Tom Bossert spends a lot of time thinking about hacking. The former Homeland Security Advisor to President Trump who also served as the country’s Chief Risk Officer and Senior Advisor on cyber, left his White House position in 2018.
It happened just after Bossert spoke at The Cipher Brief’s Annual Threat Conference. He returned to Washington to find that under then-incoming National Security Advisor John Bolton, Bossert’s services were no longer needed. So, he went private.
Over the past year plus, Bossert collaborated with other cyber experts, many of them with government experience who had also entered the private sector. They wondered whether cyber experts focus primarily on end points alone as security targets, made sense. They speculated about how it would change the cyber threat landscape if they could focus on a relatively small number of capable hackers as well. How much of a difference would it make if they could disrupt the efforts of those hackers?
The Cipher Brief’s Cyber Initiatives Group recently caught up with Bossert to talk about lessons learned from both his time in government and in the private sector and about his new plan to hijack the hack.
Our conversation, which includes questions posed by Cyber Initiatives Group members has been slightly edited for length and clarity.
The Cipher Brief: Welcome, Mr. Bossert.
Bossert: Thank you. Since my last time talking to you formally was my last official public speaking opportunity while I was in my White House job, I am glad that my first public speaking opportunity now in my new startup is with you so, thank you for having me back.
The Cipher Brief: We are very excited to have you. Let’s talk about lessons learned both from your time in government and in the private sector. Since leaving government, what are some of the most developments in cyber that concern you the most?
Bossert: In the cyber security realm, I am struck by something in the existing cyber security strategy that came out shortly after I left, and that is a very small but very powerful sentence that suggests we still need to do work to determine the various roles and responsibilities – not only among and between different federal agencies – but among and between private actors, private sector and public sector, if you will.
For us to now be 15 or 20 years into this experiment and still not have a general sense for who should be held accountable for various forms of security in this space, really strikes me as a profound concession. I think at the technical level, most of your readers have a pretty deep understanding of what’s achievable, given the laws of physics and so forth, but the responsibilities for various investments and security standards at this stage are so spread and there are so many different opinions on them, that I am almost struck by a sense of impossible consensus building. In my new private role, I’ve come across customers that range in their views in such a dramatic way that some value security and some take active steps and measures to make it almost impossible.
The Cipher Brief: What about the more ‘aggressive’ approach that the U.S. government has taken when it comes to nation state threats in cyber? Will it make a difference?
Bossert: I’m not sure what I’m being asked to support. If there’s a criticism in that answer it’s not meant to be direct or stinging. I’m not trying to make news, but I suspect that the questions that would have to be answered before I could tell you that I fully support or don’t support all of those assertions in that strategy would end up taking most of our time today. Let me explain what I mean.
Tom Bossert, Former Homeland Security Advisor to President Trump
A lot of attention has been brought to this increased muscular language of offensive, almost ‘first strike’ type of cyber effects operations that it seems to imply. I’m not entirely certain that’s what this strategy is meant to imply. Perhaps it is suggesting that we should be unapologetic about taking steps to defend ourselves. If that’s the case, I support it whole heartedly.
If perhaps it’s a little bit of rhetoric to indicate to our adversaries that we won’t be tolerant, if that’s the case I support it whole heartedly. But if it’s instead meant to suggest that the United States is going to change its value set or scheme in such a way that it would justify our first act or our first move or use of cyber capabilities to cause physical effects in foreign countries for the purpose of achieving some larger geopolitical objectives, then I’ve got deep reservations.
It’s not within the standard value set of America to disrupt the power grid or bring down the operations of some foreign government unless they deserve it and there’s a pretty well keeled set of discussions that go into use of force, justification, proportionality, and so forth. What I don’t know entirely, and I think there’s some legitimacy in not knowing, is how much strategic latitude or ambiguity was intended by our current strategy. As a result, what will be interesting to see – but I’m respectful of its classification levels – will be what they’ve replaced the Obama era policy with. We know that they’ve replaced some of those classified directives, we just don’t know what those replacements say.
The Cipher Brief: What is your assessment of today’s cyber threat posed by China, and what will it take to manage that threat more effectively?
Bossert: Vulnerabilities remain, and they abound. Various companies have various capabilities and they’re all in some ways incapable of keeping up with a determined, Chinese intelligence collection operation. What we’ve seen with the Chinese was something that still consumes a lot of the intelligence community in their debate.
The first thing we saw was what seemed to be a reduction in their state sponsored cyber operation against the United States in particular in the commercial realm after the Obama, Xi Head of State agreement that garnered so much bipartisan support. I think a lot of people were tempted, including myself, to believe that there was a causality there. There was a linkage between that agreement post OPM and the Chinese reduction, not their termination of, but their reduction in their cyber operations. Subsequently though, we’ve seen that they used that time frame, whether by design or by opportunity, to re-organize, to improve their capabilities, and to streamline the approval process in the authority scheme inside their own government to make their current use of cyber effects operations more, effective.
There’s some beauty in the effectiveness of even the bad things that they do to us in some perverse way. As a result, we’ve also seen the uptick of their bad behavior. So, the question now remains, is it motive or was that their design all along? If it’s motive, is it because we’re now in some trade war?
Tom Bossert, Former Homeland Security Advisor to President Trump
I’ve often reminded people that cyber security is just an issue surrounding a tool and it’s not the entirety of the entire geopolitical risk management spectrum. I think the Chinese are using this tool again against us because they’re frustrated. I think they’re using it against us in the commercial sense because they perceive themselves to be in a commercially motivated trade war.
I think President Trump, at times chooses to reinforce that belief and at other times chooses to frame his trade speak with them in different terminology. And because he’s inconsistent, I think they’ve taken that as a green light to hit us harder on the commercial gains side, meanwhile paradoxically they’re increasing their IP protections within their own country for things that they don’t care as much about that are not in their 2020 and 2030 outlook strategies.
What do we do about it? I think that takes me to the first question you asked me, I am pretty comfortable increasing our gray space, people use different colors here, but using our current offensive discussion more aggressively. I just want to stop short of cyber effects operations that makes us as bad as the bad guys that we’re criticizing.
The Cipher Brief: You mentioned something about this recently at the World Economic Forum in Davos when you told the crowd that you wanted to introduce policies that would let the U.S. government get its hands around the necks of enemy hackers who cost the U.S. billions of dollars every year. What does that mean exactly, when it comes to hackers?
Bossert: The vast percentage of really high-end intrusions – the code, the programming and the payloads that are used against U.S. companies and U.S. interests – are developed by a smaller set of highly advanced code writers, call them hackers in this case. But there is a larger group of people than that who use those capabilities even within our own scheme of governance. The U.S. Cyber Command is made up of a large number of people that will use tools and elegant, exquisite capabilities developed by a smaller subset of essentially, weapons designers in this analogous world. What you have to do is figure out who are those people that really develop the cool and new capabilities against us, the exploitations that run against the vulnerabilities that we are constantly discovering? Then figure a way to either discourage them or to remove them from the game space.
I was perhaps, too lax in my terminology there and what I stated in Davos drew some criticism. What I was trying to do was explain that there is a lot of money being spent by the representatives and their companies in attendance at that royal economic event and that all that money was being spent in a defensive manner and that the government had a slightly different role and a larger remit and that the government could spend some of its authorities and money and resources on trying to actually get to the root of preventing or reducing some of these operations. I said colloquially, “We might be able to get our hands around the necks or the wallets of the smaller subset of these hackers.”
What I meant was the really smart ones that are developing the exploits as opposed to the larger pool of people that were using those exploits. Afterwards, the criticism was thoughtful. It came largely from the U.S. community and British community who said to me, “Are you suggesting that akin to the nuclear arms race, that we’re going to start seeing hackers killed in foreign use of force operations the way we’ve seen nuclear physicists killed in the Middle East? I suggested that that was not my intent and that I didn’t want to have all of our NSA Advanced Acquisitions hackers targeted for physical violence so, I had to pull that back a little bit.
Tom Bossert, Former Homeland Security Advisor to President Trump
My point was that the government could go after the root cause a little bit more easily and that private industry right now is left in a very costly defensive posture.
The Cipher Brief: That’s exactly how a lot of private sector companies are feeling. Let’s explore that just a bit further. You have said publicly that you do not support hacking back, why not and what are the risks as you see them?
Bossert: The hack back debate has been re-tread several times. Of course, the short answer to that is vigilante-ism never really pans out. You’ve got all the things that go into it. You’ve got potential miscalculations on attribution and then obviously our adversaries are fairly savvy and they look to obfuscate themselves and maybe even draw attention to third parties that they would enjoy putting the blame on, so our companies would get into an increasingly costly, increasingly risky, and increasingly disruptive practice of global or international vigilante-ism. I just don’t think it is a productive thing to engage in.
Every country is going to operate with their own set of rules and there are going to be mistakes made and tensions and escalations in the process. There are capabilities in the commercial sense, and I’ve joined a team of people that have found one of them, to improve the odds for the defenders in this case. For the companies that can’t hack the hacker and do something that would put them into this vigilante posture, they nevertheless need something that’s more effective, proactive, and that can allow them to increase the work factor on these bad guys, not increase the physical threat to the bad guys.
The Cipher Brief: You now serve as Chief Strategy Officer for a company called Trinity Cyber. To the best of my understanding, you are trying to hack the hack itself, not necessarily the hacker, by implementing a number of strategies to do that. What are those strategies?
Bossert: I can explain it this way – if you take the enormity of the problem, the increasingly large number of end points, users, and the complexity that goes into all of those things that make the internet easier for all of us to use – for example, when is the last time any of your readers has ever had to think about setting up a printer? That used to be a very complex task and we always valued our IT guy in the office who could do that.
Nowadays all of the complexity is obscured from the user. The number of end points are growing, the number of connectivity points are becoming different to manage, and of course, the Cloud has grown to consume not just data but all the compute power that goes into the online world in which we live and the enormity of that problem seems difficult.
What we did was ask a different question. What would it take for us to focus on that relatively small number of capable hackers that I alluded to earlier? What would it take for us to make their job, their mission, difficult? As opposed to focusing, not that we dismiss or don’t focus at all on the end points and the various applications and operating systems and so forth, but let’s not look at that.
Let’s make the math work in our favor and look at the relatively small group of advanced hackers, their tradecraft, and how we might disrupt it in a way that would induce into them, not a pain point, because that suggests some kind of hack back threat, but introduce some type of increased failure rate, work factor and frustration level for them?
Because remember, they’re bad guys to us because they’re good guys to the other foreign nations that pay their bills and they’re really just operating in a work environment where they have time and money like every other human being. As Chris Inglis used to say, “Human beings are the coin of the realm, not really budget.”
The human beings on the other end of this problem are smaller in number, smaller in volume, and their tradecraft and their methodology for hiding each new exploit is really not that different than it was two, three, five, or even 10 years ago. The team of people that we’ve amassed here, I joke on our website but it’s true, are actual geniuses. They’ve all passed their aptitude tests, have really big brains and have developed the capability to literally interrupt, and the key to this is in ways that should remain invisible, adversarial tradecraft in transit.
The Cipher Brief: We have a question from one of our members, who says ‘We hear a lot about business to government, government to business information sharing. We don’t hear as much about cooperation on offensive operations. Can you comment on what you see as the proper role for the private sector to interact with the government?’
Bossert: The premise of that is offensive, which could get me in trouble. If the private sector were to start providing a list of targets to the government, which is often the first response you get when you get into the vigilante question, they say, “Well if I’m not allowed to go and take matters into my own hands with the bad guy, I’m going to give you the name and number of the bad guy and you go take care of them.” If that’s the question, then I think the answer I will give might frustrate the questioner.
I think that it’s going to be a very difficult inflection point. I don’t think the U.S. government, at least at this stage, will entertain hacking back on behalf of the victims, they’ll first prefer to use other means and tools available to them from law enforcement, to information, intelligence, and diplomacy before they get into imposing a direct tit for tat consequence. Now that’s not to say though that they won’t take other – what I’ll call technical measures and steps – to try to interfere or influence or make harder the life of that bad guy that the private sector has identified.
I want to encourage the continuation of a reporting loop and I’d like to, and again I’m not being critical, but I’d like to motivate the current administration to develop means and methods of sharing that information without putting it behind the law enforcement cloud. A lot of companies, and I understand exactly where they’re coming from, have no interest whatsoever in calling a law enforcement entity because they’ve had some negative experiences in the past but they’d be more than happy to call a technical cyber security entity and report to them what they’ve experienced. The difference becomes what they will and won’t expose in their own networks to various authorities that might have some other law enforcement remit that could get them in trouble. The answer is we (USG) could do a lot better job on the receiving end of this reporting cycle. That goes for not only reporting threat information or sharing it back out, but also for reporting those larger tradecraft issues. If your questioner was asking about the, “Here’s the bad guy, well go do something about it,” I think the government can do more, in that it should find a better way of intake. I’m not knocking the FBI here, but I do know that there are limitations to how they receive information.
The Cipher Brief: What about commenting on what you see as the proper role for the private sector to interact with the government? Is there a proper acceptable level of information sharing between the two that we should have achieved by now or we may be able to achieve in the foreseeable future?
Bossert: Information sharing is almost an old cliché. It’s frustrating for those of us that have followed this for so long. Information sharing was encouraged, and it still should be, for the purpose of enabling a better collective defense if you will. Let’s think about how this works in the cyber world.
There are various ways companies subscribe to these different threat reporting services. Some of them come in through government services depending what sector your company might be in, and they take that information and they use it to essentially create a ticket that they put into their system that they then close. That’s a very simple way of saying that it’s a highly reactive response and remediation cycle that we’re in and we call that cyber security when it’s really a responsive form of resilience.
What we’re not doing is achieving that philosophical objective of sharing information so quickly that patient zero never becomes patient one or patient two. I’m not entirely sure we ever will. The better your system, the better your people are at ticket management, then the more advanced the technicians are that can look at the vulnerability and think through patches and solutions, then maybe the faster we’ll solve that problem. But there’s still the requirement that you have a person taking a ticket, managing it to some fruition, and then maybe a putting patch on.
I think that the information sharing game is important. It should continue, but I think that we need to start upping our game in a different way and that’s a little bit of what I was alluding to with the Trinity Cyber approach.
Tom Bossert, Former Homeland Security Advisor to President Trump
Looking at the methodology for hiding the new vulnerability instead of looking at that new vulnerability itself and then trying to take action on it in transit is a proactive approach, but it’s also a different methodology for detection. It’s to not focus on the algorithmic streaming, packing identification that might be bad, that might have a high false positive rate, and or relying on this better, perfect, efficiency point of information sharing under the notion on threat reduction. I think there’s a better way.
There are always efficiencies that can be gained if the government would intervene to help where information is concerned, but I also think we have to redefine what we mean by sharing and I’m glad that the reader asked about it in the context of offense. So, in other words, some of these high end SOC stats that we see, are really fun to work with in the position I’m in now. When I was in government, they were very different to work with. They would only provide that which they absolutely had to with their guard up. Now in this private solution space, we’re a vendor but we have a little bit of a different relationship with our customers.
The Cipher Brief: You started off this conversation talking about sorting out roles and responsibilities between the government and the private sector and the new cyber security strategy. Are there other countries you could point to that are further along in this process than the U.S. or are all states equally struggling with this division on labor?
Bossert: That’s a great question. All of these have been very good questions. I think the answer to that unfortunately is, I’d like to be full of bravado and say The United States of America is par excellence, number one, but in this case the British were out in front of us on the willingness to take gray space action, as long as it was sub-provocative I’ll call it, so that doesn’t constitute the level of annoyance that might start a war, but I think they were also ahead of us in their organizational concepts. Now they’ve got some different authorities there, they’re not quite suffering from the same federalism concerns that we are and there are pros and cons of course on a bigger analysis but, the British are probably just a little bit out in front of us in terms of how their staffed, organized, and resourced.
The Cipher Brief: Give us an actionable item we can walk away with. When you’re sitting with your family at Thanksgiving dinner in a couple of weeks, what advice do you give them about their own personal cyber security?
Bossert: My first advice is to not talk about cyber security at the Thanksgiving table.
My second advice, honestly, maybe I’ll take the first half of that question. The mistake being made by some pretty senior policy makers in this country is to complete this belief that we’re moving towards, and I believe we are, the return of what we call a major power conflict with a belief that cyber security is somehow an unrelated symmetric tool only used by small players. In fact, the cyber security vulnerability and the cyber security threat is increasing for the very purpose and for the very reason that the people that are most adept at using it are the people that are resourced within these major powers that are engaged in this conflict. The major power conflict that we’re returning to is a Cold War era struggle in which almost every other country is smaller and less capable than The United States and therefore motivated to use these asymmetric tools like cyber security to disrupt us.
I’ll give an anecdotal example of what I mean. The Iranians used to come after us with low level, not very sophisticated, denial of service type attacks, maybe in the 2010 to 2013, time frame. They went after some U.S. banks, notably, because they were very upset with our foreign policy and they thought they could influence change in it by doing so, but they were really, really unsophisticated. They then, post the JCPOA, the Iran Nuclear Deal, decided that they would change their behavior. They stopped coming after our U.S. companies, but they took their time like the Chinese did, to regroup and to increase their capabilities and their sophistication. They had that increased capability and sophistication and they didn’t use it against us during that relatively short period of time at the end of the Obama administration. Now they’re frustrated, rightly or wrongly.
I’m not defending the Iranians. I think they are a very destructive force. I think the President was right to call them out in a lot of regards, but post the JCPOA or this president’s decision on it, they had decided to take their capabilities, their highly advanced ones, and start coming back after us for saboteur purposes instead of the theft of intellectual property or some financial gain.
What terrifies me now is that their geopolitical motivations and their increased cyber capabilities are going to turn them loose on us in a way maybe just shy of an act of war but highly disruptive and costly. We’re starting to see them stuffing certificate requests and DNS requests and things that allow them to key harvest. That is a harbinger for bad things, and I am very hopeful that our U.S. capabilities are focused on it.
The Cipher Brief’s conversation with Tom Bossert included questions from members of The Cyber Initiatives Group. Find out more about joining this public-private group of cyber professionals focused on sharing ideas, information and techniques to make cyber safer for everyone.