HELLO FUTURE: Are We Under a Cyber Invasion?

Speaker 1 (00:07):
Is America under a cyber invasion? Our nation state actors
and sophisticated cyber groups already inside America's most critical networks?
And are they quietly mapping infrastructure, stealing data and preparing
for disruption? Hello Future, It's me keV. This is a
dispatch from the Digital Frontier. The planet is Earth, the
year is twenty twenty six, and my guest today is
someone who knows all about America's digital infrastructure and national security.
Her name is Leslie Beaver's. She is the former Acting
Department of War Chief Information Officer and she's had a
host of other titles and now she advises some incredibly
notable companies as well. She briefs policymakers currently in her
past as well, and she's had a fascinating career. So
General Beavers, can I.

Speaker 2 (00:58):
Call you Leslie lately?

Speaker 3 (01:00):
Well, thank you so much for being here.

Speaker 1 (01:02):
And you've really been like the Paul Revere of this
cyber invasion movement. When I caught one of your interviews
and have been following your career in recent months and
what you've been saying, I was like, I've got to
have Leslie on the show. I guess first and foremost,
before we talk about America being under a cyber invasion,
which you say we are, tell us what did you
do at the Pentagon and what do you do? How
for us folks who are not in your world, how
would you describe your job?

Speaker 2 (01:29):
I was fortunate to get to work on the interoperability
of our communications networks for the entire Department of War,
so across all the services, also out to our allies
and partners, and so making all of the satellite communications,
undersea cables, network it, cloud software, make all of that
work was part of my mandate in the CIO job.

Speaker 1 (01:57):
Well, that's like a huge responsibility because I can barely
get my Apple Watch to sync with my treadmill when
I'm doing my run in the morning, and to have
to use all of these different technology systems, I mean,
it sounds incredibly complicated. And then I caught an interview
of yours where you were saying, America's under a cyber invasion?

Speaker 3 (02:14):
What do you mean by that?

Speaker 2 (02:15):
Yeah, let's talk about that a little bit. Because cybersecurity
was something that I had tangentially been aware of until
I went into the Chief Information Officer role. And then
it seemed like every day I was getting hit by
another breach and another attack. It surprised me and it
probably shouldn't have. But since then I've come to realize
we are actually under a sustained cyber invasion. So let's
peel the onion on that a little bit. Let's talk
about what actually is an invasion. From a military perspective,
it's considered like the forceful entry of armed forces into
a territory controlled by others. But what does that mean
in the cyberspace. In the cyberspace, it's really an intrusion
that follows along the cyber kill chain. And when I
talk about the cyber kill chain, I'm talking about the reconnaissance,
the which is scouting the networks and looking for the
weak points. Then the exploitation, in other words, using those
weak points to gain some access, and then changing things
within the network so that you get to hang around
and can maintain your access over time. And then also,
and this is kind of a really important piece, is Okay,
you get into one device now being able to move
to other devices on that same network and then either
expel trait data or be prepared to execute some kind
of a malicious act like ransomware or something like that.

Speaker 3 (03:43):
The Chinese Commonist Party, the Russians, who else.

Speaker 2 (03:45):
The normal sophisticated actors in this space. The Chinese, the Russians,
the Iranians, and the North Koreans are very active in
cyberspace in exploiting weaknesses in our networks and pulling out
data or stealing cryptocurrency, doing all kinds of nefarious activities,
and you hear about it from time to time when
news breaks about like salt typhoon and our telecommunications networks,
fault typhoon in our critical infrastructure networks, that's what we're
talking about. And then you get you know, individual companies
have been hit. There was a very famous one at
sony years ago from the North Koreans where they compromised
their email system and it was very embarrassing. So this
has been going on for years.

Speaker 1 (04:33):
So that's what I don't think people are realizing. And
we hear about these spasms of hacks or whatnot every
now and then, but you're saying, this is a sustained,
organized cyber invasion by America's adversaries. And what I guess,
I as just resident average Joe trying to figure out
if the Chinese Communist Party was going to Wall Street
and sending you know, human beings to Wall Street to
rob a bank. That would warrant a very strong that
would be a physical attack on a brick and mortar,
to use Layman's terms. But because they're doing it in
the cyber domain and wreaking havoc, why aren't we defending
ourselves in a in a stronger way. I mean, we
have the strongest military in the world, and small businesses,
which I think are even more exposed than even some
of the big businesses. They're really on the front lines
of this cyber invasion.

Speaker 2 (05:35):
They absolutely are on the front lines of the cyber invasion.
We're losing about one hundred million dollars a day in
intellectual property rights and data from our networks. But it's
kind of in pieces, and it has so far remained
largely under the radar because when something like this happens,
companies are very reticent to share the information that they
have been hacked or breached or lost something. And it's
also happening in kind of little parts all over our network,
and our approach to cybersecurity has been to defend at
the perimeter and not pay attention to what is happening
within our networks, within our companies, and that's what's changing.
And the zero trust push that the Department of War
has been leading is largely responsible for that, and that
setting up your network with the zero trust principles enables
you to monitor what's going on in your network and
keep track of anomalist activity and find these cyber invaders.

Speaker 1 (06:44):
So what is the zero trust prints? Were you called
it the zero Trust Principles.

Speaker 2 (06:48):
Yeah, it's that there are one hundred and fifty two
different capabilities activities within seven pillars that are defined by
the Department of War, and they do things like making
sure that you you know your identity credentials and access management,
that you are logging, that you are actively reviewing those
logs and responding. So there's a whole series of activities
that have been defined and then based on your individual network,
you need to implement some to all. The Department of
War is going to be zero trust by FY twenty
seven at the target level, which is I think ninety
two of those capabilities or ninety one out.

Speaker 3 (07:32):
That's just for government, right.

Speaker 2 (07:34):
Right, that's for the Department of War, the federal government
where you're seeing this show up in the commercial world
is known as CMMC, the Cybersecurity Maturity Model Certification, and
that is the requirement that has been around for I
think fifteen or more years to if you're going to
be doing work with federal contracting information or contry rolled
unclassified information, you are required as a company to meet
the NIST eight hundred, one seventy one and one seventy
two requirements, depending on the level so pieces of those.
It's recently that that CMMC rule went into effect, and
that means that now is that clause saying you must
do this and we will check you is in the
contracts that get made with the government. But let me
add one thing here. That's just for a federal government.
But you are seeing coming out of the latest administration
notifications about activities that individuals should be taking, for instance,
getting routers out of your home networks that are foreign made.
Pay attention to those.

Speaker 1 (08:48):
And by the way, you've worked for Democrats and Republicans
and you're these are non partiesan policies that you're explaining.
You know, I covered when I was at Blomberg. Previously
was at Politico and other DC Beltway publicas before founding
meet the future MTF dot TV, and I remember covering
specifically Dodd Frank implementation and stress tests for banks and
the capital requirements that financial institutions following the two thousand
and eight financial collapse that they had to have. You know,
they call them stress tests and the banks are going
to be This is if you remember, folks, after Too
Big to Fail and that whole thing.

Speaker 3 (09:25):
What I'm hearing you call for, and I know you.

Speaker 1 (09:28):
And we've spoken offline before this interview, is if you've
really been a champion of creating some type of cyber
invasion defense commission that would be able to better prepare
small businesses, big businesses, and government as well. Do you
think that's where all of this is headed. How important
is that that America really create a framework to navigate
not just for government but for everyone. I mean, really
doesn't seem like it's in our culture zeitgeist to really
understand that we are under a sustained cyber invasion. And this, Folks,
is according to the acting CIO of the Pentagon who
just retired in December.

Speaker 2 (10:09):
Yes, absolutely, it's imperative that we as a society come
together and have a national led defense against this orchestrated
attack that we are under this invasion. It really needs
to be led I think, out of the federal government
with Congress on board, bipartisan, and you need to have
a very active participation by the commercial industry as well
to orchestrate because there are a lot of people that
know this is a really big problem and they're doing
a lot of good work. What our challenge is there
are without that national response and orchestration, you get seams
and gaps in our defenses. And when you have a
very sophisticated and orchestrated adversary, they find those seams and
gaps and pick us apart at our weakest links. And
so we need to I think, adopt the approach that
we're going to defend our networks all the way out
to the edge of the network and not wait to
defend until you get to the last door, before you
get into a small company or a medium company, because
it's even I think unreasonable to expect large companies to
defend themselves against an organized nation state.

Speaker 1 (11:34):
So the final question for you, why is it important
to have a cyber Invasion Defense Commission?

Speaker 2 (11:40):
Because you need somebody to pull together all of the
cyber assets that are working this problem, their authorities, and
the resources associated with Define the boundaries where are we
going to extend our defenses to It is at the
cable landing points that in our access points. What are
the boundaries? Figure out who's doing what, where and with what?
Identify within those boundaries, and then identify the gaps and
seams close and figure out the plan to close them
and put together the implementation plan for changing policy, changing authorities,
moving budgets, doing whatever they need to do to close
those gaps and seams, and then track that through to completion.

Speaker 1 (12:27):
Thank you so much for showing up to Meet the Future,
and remember folks, you can listen to all of the
latest Hello Future episodes on your iHeartMedia app and be
sure to check out where we post on our website
at MTF dot tv