Royal Hansen

December 8, 2022 (Episode 230)

Taped December 6, 2022

BILL KRISTOL: Hi, I’m Bill Kristol. Welcome back to CONVERSATIONS. I’m very pleased to be joined today by Royal Hansen, Vice President of Security at Google, someone who’s worked at high levels on the issue of cybersecurity at many financial services firms and tech firms, and has given this a lot of thought; briefed people on the Hill and journalists, as well as obviously working with his peers in the area on all the interesting questions, many of the interesting questions, at least raised by the real challenges of cybersecurity. I look forward to getting educated on that today and I’m sure our audience does as well. So Royal, thanks for joining us.

ROYAL HANSEN: Thanks for having me. Looking forward to it.

KRISTOL: I really appreciate it. You’re a busy person, so I really appreciate you taking the time. So cybersecurity, the name, it just gets thrown around a lot. What is it? Or what are the threats that we’re worried about and how serious are they? And give a little bit of a brief briefing on this for those of us who aren’t in the middle of that world.

HANSEN: No, it’s a good starting point because that word has come to mean a lot of different things to people. I like to think of it in two ways. The first is cybersecurity is relevant anywhere you’ve had technological or data driven innovation over the last 20, 30, 40, 50 years. So instead of thinking of cybersecurity as maybe air or land or sea, anywhere there’s technology that’s changed the way we do work, changed the way we live our lives, changed the conveniences, think of all the conveniences that have been brought to bear on the last couple decades, cybersecurity is the safety, reliability, availability of that technology. So that’s the one area, really it follows the innovations anywhere we’ve innovated, invested, changed.

The second part, and there’s a simple acronym people use, C.I.A., confidentiality, integrity, and availability. So oftentimes, we get focused on the confidentiality. You read about a breach. It’s most of what we have, someone stealing information. But really, that’s just the first step of safety in the broadest sense. We need availability, if these things aren’t available. An outage from a major platform is a huge deal these days. And then integrity, the even more subtle dimension, is, do we have confidence in the data, in the technology, that we’re relying on for all those conveniences? So put it together, everywhere those innovations occur: confidentiality, integrity, and availability. It’s almost like quality, you could say. Is this doing what I expect and not being abused or misused for other reasons? That’s how I think about cybersecurity.

KRISTOL: No, that’s great. That’s very helpful. So I think what we’ll focus on today, and this is less maybe individuals, the security of individuals, credit cards, which is not unimportant, or businesses who presumably can to some degree watch out for themselves and are doing so, and we will touch on these of course. But really, for me, having been in government and we’re here in Washington and politics, it’s the political side. So what is the big picture cyber security of the United States, if you want to put it this way, the way we think of our security in terms of the seas and the air and space and of course land security?

So say a word, I guess, about that, because all these other parts are important too and it’s all, I suppose, related, but how much is it the same challenge that the US faces, that I, Bill Kristol, face, that someone could be stealing my identity or using my credit card or reading my emails? And how much is it just a whole different thing?

HANSEN: Yeah. No, it’s a great question and probably has multiple layers to it. And maybe even, as we think about it, it’s important to think of the data and technology that underpin a society in a world where every industry is modernizing: healthcare, financial services. The reason I started in financial services for most of my career was because the old adage, “that’s where the money was.” The bank robbers, the reason cybersecurity mattered to a bank is because you were protecting money, because money had been digitized first. But as everything is digitized, you have a cybersecurity dimension to it, including that of individuals.

So I think of it as almost a biological ecosystem, if you will. So each hospital, each family, each government, each small business, each public sector division has its own story, its own technology, its own data, and hence its own cybersecurity. But to your question, they do add up to more and more complicated questions.

And I think what’s most important is not to think of cybersecurity as if you can solve it technically and then go on with your life. Our lives are too technical and too digital now to not think of cybersecurity and safety as part of the same challenge.

So take an example. Let’s start actually with an individual. Oftentimes, identity theft is the experience people have, but that’s usually just the first step in a much more complicated set of — Think of the bad guys as having an operation. They’ll steal money or identity from an individual, but then they’ll take control of that computer. And then they’ll sell access to that computer to some organized criminals who will be aggregating all of these home computers to behave in ways that they will then sell to someone else who wants to take down a website, who wants to mine crypto. And so that then goes even further, and you might then see nation states who are hiring the hackers who broke into these computers and says, “You came up with something very clever. Can I buy that?” almost like it’s a weapon? “I’ll pay you for it,” and then I use it for my own purposes as a nation state.

So I think the important thing is, it’s all interconnected. And even when you read about identity theft, well, it might seem like just a mugging in one part of the world. It’s all part of that same ecosystem because on the internet everyone is connected to everyone else.

KRISTOL: Yeah, that’s so interesting. And I was going to actually get to this later, but I think we should do it now because you’ve raised it, really, indirectly, which is, I feel essentially if you’re in traditional national security, you’ve got your military and that’s part of the Defense Department and you’re worried about its security, you’re worried about the nation’s security, obviously against terrorism. So there’s civilian aspects of protecting civilian infrastructure as well and all that.

But basically, protecting the security of your nuclear weapons. Well, the government has the nuclear weapons. I feel like traditional national security is much more government centric, let’s say, though obviously it’s to protect the nation as a whole, not just the Pentagon or the Congress or whatever.

Whereas I do think one of the striking things about cybersecurity is just your account. And one thinks about it for a second, you could do a huge amount of damage to US national security by taking down the financial system of the US, which is 95% in private hands. You could take down the Fed. That would be bad too, but it’s almost as bad or maybe worse to take down Citibank and Goldman Sachs or whatever and steal whatever, destroy the interconnection— well you can imagine what people could do. So does that make it a particular challenge, that it’s the nation that has to be hardened against the threats, not just having good security at the military bases themselves, so to speak, or for the nuclear weapons wherever they’re stored?

HANSEN: Absolutely. And it’s the reason, again, back to why I spent most of my time initially in financial services, I felt like that’s where the action was, where I could help citizens be safe was at a bank because we were running the data center, we were running the website, we were making the money transfer. The same thing is true at Google and why I’ve enjoyed this next stage of my career is that cloud computing or Gmail — Gmail has billions of users. We protect 1.5 billion inboxes from 99.9% of the spam, which includes the malware and the phishing attacks. And you’re right, that has nothing to do with the government. It’s a purely private sector initiative.

Even if you look over in response to the invasion of Ukraine, for instance, when that occurred, we rolled all of the Ukrainian citizens on Gmail into what we call our Advanced Protection Program, which is a passive, behind the scenes heightened security. So while tanks were rolling over the border, they didn’t have to worry about, “Well, am I going to be the target of a Russian threat actor who’s taking advantage of the moment or an organized criminal?” You see, every time this ambulance chasing occurs too, there’s a crisis, people prey on the victims because they send them a phishing email.

And so you’re absolutely right. A lot of this, there was a statistic years ago, 80, 90% of the infrastructure is in private sector. There’s really no way to calculate such a thing, other than to just look around and realize that every hospital, every bank, every ISP — Google pulls undersea cables with other large technology players between Europe and Africa, between Asia and the US. Those are private sector initiatives and networks.

KRISTOL: So this being a free country and a pretty private sector heavy country, which is good, I think, how are we doing? It’s such a massive challenge that you’ve got to get this hospital system and that financial services firm and this university and this local police department and all these people to be attentive to cybersecurity, because it can’t just be people sitting at the Pentagon a few miles from here who are worrying about it. So how does it work in practice? I guess I would even ask right now in terms of the government and coordination and then we can talk about what the threats are and how much we are doing and whether we’re doing enough. But how does it actually work?

HANSEN: It’s a complicated question, and I’m going to try and break it into a few segments. But I think the overriding story to remember — there was a paper written by Richard Danzig almost a decade ago at this point called, “Surviving on a Diet of Poisoned Fruit.” And it was essentially to use the experience of human evolution where we began to be able to eat fruit that had killed our ancestors, because they’re just poison enough or not poisonous enough that you could survive. It wasn’t that you needed a perfect world. I think you need to think of the internet as full of poison fruit.

But to your question of how we’re doing, in a weird way, we’re doing really, really well. It’s kind of amazing what has happened over the last couple decades. The things that are available, information that is available, even some of the things we were talking about just before this started. The innovations are amazing and they largely happen safely.

And so I think that there is this ecosystem that buffers one risk from another, even though there might be something poisonous about a certain technology, a certain company, a certain attack. But the ecosystem is incredibly powerful.

And in fact, that’s part of the power of the internet from the very beginning was to survive physical attacks, let alone technical attacks, was to be so distributed that you couldn’t bring it down. This was the origin of DARPA and the internet. So in that way, I think of it as an incredible story of human innovation that has brought us all kinds of things.

On the other hand, it is wildly federated. And so to your point, the biggest banks, biggest technology providers are pouring literally billions of dollars into keeping these platforms safe. Gmail or the cloud computing. But there’s still a ton of IT, information technology services that occur at local levels or in families. At that range between Google or a large bank and a small business, there are a lot of stops on the way, and the quality of that is different. So the ransomware attacks that you’ve seen over the last several years, in many ways, prey on the folks who are not investing with as much technology. It’s not their business. But they have adopted all this technology. And they haven’t kept it current. Something is not up to the standard of the kind of world class attacks that everyone’s subjected to.

But at the same time, Gmail, cloud computing is sweeping into those same spaces and saying, “Don’t hire your brother-in-law’s friend to maintain those servers under the desk in your printing office in a small town in Middle America. Put those on the foundation of a large cloud provider that’s maintaining them all the time, and by the way, is defending itself against nation state attackers.” You’re a relatively straightforward defensive strategy for them. And all of a sudden, they get out of that business and then get on with living their lives, productively, convenient. So again, back to this ecosystem, if we can keep that ecosystem open, free, safe, it does solve some of its problems with these innovations.

KRISTOL: Interesting. And how well are we doing on, I guess, the bigger aspects? That is to say one can imagine a situation where unfortunately, people are preyed upon by clever criminals the way individuals are and stores are and so forth, and it’s bad and something we should all work to curtail and to limit and to get rid of.

But it doesn’t pose the national security threat that taking down the financial system or introducing malware that confuses everyone’s accounts or that prevents hospitals from functioning or stops DOD from sending the correct orders to people out in the field or communicating among themselves on the battlefield if they’re fighting. It doesn’t pose that kind of threat. So on the more national security side of it, are we in pretty good shape? Do we need to be doing much more? Where are we in that spectrum?

HANSEN: It’s a good question. And I think the right way to think of it is we need constant investment in the safety of every innovation because it’s not static. We assume or think that there’s a moment where, okay, we’ve got hospitals, we’ve got banks, et cetera. But meanwhile you’ve got healthcare during the pandemic being delivered to people at home. And all of a sudden you need to think about, well wait a minute, what about the safety and integrity of home health visits? Not something that had been the focus, because that’s not the way healthcare had been delivered. So what’s really important is that there’s a dynamic capability.

Two other thoughts that sort of extend that: cybersecurity is defined by having an active adversary. So it’s not just that there’s this list of things that could go wrong, and for every new technology you say, “Okay, did we do A, B, C, D?”

Behind the attackers are innovators, and interconnected organized crime, or nation state spies who are thinking every time there’s an innovation, “How could I abuse that?” So I like to think of the old Mike Tyson comment that “everybody has a plan until they get punched in the face.” And so we want to think of it, yes, we’re in a reasonably good state in many ways. But that changes the next second, the next minute if we don’t stay ahead of what the adversary is going to attempt. So that’s one.

The other is the complexity does provide a certain set of, or some comfort or some safety. I worked in a bank for a long time where the CIO said to me, “I wouldn’t know how to steal money from this bank.” And by that he didn’t mean intellectually, he just literally meant he couldn’t have sat down at the computer and without anybody knowing written scripts and done things to transfer money. Banks are complicated entities. And so is society.

So I think sometimes we are lulled into thinking that, okay, it’s a ransomware attack or it’s stealing some information of a small business.

But I do think we need to keep worrying about the most sophisticated attackers doing the kind of things you described. But that’s a real escalation to take down a financial services industry or a stock exchange. It’s not to say those things aren’t possible, but they are very complex and they’re not something that one individual in a basement is going to be able to do. And so, really, I think of it as keeping pace with the innovations in each of these sectors. You need the safety of those to keep pace or we fall behind very quickly.

KRISTOL: And there’s an obvious kind of public choice, I guess we’d call it in economics, or a political economy problem of you’re depending on the private sector, Chase Bank or Citibank or whoever, to invest appropriately and to upgrade appropriately. But that’s their money, so to speak. They’re spending on it out of their revenues. And so unlike, again, if the federal government taxes us all to spend money on the military, well that’s a pool of money that is expected to be spent on that. How much do you feel like in general, the private sector, civil society, whatever, I mean, I don’t know. Maybe we do require them to do more? I don’t know how the laws work. But do you feel people are doing most of what they should be doing? Or is it a real problem that people are always thinking, “Oh, why should I be spending an extra large sum of money on this?”

I guess in some cases they have their own incentives. You don’t want to be the bank that gets the reputation of having its customers’ money stolen a lot. But some of these things are not visible or they’re longer term. I mean, you wouldn’t know that people had underinvested until disaster happens.

HANSEN: And again, I think it varies widely. I think you’ve got lots and lots of individuals and small businesses and companies of reasonable size who struggle to keep pace with the innovation, for sure. I think you’re right at the big institutions, where they spend billions of dollars on technology, this has become a board level issue. And it’s actually one of, I think, the ways in which this continues to get better.

But regulation, you touched briefly on it. At a bank, cybersecurity is a form of examination in the broader regulatory framework. And so each sector has added cybersecurity or other technology-related exams or standards as the banks or the entities they regulate have digitized. So I think in a way, that system has worked reasonably well.

Now the question is what things are common and should be done in maybe one standard way versus things that are unique to healthcare or finance or telecommunications. So I think there’s healthy dialogue in open and free countries about how to get that right. But it’s still an open question about the right balance. But people are in those spaces.

KRISTOL: And I guess it’s not as if these things are confined by country. As you’re speaking I’m thinking they’re not confined by national borders either. I mean, if we’re interconnected, obviously there are financial transfers flowing all the time between branches of institutions of different nations or institutions of different nations or national banks for that matter if you want to explain the financial side. And so if Great Britain goes down, we’re in a lot of trouble here. I mean, so I suppose there’s that kind of public choice, so more like a NATO alliance problem of everyone has to invest enough to make sure the alliance as a whole is strong enough. But the alliance here is kind of almost everyone, right?

HANSEN: That’s right. So I was thinking back to one of the earlier questions on infrastructure. What is a nation in cyberspace? It’s not an obvious answer. Is it the corporations and the technology? Is it the data of the citizens? A lot of these questions are being worked out. What does an individual expect? What does a corporation expect? What does a government expect?

And so you’re absolutely right. We are, as a company, because we’re a global company, we have relationships where we talk about infrastructure with companies all over the globe. And I think it’s incredibly important that we continue to keep that open and safe because you will see some countries try to impose their view of the internet for their country in ways that break up the conveniences, the freedoms, the safety of this interconnected infrastructure. So it takes some sophistication and thoughtfulness to not break those things, because the technology is complicated as you go down the stack.

KRISTOL: And I guess I’ll try to ask this question in the right way. And obviously you’ll answer using publicly available data and so forth and not proprietary or national security stuff. But I mean, how much are we talking about sort of bands of robbers, some of them very tech savvy or even parts of nation states kind of causing a lot of trouble, let’s just say. Which could be deadly trouble if a hospital system goes down or if it messes up our internal DOD communications or whatever. But still sort of trouble, bad trouble ranging all the way to actual biggish or whether they’re big or not but strong nation states, or strong in this area nation states, really building up offensive capabilities that could be an effective act of war as other kinds of offensive capabilities give them the opportunity to launch an attack. Is it more the first or is it all the way to the second?

HANSEN: Yeah, it’s all of the above with, again, that same division. So you have large players who you would expect, given their budgets and size and complexity, to be operating at levels that should be considered offensive in the way a war could be.

And look, they’re already used as part of hybrid operations. It doesn’t always have to be, again, this isn’t cyber as a completely separate domain. You would always see heavy coordination between the cyber part of a government and its military during a war. We already see that.

But on the question of, just thinking back to where you were on the —

KRISTOL: Yeah. Just sort of how much of it is, are we deterring small countries from doing damage in small ways? Or are we deterring the Soviet Union from attacking us? I mean, what’s the sort of reality out there?

HANSEN: Yeah. On the great powers view, there are the people you would expect, these are the great powers, the sort of large countries.

But what’s interesting about this space is, and we have a couple of good examples which we could share recently where we see corporations, small corporations, in jurisdictions where they can operate with some freedom, developing weapons and selling those weapons, these cyber weapons, to smaller governments who can’t invest the way the large players can, so that they have capabilities that begin to look like the largest players.

So again, the continuum develops and an ecosystem develops around it. Again, it’s almost as if it was a technology project. A technology project, you got to have experts who know how to break into things and then share information. That whole ecosystem exists. And you see a lot of people who live between the worlds. They make some money working for organized crime. And they may sell on their services to a nation state through a series of transactions as well. So the lines are very blurry. But everyone is trying to be a player in this space.

KRISTOL: Yeah, I guess this makes me think of, I think the military historians will often say that there are periods where the offense is dominant and then the defense kind of catches up, and then you have trench warfare for 50 years or something like that. And then there’s a breakthrough, the tank and the offense takes over again. And obviously we’ve seen that in the air and so forth. Well, does that even make sense in talking about this area and cybersecurity? And have there been such sort of oscillations? And are we in a particular moment right now?

HANSEN: It does. And I think as you go back to the birth of the internet, most PCs, most personal computers were developed to be personal computers. So the computational powers and the storage swept in, but never contemplated the idea that they would be exposed to nation state attackers. They were just in your living room. The moment those started to be interconnected with this explosion of personal services or corporate services on the internet, I do think you see a bit of a frontier moment where everyone’s working out how to do the innovation, but also how to attack.

I think we’re also now seeing though, if that’s the world we’ve been living in, cloud computing is, in a way, a return to the original computers. The original computers were giant computers in warehouses where they could be cooled. And you would get time shared on them or you’d maybe be connected to them and you’d get a little slice of the computational power. You might even submit your punch cards and then you’d get them back. And so you were sharing that.

But the beauty is you didn’t have to maintain the ENIAC’s patch level. That’s not what an individual did.

Cloud computing is this sort of unusual moment where all of that low level infrastructure—storage, computational capabilities, network, some increasingly sophisticated capabilities—you don’t have to have an IT shop. You don’t have to have a personal computer to do it. You can outsource that in a sense. You outsource the security of it to the big cloud providers.

And the beauty of it is that that’s not a security project. That’s an economic and innovation project. So I think that the good news is we’re at a unique moment, to your point about where we are in the history, where the innovation and the security are the same efforts.

So if we’re smart about this and we invest in ways that sort of have this continually updating security, we actually set ourselves up very nicely for the future. If we keep working where every company and every person has to do everything themself, we’ve already lost is the truth.

KRISTOL: That’s so interesting about, I hadn’t really thought about cloud computing in that way. I don’t know much about it anyway. But I mean I sort of had this vague, there’s the internet and then there’s a whole set of new challenges. But of course when you think, I mean, I think it’s very good the way you explained it that, yes, there will be moments where the internet works in a way that’s friendlier, as it were, to security or helps the defense maybe, if the defense is intelligent at least —

HANSEN: That’s right.

KRISTOL: — as opposed to the offense. And I guess the other thing military historians, just to go down that parallel for one more example is we’ll say, I think, is that there are times when being bigger, wealthier, bigger nation, either land mass or industrial capacity, gives you a massive advantage. I mean, if you’re in the US and you can produce a plane, a fighter plane every day, you’re going to ultimately be in decent — If you’re fighting a big world war, that’s a good thing to be. And similar with land mass in sort of older times if you’re Russia in 1812 or something. But there are other times at other technological advances that tend to level that playing field some. I mean, drones I guess, as opposed to producing massive complex F-35s. And so does that analogy also work here a little bit? I mean, with —

HANSEN: It does, and in good and bad ways both, to your point. In the nuclear comparison, you need nuclear scientists and you need incredibly sophisticated machinery to enrich uranium or I’m not at all versed in this, but I know enough to know that I don’t know.

But in cybersecurity, back to this point of selling weapons between groups, it’s kind of copy/paste. If you can copy and paste the text that is the code, or that is the vulnerability or the way you exploit the vulnerability, you can sell that to anyone. And so it does, I don’t know, democratize, is maybe the wrong word, but it certainly levels the playing field. Everyone can play some role in this. It’s often surprising when you see these attacks and they haul some teenager out of the basement who’s living with his mom. It’s not what you think.

So there’s definitely that element of it. It is why, and you’ll let me talk about this for a second, is that —

KRISTOL: Please.

HANSEN: It’s why the infrastructure and the investment as a country or of an open society is so important, because there is a dimension in which this has made it easier for small players to cause trouble broadly in society. In the same way that small players can help, that a small company can provide an incredible innovation. It also works in reverse.

So it matters a lot who is building the networks, running those cloud computers and who can keep the platform safe. Because we rely on this continual baking in of security and safety. If we were left to run on everybody’s home computer, sort of by proxy, the variation would be way too great to keep safe and secure. You’d be back to that surviving on a diet of poison fruit, eventually that poison would kill you. But if you build capabilities that allow us to survive with some tolerance for the messiness, for that copy paste attack, but takes away whole classes of vulnerabilities. No one’s maintaining a server anymore. No one’s maintaining an email server. Then you’ve eliminated a lot of the low hanging fruit for these bad actors and you make them be more sophisticated than the banking system, that CIO who can’t steal money. Even if somebody can hack into one computer, can they steal money from the bank? Can they manipulate the data in a hospital? It’s a much more sophisticated problem if you’ve invested in the infrastructure.

KRISTOL: And if I understand you, I think what you’re saying also is that if you, again use the military analogy, that after 9/11 we spent a lot of time learning how to fight counter-terrorism and that was pretty small unit focused, and a lot of, whatever General Petraeus did in Iraq and so forth.

And then everyone decided about 5, 6, 7, 8 years ago, “Oh, that’s okay. That’s sort of under control.” And anyway, now US isn’t really engaged on the ground in the Middle East, but China. So now we have to go to the other extreme and worry about genuine great power competition, and of course the military and the government does both. It has to do both. Because you don’t know exactly, you do have both threats.

But it sounds to me like it’s a pretty full spectrum. That you can’t sort of downgrade one side of this challenge or another, partly because I think of — I don’t know what the right word is. There’s not a strong barrier between one or the other quite as much as there is maybe in the real world. Either you’re a big nation or you’re not. If you’re not a big nation, you can do terrorism, terrible, but you can’t do certain things. And if you are a big nation, probably other things you’ll focus on in terms of your taking advantage of your enemies. But here, it seems like it’s more of a continuum.

HANSEN: It’s definitely more of a continuum. And just last week, I was in Washington DC and the digital minister of Ukraine was in the US for a variety of meetings. And it was interesting to hear them talk about how important it was, not just to be safe and secure, but to make the Ukrainian government IT services, in the way Ukrainian businesses operated, take a step function forward in the innovation and the capabilities. So even countries that are being attacked or in a war are thinking about their technical capabilities, not just through the safety lens, but how do they get ahead of these technical risks? So I was surprised to the degree that they were that forward-thinking about technology, even in the civil society, not just the military sense. It’s incredibly important for their future. That’s indicative of it.

KRISTOL: No, go ahead. I’m sorry.

HANSEN: No, that’s good.

KRISTOL: So speaking of Ukraine, what lessons do you take from that? I remember when in February when the invasion was imminent and people were wondering about it, there was a lot of talk about it. Russia seems to be pretty both advanced and aggressive in the cyber space. So will they take down the Ukrainian system or take down our connections even to Ukraine conceivably, or escalation obviously? And so there they are, they invaded and it’s brutal, and big land war in Europe, biggest one since ’45. What lessons are there on the cybersecurity front, would you say generally speaking, in the almost year since that’s been going?

HANSEN: That’s right. So the first is that that cyber war began in 2014 with the annexation of Crimea. So again, you can operate in kind of an asynchronous or less obvious way, and many of the biggest attacks we know of in the last eight years have their origins in Russian threat actors attacking something in the Ukraine.

And we saw a step up in that set of attacks, but it was again, a continuum, not as if the first time someone was trying to attack the Ukrainian systems. So that’s the first one.

The second is, and I talked a little bit about Gmail accounts in Ukraine and how people’s personal computing and small businesses computing matters enormously to their lives. It’s not like these were luxuries that they could put aside while there was a war.

So for instance, one of the things we did was we took the protections that we put in front of Search or our largest apps to keep them up against any kind of attack. And we had designed them to be deployed to small entities, so news sources or philanthropic or refugee websites that began to be attacked to take them offline. And so we put that, called Project Shield, in front of these small businesses. What was amazing is how quickly all of this happened. So the Gmail protections happened overnight. These Project Shield, putting in front of websites that citizens needed, happened over the course of days and weeks, because they were available, like we talked about before in these large technology or other services.

So A, the Ukrainian defenses had been practiced for many, many years on this front, and B, we have options. I’ve heard on your podcast several times how important it is to have options. It’s not to have every plan worked out, but it’s to have options depending on what happens. And I think in this case, you saw Ukraine take advantage of a lot of those technology options, and that’s a large part of why they’ve done well.

I think the other thing to remember is the sophistication required to perform a really complicated attack takes a whole lot of planning and operational planning as well, which isn’t to say it will or won’t happen, but that’s not a button that somebody’s waiting to push. Just like invading a certain part of Ukraine takes a whole lot of operational planning, so does a really sophisticated attack. So I still worry that those could happen, but I think it’s an escalation and it’s a level of complexity that is different than just saying, “Let’s take down some websites, or let’s take over some Gmail accounts. Let’s attack someone.”

KRISTOL: Yeah, that’s interesting. But I suppose deterrence works too. That is to say if one were advising Putin, God forbid, but whatever. And you’d say, “Look, NATO’s doing all this stuff. Can’t we disrupt NATO’s internal coordination or communications or US-Ukraine connections?” But I suppose at that point you do have the somewhat normal and international relations deterrence and the threat of retaliation, or does that work too in cybersecurity?

HANSEN: Yeah, I think it certainly does. It’s not the world I really live in, but that’s my sense. The capabilities, anything you can imagine you can do, you have to assume others can do.

That’s the other thing that sometimes we think in this world that the vulnerabilities or the problems we have, we could keep secret. And I think given that copy/paste nature of what we’re doing, you have to assume that any problem you have or any vulnerability you have is going to be made known and you need to defend against it rather than pretending you can keep it secret.

KRISTOL: And when you come to Washington, but I wouldn’t even make it that specific. But if you come to Washington, how much — Well, leave that aside. If you were briefing people in the executive branch or Congress, I guess, what would be your top two or three things they should worry about? What would you say? “Look, you know what? This is in pretty good shape. Just keep funding it the way you are, or keep the current legislative or regulatory structure in place.” And what two or three things when you do come here, do you tend to say, “This really needs some more work.”?

HANSEN: Yeah, so I think the first is making sure the country’s technology is secure by design or by default, is the only way we’re going to tackle this problem. So back to my cloud computing example and modernization. If what we’re going to try and do is patch or protect every personal computer and every mobile phone and every server and every network in the country: that’s not a scalable problem. That changes tomorrow, let alone the scale. So we have to invest and adopt modern technology platforms. It’s just like an infrastructure project, in a way. You got to keep a modern infrastructure if you want to run a safe, open society. So that’s the first one.

The second is the workforce, and we spend a lot of time thinking about how do we bring citizens across the country into this world? Not everyone’s going to become a hacker. Not everyone’s going to become a software developer, but increasingly people are actors in this space.

The choices they make about data, the choices they make about technology providers matter a lot. And so we think about the digital literacy work and how do we bring more citizens along, and all the way to how do we hire people into jobs where they can be productive in the private sector or public sector, but private sector is every bit as important, as a cybersecurity person. Demystify that, make it a job, make it a career. So I think the second piece we talk about a lot is workforce. How do we develop the citizens?

And then the third is that, and we alluded to it a little bit along the way, but the infrastructure, just like the banks, if you think back to the way the world runs. The world runs on large financial services institutions, largely a dollar reserve currency. At the moment, the world runs on western open technology infrastructure, but that’s not a foregone conclusion.

A lot of this technology is still being built out. And it’s important for an open and free society, which the US is built on and relies on in that interconnected way, that the foundations, everything from the networks, the hardware to the software and the data be running on rails, in a railroad analogy or undersea cables, that are provided by companies that support those same open and free ideologies. And so I think that’s the third one is that this is not just another market, we’re laying down the infrastructure for the 21st century, and it’s not all done. It’s not over.

KRISTOL: Yeah, that’s so interesting. And maybe we can close with that set of reflections on that, because on the one hand it’s so globalized and so international and obvious — not obviously, but I assume it would be somewhat self-destructive to be cutting off trade or not using minerals from all over the world and so forth and selling stuff all over the world. On the other hand, as you say, it can’t simply be — you sort of care that reasonable governments and friendly governments somehow have control of enough of the core infrastructure to make sure things don’t go wrong. How much of a tension is that, and do you feel like we’re doing a decent job of handling that?

HANSEN: I think we’ve done a decent job and maybe even a very good job to date, and in large part because we’ve followed the innovations and investments and conveniences of the internet age. But I do think your points are correct, and I look to the political landscape a bit for lessons.

We’re not saying that one safe set of technologies is the only way to survive, that would defeat the purpose of this interconnection and letting people innovate and share. So I think there’s a tension that we need to use society’s, an open and free society’s capabilities to keep finding that balance of secure infrastructure but still allows it to plug in to innovative with new offerings.

And I don’t think that’s a destination, that’s an ongoing process. But what you can’t do is lose that lower level foundation because you lose control of everything above it.

KRISTOL: Yeah, that’s interesting. I’m so struck so much by the public discourse, the last few years especially, obviously, has been so hostile to big tech, from left and right really, used to be a little more left back 10 years ago and now both sides, with no apparent recognition that some of the things they complained about, they may well be right to complain about, and some of the things are legitimate debates and real issues of sensible regulation and where to draw lines. A lot of very complex issues, obviously. But at the end of the day, we really should be happy, I think I’m right about this, right? That these big tech companies are mostly here, to be sort of parochial here, and American, I don’t know what, patriot or nationalist or something here. Just kind of chauvinist. It’s good that we — I mean the people here, invented these things or were able to get the capital to develop them when they were invented abroad, as I’m sure many were. The individual inventors are not necessarily all by any means American. And that these companies are headquartered here and susceptible to US laws and regulations. And obviously, they employ people from all over the world, and that’s good in my opinion. But the certain number of the key people making decisions are US citizens. I mean, the nation state doesn’t go away, right?

But I am struck how little kind of sense there is that that’s a pretty big asset of the United States of America going forward in 21st century. Right? And it needn’t be. It’s not only just that these companies could be in China and Russia, and I guess China is a more interesting kind of obvious competitor right now, but they could also be scattered all over the place. And that would itself be, it’s very lucky in a way that we were the heart of the tech boom for various reasons, I don’t know.

HANSEN: It’s why we up and moved the family from New York to California, because to work on that question felt to me like the most important thing a cybersecurity person can do. But if you’re talking about laying down the digital and technical kind of data-driven infrastructure of the 21st century in a safe way, where else would you do that? To me, it would be a tragedy to lose that asset and that sort of underpinning that we all benefit from in this open and safe internet.

KRISTOL: But I think your point here is — It’s not like, well, can we establish that like railroad lines? Once they’re built, you don’t have to worry too much about being the place that railroad engineers want to work for the next 50 years. You need to have enough people to repair them or upgrade them. It’s probably good to have new ones occasionally, but leaving that aside, in some senses, it’s much more of a — you can afford a lull in other areas of industrial development, let’s put it that way and —

HANSEN: I think that’s fair. There are standard —

KRISTOL: Right.

HANSEN: Yeah, there’s standards and capabilities which are being laid down for the first time in many cases here, and they will last for a long time.

KRISTOL: But also, the character of the internet, as you’ve been saying, is that it’s always changing too so that you can’t just relax and say, “We’ll let the Chinese have the next 20 or 30 years.” That would not work out well.

HANSEN: That’s right. That’s right. That’s exactly right. I mean, think of the debates about 5G, 6G, there are a few examples of this debate. I think though that this debate extends into the very mundane just compute network data centers.

KRISTOL: And if there were one or two things you would say people really just don’t see that they should see, or I mean, be aware of, even if they’re not going to become experts on, people who are watching this or whatever, what would you sort of urge them to educate themselves about a little bit more? You can mention particular books or websites if you want, but I’m just generally speaking, what is it that people don’t know that they should know? Or I guess what are their myths they believe that maybe they should be disabused of?

HANSEN: Yeah. I think the first is, and just sort of speaking even more personally, that your digital identity and your ability to authenticate with a website, with your email, just in terms of keeping yourself and your family safe, implementing what we call two-factor authentication where you get that code or you have another means of authenticating. Just again, it’s a lot of these step functions: it makes you so much safer. So that’s the first thing.

The second is I think the supply chain of technology and the supply chain of data I think is an area people can look more closely at. You don’t have to understand exactly how everything’s done, but where does this software that you run on come from? It’s a supply chain and it’s sort of cobbled together at multiple layers. And same with the data. Where is the data managed and where does it go?

And I think there’s an interesting, there’s business policy, understanding better the supply chain. I could pass along some papers on this and the associated data supply chain. To me, those are human, societal, political questions, not just the technical implementation. You don’t actually need to understand the firmware, but you can figure out, well, where’s the code coming from? And what’s the quality and security of that? What’s the safety of the data? And that, to me, is industry-specific, person-specific, policy-specific. People can do that.

KRISTOL: Yeah, that’s interesting. And in terms of the threats, during the Cold War, there were always these, “Oh, you hawks are making the Soviet Union 10 feet tall.” And the hawks would say, “They’re stronger than you think. Just because they’re behind in some consumer goods doesn’t mean that their weapons don’t work as well as ours,” and stuff. I mean, to the degree you can discuss, I mean, how much are we in peer-to-peer situation? How much are we a million miles ahead and we just have to just make sure we stay ahead? I assume it’s somewhere between, but I mean, what’s the truth about that?

HANSEN: The good news is that same investment in technology that we talked about and sort of the strength of sort of US or Western or others or the friends in this space are very good in this area.

The other thing though to keep in mind is the asynchronous nature of it. You don’t need a lot of people. This is not the nuclear analogy. Small numbers of individuals can be bad actors. And maybe they can’t pull off the taking down the entire grid, but they can, as we’ve seen, real critical businesses have been subjected to ransomware attacks that were not necessarily performed by the most sophisticated actors in the world.

And if you just extrapolate from that, the most sophisticated actors could do much more. So I don’t think there’s a one-size-fits-all answer there in that you really aren’t ever safe, because the adversary is innovating. And the adversary could be a small number of people. So it’s almost less about country to country and more about keeping the ecosystem safe.

KRISTOL: So I suppose if this is a big country that’s kind of hostile and has some territorial ambitions and has a well-educated large population of which they can draw very capable people, that is a real threat, right? I mean, China is maybe a little bit unique almost in sort of being —

HANSEN: No, I think that we often talk about Russia, China, North Korea, Iran as being very active in this area. But I think even to that point, Iran and North Korea look nothing like China, but they are countries investing in this kind of capability. So those are typical countries that you would hear people talk about.

KRISTOL: Yeah. And of course they can exchange just as with weapons and with nuclear programs, as we know, Pakistan is not as advanced a country as others, but guess what? They have a nuclear program because they were helped by others. And so I suppose there’s that question too of then the other guy. The bad guys can cooperate on both states, but also criminal groups almost, right? So.

HANSEN: That’s exactly right. I mean, this is back to this, and there’s been a lot of attention on it this year, and we even testified in Europe on this front, that this ecosystem of companies who were selling those weapons into second or third tier or size states to sort of prop up their capabilities is a real problem.

KRISTOL: Interesting. Last words, stuff that we didn’t cover that we should discuss or that people need to know about or, again, disabuse us of any myths that we might believe in?

HANSEN: No, I think the two things are, one, this laying down the infrastructure for the 21st century, super important. And then the second is, and back to this data and the supply chain, it isn’t as magical or mystical as maybe we want to think of it. It’s all grounded in — everywhere you can think of an innovation, of a new website that does something creative to help people, that’s what we’re talking about on the other side. Some bad actor is saying, “Oh, how do I take these technologies and combine them in a bad way?”

And so it’s not magic and it’s not space travel in that sense. This is just people using the innovations against us. And that sort of, I think, makes it more natural for a regular person to think, “Okay, well, wait a minute, how could this be used against me? It’s a neat website or this is a neat app, but this could also be used in the wrong way.”

KRISTOL: Now, I think that’s very important because I myself not being very techy tend to think as, “Oh, it’s sort of both the Wild West and extremely sophisticated technologically and scientifically, and therefore how could one even think to follow or track, if you want to put it this way, the supply chain of bad actors and see where one could intervene?”

But I guess what you’re saying is that it’s a little more like other — If you want your poison to get back to your poison fruit, if people are poisoning fruit, sometimes it’s hard to find who did it. And if you’re very clever, you can disguise maybe where you are when you do it, but there are ways to track such people down.

HANSEN: Yeah. And I think we choose the websites we use, we’re starting to choose the apps and the habits we build. It is worth understanding more about where that software, the data is coming or going.

I think we sometimes, because of that fear of the complexity, people assume that they have no role in making some of those decisions. And I think people increasingly can make those decisions and participate in the where is that software coming from? Where is that data? Who is this company, this website that I’m using to help run my family schedule on?

KRISTOL: Interesting. That’s terrific. Well, Royal, thanks so much for taking the time to educate us, and a lot to think about here. But I really feel that at least I think I understand the playing field a little better. And the challenges are real though. And I guess that’s my main take-away, that one of my take-aways is you can’t just solve it and then wash your hands and say, “Okay, well security’s done, now we can go back to something else.” Right? I mean, this is much more than even normal situations where you can’t of course wash your hands, you need a police force 24-7 and so forth, even if crime is down.

But here it really is, the bad guys aren’t resting and things keep innovating and changing and the dangers are real, right? That’s the other thing I guess one should just maybe stress. I mean, one’s own personal experience of this is so much annoyance or inconvenience. I have to get a new credit card because someone got the number, and luckily they reimbursed me so it’s not that inconvenient. I mean, there are more serious versions of this of course. But you are talking about fundamental threats, not just inconveniences?

HANSEN: Absolutely. I mean, I think it is very well said. And again, as you think about the areas of society and life that depend on the quality of the data, those are big questions. Those aren’t just conveniences anymore. Those are our lives.

KRISTOL: Yeah, it’s not just being able to get tickets to, what’s her name, Taylor Swift’s concerts because of whatever, Ticketmaster.

HANSEN: Exactly.

KRISTOL: That was a big topic of conversation. As you can tell, I’m kind of clueless. It took me a while to find out what they were talking about at some gathering recently, but.

HANSEN: Yeah. That’s good. Healthcare, travel, logistics, I mean, everything is underpinned by this at this point.

KRISTOL: Yeah. The way of everything working and production of food, actual fundamentals of survival and wellbeing, yeah. Royal, thank you very much for joining me today and taking the time. It’s really enlightening and interesting conversation.

HANSEN: Thank you. Thanks for having me.

KRISTOL: And thank you for joining us on CONVERSATIONS.