Valerie Plame: U.S. government cyberdefense must be improved

Former CIA officer Valerie Plame discusses why America's cyberdefense is lagging behind -- and what the government and private sector should do to reverse the trend.

Former CIA officer Valerie Plame believes the U.S. government hasn't done enough to prioritize cyberdefense, and that Americans could soon be paying the price for that decision.

Plame, who worked for the CIA for nearly 20 years, specialized in preventing the proliferation of nuclear weapons and other weapons of mass destruction.

She spoke about the dangers of cyberattacks and nation-state hacking at the recent Cloud Identity Summit in Chicago. Plame called out both the lack of focus on cyberdefense within the U.S. government, which she said has traditionally concentrated on cyberoffensive operations and capabilities, and the increased aggression from enemy nations.

While the problem may seem insurmountable given the size of the federal government, Plame talked with SearchSecurity about how to solve the issue, and why the public sector should let the private sector lead when it comes to infosec. She also spoke about how the threat landscape has changed, and shared her views on the allegations of Russian election hacking.

Here are excerpts of the conversation with Plame.

It seems like the U.S. government is very good at cyberoffensive operations, but not great at cyberdefense. Why is that?

Plame: We're not good at cyberdefense, no. We've been fixated on how we can use it for our own national security prerogatives, but we're definitely playing catch up on defense.

In this case, the tip of the spear is Silicon Valley; it is not Fort Meade [the National Security Agency's headquarters]. So I've made the argument that the government needs to be supporting the private industry in cybersecurity much more robustly.

Silicon Valley doesn't need directives from the Department of Homeland Security or other agencies. It should be the complete inverse; those agencies need to be supportive of what the private sector is doing, which is way more efficient and effective than the government.

That relationship between the government and the private sector has been a bit rocky lately. There's been some sharing of threat intelligence between the public and private sector, but it doesn't seem like that's caught on as much as it should.

Plame: We're going to have to get a lot better -- and when I say we, I mean the government -- at leveraging the incredible resource of threat intelligence that we have in our private industry, and not do a top-down diktat, because that's just not going to work. And it won't work for several reasons.

One reason is, if you're really good in this field, you're probably not working for the government. And I don't mean to disparage the people that do -- there are a lot of good people working at the NSA, but you can make way more money working in the private sector, and that's where a lot of them go.

So I'd like to see the inverse of what we currently see, and have the private sector be the supported party rather than the supporting party.

Then is the problem with the government's defensive cybersecurity posture that it doesn't have enough talent or skills? Or is the problem more about strategy and bureaucratic red tape?

Plame: It's probably a bit of both. We've been so focused in the U.S. government, over the last decade at least, on cyberoffense for military and intelligence operations. And we're human; there's only a limited amount of resources, and if you're spending a lot of time on offense, then you won't have as much for defense. But it's not just the government.

It's still stunning to me, in this day and age, how corporate America is still so lax and naïve about cybersecurity. We see almost every week a major new data breach, and yet, a lot of companies still think to themselves, 'Oh, we'll never get hacked. It won't happen to us.' They think they're not targets and that hackers don't care about them, but that's the wrong way to think about this.

I'm on the board of directors for a couple nonprofits, and there's still some of that thinking. They think that because they're a charity that saves children in Africa that no one would want to hack them. But the donors' information is precious.

They may be a low-value target, but if a hacker gets into their network and starts putting all the pieces together about their private donors, then why would they ever give us one more penny? I've been banging the table on this for a while, and they've set up some task forces for cybersecurity, so they're really beginning to understand [the risks].

Do you think the threat landscape has changed in that regard? Instead of hacking into an organization to steal money, it seems attackers are more interested in the actual data and information they can obtain.

Plame: Absolutely. Just ask John Podesta. The hackers could have cared less about his credit card number. They just needed to be John Podesta for a day. And it worked.

If what we assume is true about Russia and the election interference, and that the Russian government has infiltrated [the Trump administration], that's far more valuable in the long run than breaking into a bank and stealing millions of dollars.

What do you think about the Russian hacking allegations from the intelligence community?

Plame: I still have some questions. I'm in a lot of chat rooms with former intelligence colleagues, and there are a lot of them that aren't totally convinced it was the Russian government. There are people that feel it hasn't been proven yet, that we only have the intelligence community telling us it was Russia, and they don't totally believe the intelligence community.

Are you skeptical of the claims of the intelligence community? For example, at one point [former FBI Director James] Comey testified that the signs to Russia were fairly obvious, and that the attackers didn't seem to care that we knew what they were doing.

Plame: Sure, there's Fancy Bear and other signs. There's two ways of looking at it. The first is, if it walks like a duck and talks like a duck, then it's a duck. Then there's another theory that questions if it's too obvious. This is the challenge.

I have a little bit of background in this, but I'm a private citizen, and I have no way of knowing who in the NSA or CIA is sitting down and tracing this back and coming to the intelligence conclusion that Fancy Bear really is linked to Russian GRUs [Russia's Main Intelligence Directorate]. I can't evaluate that, so it's really hard.

I think it probably was Russia behind these hacks, but I'd like to see more evidence.

When you see what's happening today with nation-state cyberattacks, do you think threat actors are becoming more brazen, and that attacks will escalate?

Plame: Definitely. They're more audacious. I'm surprised we haven't seen terrorist organizations take more advantage of cyberattacks. But I definitely think we've seen nation-state cyberattacks ratcheting up with really aggressive action, whether it's North Korea, China or Russia.

In light of that, what should be done to improve the U.S. government's cyberdefense?

Plame: I think it starts at the very top, where the government recognizes that we do not have the capacity to react as quickly as we need to. I'm sure there are many, many task forces, but it will take that kind of strategic thinking to turn the usual order of things around and put more focus on cyberdefense [instead of offense].

If you're the head of the NSA or head of the U.S. Cyber Command, you need someone above you to say, 'You need to relinquish some power.' And that's hard because you always want more money, more people and more power. You need the President to direct those things. And, unfortunately, this White House has zero strategic thought going into this issue.
