in terms of who gets to use U.S. infrastructure and spin up virtual private servers? Do you have an anti-money laundering-like schema where you have to know your customer so that criminals and nation state adversaries can’t use our infrastructure against us? That's all being discussed, and we're going to have to turn into that and come up with a mechanism to make it harder for our infrastructure to be used against us.

One last observation, we know that ransomware attacks are evolving from both SolarWinds and Microsoft Exchange intrusions. Reducing ransomware should be our top priority from a policy perspective. And ransomware is the thing that is taking up so much time for all the security practitioners and distracting them from finding more sophisticated intrusions. If we could reduce the noise on ransomware, if we could impose costs on countries like Russia for harboring Ransomware gangs, and you guys just did a great interview of a Russian ransomware gang leader who was bragging about his business, then we can have a win. I think the norms are pretty well established. I don't think there's anyone out there who thinks ransomware is a good thing or who wants to enable it. We can create rules of engagement around stopping ransomware and develop multilateral agreements to reduce, eliminate, and punish the people who are doing it and the countries who are harboring them like Russia. 

We need to come up with an information sharing mandate that goes beyond PII. We need to come up with a scheme where infrastructure providers have an obligation to inform the cybersecurity community and, frankly, society when these massive breaches happen."

TR: To follow up on your last point, law enforcement seems to have a difficult time arresting ransomware operators. How effective do you think it will be to prosecute more of these criminals?

NRH: It's interesting you say that because we recently came out with indictments against North Korea and the question was posed, well, what's the point of indicting North Koreans? We've also indicted a lot of Russians. We've indicted Iranians who do similar things. It does actually have a chilling effect when we show that we are going to come after you and we're going to name you and the world knows who you are. And by the way, now you can't leave your country because if you do and go to a country where we can extradite, we will extradite.

So there is value in criminally indicting folks who run these operations. Second thing I would say is we have a lot of tools of national power that we can use, not just against the people who are running these ransomware operations, but the countries that are harboring them, economic tools. And I think those are the tools that we need to use. And that's why it has to be a multilateral agreement. You are absolutely right—it’s a lot harder to go after the individuals who are doing it, who are living in countries where there's no practical negative effect for running these operations. But if you go after the countries that are allowing this to happen… We can come up with a scheme, we’ll need to have world agreement around it, we should not be doing this alone. But we can come up with ways to make it harder to do it without being traced, harder to do it anonymously and painful and expensive for the countries who choose to do it.

TR: You were talking earlier about supply chain implants and how that needs to be addressed. That's been an issue that lawmakers and cybersecurity experts have been aware of for several years, but I don't think that there's been that much traction. What would an effective plan look like to you?

NRH: Well, I started by saying this is a really hard problem to solve, but it doesn't mean that we shouldn't try to solve it. And you can see, for example, in the UK they've taken steps to try and do that—they have created this trusted list for vendors. To address the supply chain issue, we need to understand what our most critical systems are and make sure that the software that's being deployed in those systems, that there's a certification program for the vendors who provide that software, there's some basic check. We have to identify the critical software and subject it to even more stringent risk assessment. But we've always said in security: if you try and secure everything, you secure nothing. And it is about really understanding what are the critical parts of the supply chain and how do you make sure vendors are living up to a minimum certification requirements. Like I said, the UK is already doing some of this, so it's not impossible. Right now, we don't have this and we have to have it. 

The other thing you could do—there are industries where the regulators impose costs if you don't have the right cyber posture. If you look at financial services, for example, the regulators in the financial services industry will impose fines on the entities they regulate if they don’t maintain the right cyber risk posture. We don't have anything like this for our infrastructure providers. Now, I'm not necessarily advocating for doing this, but it is definitely a tool we have—to impose costs on infrastructure providers who get breached because when they get breached it affects a broad ecosystem. And now we have these heterogeneous environments with these complicated handshakes and no one else can do it. For me, if I use Microsoft services, there's nothing I can do about Microsoft’s security posture. Only Microsoft can do something about it. So do we start thinking about having oversight and penalties associated with not having appropriate risk posture? That would have an effect.

TR: Others have proposed that the government should play a more active role in securing critical infrastructure—essentially acting as the CISO for certain systems. How do you feel about that approach?

NRH: This is where capitalism comes out. Set the right market dynamics and market pressures and behaviors will change. So if you start creating a scheme where you oversee and penalize inappropriate security posture, organizations will move toward securing their infrastructure. But also, again, information sharing is really important here. If you look at this breach, there's no audit trail for Office 365 breaches. And so as an organization that's using Office 365, I'm 100% reliant on Microsoft to tell me what's going on. There is no law that compels Microsoft to give me information when no consumer data is leaked. I'm not a particularly pro regulation person, but there are places where I think it can make a difference. This we should at least explore.

TR: To take that point a little further, there’s been a lot of talk about things like software bill-of-materials, in which companies inform you of all the software that goes into their technology so you can better understand when you’re vulnerable to an attack. Do you think that kind of system could be created without regulation, because companies could see it as a selling point for their technology?

NRH: I think when it comes to critical systems and critical software within those critical systems, we need to set up a scheme and a certification program to make that work. We already have standards—NIST 800-53 set some really good standards for doing this. But we need to have a scheme for validating, for certifying, for enforcing. I don't think this is something that the market is going to embrace on its own because I don't see the market pressure for doing it even now. The other thing that's super hard is if you say bill of materials, how far am I obligated to go? Is it second party risk? Is it third party risk? Is it fifth party risk? Is it ninth party risk? There are some companies that have looked at, for example, supply chain risk within DoD systems and found that if you go far enough, our fighter jets are more than 50% Chinese made. So you've got to be able to go that deep to really figure it out. 

I don't think the right thing is to leave it up to every organization to figure it out for themselves. For example, take the energy sector, which we know is high risk. We shouldn't ask each utility to figure out for itself which vendors are OK and which vendors are not OK. We should have a scheme where either the Department of Energy or some organization defines what the critical systems are within a utility sector and creates the trusted list of vendors that are OK and have met the certification program and which ones haven't. It makes no sense to me to have every organization have to figure that out, to know for themselves. I don't think it's efficient to be that way and I don't think it's responsible or even doable to do it that way. And this is a space where the sector specific agencies can actually play a remarkably important role.

If [the Biden administration] could reduce the noise of ransomware, we can do everything in security a lot better. And that's a near-term win that should be fully achievable."

TR: And in some ways it feels like the system we have now is more about nudges—a government agency warns other departments about a company like Huawei, and that pressures private companies to take a deeper look at it. I feel like a system of trusted lists is probably just a more efficient way of reaching the same goal.

NRH: I think so. I guess maybe that takes me off the capitalist list. But we're talking about critical infrastructure. We're talking about specific use cases. I just think we've got to go there and that'll have a spillover effect into other industries as well.

TR: One last question around critical infrastructure: If you were asked by the Biden administration to give them your big moonshot ideas to secure these systems, what would you recommend?

NRH: If they could reduce the noise of ransomware, we can do everything in security a lot better. And that's a near-term win that should be fully achievable. If they can realign our agencies against real priorities to help the critical infrastructure sectors and especially figure out what role the sector specific agencies can play for the critical infrastructure sectors that they serve, I think that would be really important. I think figuring out how to regulate infrastructure providers so that they don't create systemic risk and how you compel information sharing becomes really important. And the last piece, of course, is we've got to solve this problem of being blind on U.S. infrastructure. It's just being used against us. 

TR: There’s been a lot of talk about reorganizing the government around cybersecurity—what changes do you think are most important?

NRH: For each of the agencies that has a role to play, the answer would be a little bit different. There are policy experts who are much better at all of this than I am, but what I would say is with CISA, we stood it up, Chris Krebs outlined some very bold goals for it, and we now have to operationalize it.

My true hope is that whoever ends up leading CISA understands transformation and organizational capability building because that's what CISA has to do. It has to define what it’s going to be best in the world at, how it's going to protect private sector and dot gov. Is it going to be the front door for those things? Is it going to develop incident response capabilities for dot gov? Is it going to partner with sector specific agencies or compete with sector specific agencies? Is it going to be responsible for creating the supply chain risk assessment framework and the vendor trusted list for that supply chain, or is it going to do more than that? You've got to really define what CISA is going to be best in the world at. 

To some extent, the FBI has to decide if it's in the prosecution game or in the prevention game. If it's in the prosecution game, and what it's trying to do is find criminals to prosecute, that implies that it's going to behave a certain way. If part of its job is prevention, then it might behave a different way. But the FBI is hampered with what it has to do legally in order to pursue warrants when we know adversaries are faster than our legal system allows law enforcement to be. And for DoD, I actually think it has done some really remarkable things that sets the example for how you do it right. It stood up and operationalized Cyber Command in 2010 at NSA. It is fully operational now and it's dual hatted, which has operational benefits. Another example is NSA standing up the Cybersecurity Directorate in 2019 to put a focus on its cyber security mission. NSA uniquely has the obligation to defend national security systems, our weapons systems and the defense industrial base. By standing up the cybersecurity directorate, it created a focus around it. They've been really good about becoming transparent about the metrics they're trying to hit and what they're doing and working with the cybersecurity community. So I think with respect to the DoD, it has shown that it can stand up a new directorate, stand up a new command—space command is the newest one—operationalize them, set a strategy, and go after it. And look, it's the military, right? To some extent they know how to do this. We now have to do the same thing with CISA in terms of really operationalizing it, figuring out how it doesn't compete with the private sector, but supports what the private sector needs. And we need to figure out how to make the FBI more nimble and agile in today's environment. 

And then we need to decide—again, broken record—what role do the sector specific agencies play here? How do each of these groups work together? For example, if CISA was responsible for creating the supply chain risk assessment and the critical vendor trusted list for critical infrastructure, who's doing the technical work to actually certify those vendors? Is NSA doing the technical work to do that? The NSA had historically set the building codes and standards for what secure technology looks like. Do we put them back into that role more broadly than they are in now? So we've got to figure all of that out.

TR: When you say the FBI needs to decide if it’s in the prosecution or prevention game, do they need to pick one or the other. Can they fulfill both roles?

NRH: Hopefully they can fulfill both roles. And I really hope that's the mandate, because so much of what we need to do right now is to prevent bad things from happening. And if you think about the private sector and you think about CISOs when they're dealing with a ransomware attack or they're dealing with any number of bad things that happen inside networks… prosecution is not high up on the priority list. You're just trying to get back to operation. You want operational resilience in terms of all the things you're doing.

So if the FBI wants to partner with the private sector in terms of having the same priorities, then the priorities have to be around that as opposed to prosecution. But you also need to impose costs for bad acts. And again, that's one where given that so much of the bad acts don't happen inside the U.S., we've got to be really good world actors, make sure we have multilateral agreements and we're going after folks together. And we do that, and it's brilliant, right? There's all sorts of bad activity we stop hand-in-hand with with other countries. And when the norms are really well set and everyone's aligned against it—taking down Silk Road is an old example—we can do it.

TR: Turning to CISA for a second, a lot of lawmakers and cybersecurity experts say that what is holding them back revolves around budget. Do you think that’s secondary to defining the mission and figuring out where it fits, or is that the first thing that needs to be addressed?

NRH: I don't think it's a budget issue necessarily. I do think it's about having the right leadership, setting the right priorities, and then energizing people to come work there. And you always do that if you have the right person in place for setting the right priorities and you believe it's the right thing from a career perspective. We have negative unemployment in the cybersecurity industry. Having said that, everyone cares about the mission. So if you can articulate the right mission, you can convince folks to come there. And it's got to be good for their career—you're going to have to set up the right training program and make it a win-win for everyone, because there's no question you're going to be taking a salary hit working for government in cyber versus working in the private sector. So what's the trade off? Mission can be a piece of it, training could be a huge piece of it. But there's ways of making it exciting and getting the right talent in place isn't hard if the mission is defined correctly and if the right leadership is in place to ensure success against that mission. People just have to believe that.

We also have to be able to bring people back and forth in cyber because there's things you can only do and see in government and there's things you can only do in the private sector, not just make money, but other things. And so the best thing is to be able to have cross pollination between those sectors, which gets me to a whole other issue around security clearances and fixing that problem so that folks can go back and forth much more easily, and having an on ramp off ramp program… but that’s a whole other conversation.

TR: This might also be another conversation, but it makes me think about how other countries, like Russia, have been able to recruit top cybersecurity talent to work in government.

NRH: You can also look at Singapore. The most prestigious jobs in Singapore are in the government. If you look at the NSA or Cyber Command, they have authority to do things that you can’t legally do in the private sector. You get to do some really cool stuff and you get to really appreciate what the adversary perspective is while still doing the right thing. That has huge value. 

TR: When we talk about SolarWinds and the federal cybersecurity apparatus, it seems like the U.S. is unprepared for a lot of emerging threats. What do you think needs to be done to stay on top of it?

NRH: Cyber underpins most national security threats these days. What we as a country need to be is clear eyed around the threats we face, whether they're in cyber or broader than that from a national security perspective. We need to be non-provincial in the way we deal with them, in the sense that we have to think strategically about the country we're building and how we want that country to thrive and how we want the people to thrive and be purposeful in terms of the strategy we build to address it. I know I'm being very high level and theoretical right now, but we've got to lay out the tactics to go against it. What happens now is we're responding in election cycles as opposed to having a long term strategy. We're never going to win this if that's the case. 

If you look at China, for example, China is playing a very long game and they will play a generational game. Xi wants to bring Mao's vision of bringing China back to its rightful place as a world leader. He wants to make it a reality, and we need to understand that. The Chinese have a very long view of how they're going to go and accomplish this. So if we're working in two to four year election cycles, we're never going to be able to stand up to our adversaries who are playing a very different game and using soft power, hard power, sharp power to to achieve their goals.

We're responding in election cycles as opposed to having a long term strategy. We're never going to win this if that's the case."

That to me is the beauty of democracy—one of the hard things about democracy is you don't just get to define the strategy and go against that regardless of what the people think. You have to bring the people along through the process. And how we lead this next turn is really going to make a difference because we have committed adversaries who are using all their tools of national power, including cyber, and they are doing it with a speed and agility that is truly breathtaking. And not just against us—they're using it broadly against the world. China is committing two simultaneous genocides. They're committing a cultural genocide against both the Tibetans and the Muslim Uighurs. They're trying to push their surveillance platforms, selling them throughout the world on predatory lending terms, and we're sitting back and watching this happen. What are we doing about it? How do we think about it? How do we respond to it? What's the world that we envision and how do we make sure that that world, which is hopefully just, prosperous and inclusive, actually survives through all this?

TR: How do you see the relationship between China and the U.S. over cyber security developing under the Biden administration?

NRH: It is yet to be seen. We—and by we I mean all democracies around the world—have to be clear eyed about what China's goals are. And it was a little bit disheartening to me how Biden was treated in the Munich Security Conference recently, where both Macron and Merkel didn't quite embrace what he had to say, partially because of China. And they're not willing to walk away from China, which supplies a ton of goods to both France and Germany. And it's very short sighted to me because there is no question in my mind that if we don't stand up to what is happening in China right now, we will end up on the wrong side of history. And again, I'll go back to they are committing two simultaneous genocides in addition to everything they're doing in cyber, in addition to the surveillance platforms they're building. And when I say genocide, a million Uighurs have been disappeared, 13 million are being oppressed. Bosnia was 8,000 when the world was up in arms. When 3,500 Yazidis were captured by ISIS and used as slaves John Kerry declared that a genocide. And how we're not up in arms over this—the largest mass internment since WWII, I just don't understand it. 

I hope that we as a country, we as a people, we as all democracies, have an understanding of what China's long-term goals are and that we are purposeful about the policies that we put into place and understand that it's not benign. IP theft to surveillance to all sorts of norms that we just aren't aligned on. We have got to be thoughtful, purposeful and take the long view standing up to China.