Former CIA Director John Brennan said that the Federal government should create an independent commission to regulate the digital domain.
Brennan said that the commission should be made up of former government officials and private sector engineers to ensure that there are representatives of both backgrounds.
“The last thing I would want is the government to take control of that digital domain,” Brennan said at the Gartner Security and Risk Management Summit on June 14. “Innovation by building walls and other types of things is just feckless.”
The independent commission would be the best venue to discuss the intelligence community’s use of zero-day exploits to gain information about foreign adversaries without notifying the affected companies of these vulnerabilities. This dilemma has been discussed recently because of the WannaCry ransomware attack, in which hackers exploited a Microsoft vulnerability that was known to the National Security Agency.
“This is where there is this understandable tension,” Brennan said. “The government and the private sector is going to be continuously challenged by the digital domain and what we need to do together and that’s why I continue to harp on the idea of bipartisanship.”
Brennan said that the group could discuss the potential benefits to the intelligence community, such as stopping a North Korean missile, versus the potential disruption or theft of data from private sector companies.
Brennan said that during his time at the White House, many agency heads were daunted by the scope of the digital sphere. Brennan contributed to establishing the National Counterterrorism Center after 9/11 to safely and quickly share data on terrorism with the intelligence and defense agencies. Brennan also reorganized the structure of the CIA to work more collaboratively with the growing digital world and stood up the Directorate of Digital Innovation.
“Every organization needs to have a digital strategy, not just a cybersecurity strategy,” Brennan said. “The U.S. government needs to do a lot more than it’s doing to date.”
Brennan said that the government needs to continue to discuss how to pre-empt cyberattacks, how to deter attacks, how to punish actors, and what level of attack deserves a response. The government would consider responding to an attack on a private sector company; however, it’s difficult to tell where the attack came from and whether a foreign government had knowledge of it or if the hacker was acting independently in the cyber realm, according to Brennan.
Brennan said that he’s investigated attacks by private citizens that the governments of China, Iran, North Korea, or Russia didn’t order, which makes it difficult for the United States to form a response. Brennan said that the collaboration between individual hackers, organized crime, and foreign governments will increase over time.
“We are a nation of laws,” Brennan said. “I don’t think we want to necessarily stoop to the level of what the Russians are doing.”
Brennan said that as the digital sphere grows, the number of attack vectors also increases, including spear phishing, cyber weapons, and insider threats.
Brennan said that at the White House he was continuously deploying systems to filter out emails with malware and telling people “not to click on that damn link or attachment.”
Also, cyber weapons, unlike physical weapons, can now be quickly developed and deployed. They can also be stolen and used against the United States. Brennan also affirmed that it’s possible to apply the Second Amendment to the digital sphere, giving people the right to bear cyber arms.
Brennan also was aware that all of his employees at the CIA continued to “honor their oath.” As adversaries continue to develop weapons in the digital sphere, they still rely on people to do some of the damage.
“Moreover we find people–not just at CIA but other places too–who didn’t realize the negative impact of what they were doing,” Brennan said. “They were just doing somebody a favor.”
Brennan said that the growth of the Internet of Things and automation will affect all parts of daily life, but the government doesn’t have the right authorities and plans in place to manage them successfully. Industry can emphasize the importance of digital challenges by involving the senior officials at every company.
“You cannot relegate this issue to your technical experts,” Brennan said. “Those COOs, CEOs, and boards need to become intimately involved.”