Jeh Johnson: Critical infrastructure security “needs to be a focus for CEOs”

With attention fixed on the national security policies of President-elect Biden’s cabinet nominations, it's worth revisiting insights from a podcast interview with Jeh Johnson, 4th US Secretary of Homeland Security. Jeremy Davis spoke with Secretary Johnson soon after he rejoined the private sector in 2018. The discussion was wide-ranging, covering global risks and cybersecurity cooperation.


Johnson was seen as a strong candidate for a senior cabinet role in the Biden administration, although he told news outlets in December that he will not join the administration. His comments shed some light on the incoming administration’s approach to cybersecurity and national security. Johnson’s former deputy secretary at the Department of Homeland Security, Alejandro Mayorkas, was nominated to lead the agency as the 6th Secretary of Homeland Security.


Several comments from the conversation stand out in light of recent developments. Johnson highlighted prioritization in the private sector and government sector. He warned that critical infrastructure needs to be a primary focus for the CEO, not only the chief security officer. Budgeting for critical infrastructure security must be a central part of how executives “protect shareholder value” and protect “business information and assets.”


Below is the transcript of the interview, slightly edited for length and clarity.



Thank you for joining us. Let's just jump right into it. The world is a more complex risk landscape than we have seen in previous recent years and there's a lot to talk about. Risk professionals have primarily traditionally focused on financial, regulatory and quantitative model risks among others. It's fair to say that the risks that we face are far more complex and involve many of the other aspects that you've been concerned with at Homeland Security, including geopolitical risk, cybersecurity risk, socioeconomic, and there are many risks. We would be interested to hear your perspectives on how you evaluated this complex risk landscape during your tenure.


You are correct, that the world is a more complex environment in terms of risk and risk assessment and let me focus on two things in particular. One is counterterrorism and the other one is cyber security. I came to the Department of Homeland Security in 2013 with a counterterrorism orientation due to my experience as General Counsel of Department of Defense prior to that. I spent a lot of time assessing our counterterrorism capabilities and giving the legal sign off for a lot of the US military's counterterrorism operations. When I came to DHS, this was my orientation. I quickly learned that cybersecurity needed to be the other cornerstone of the department's mission.


We like to say counterterrorism is the cornerstone of the Department of Homeland Security's mission, I said publicly, and still believe that cyber security needs to be the other cornerstone. In terms of the terrorist threat, our military, along with an international coalition has done, in my judgment, a spectacular job , an outstanding job of effectively defeating ISIS as self-declared Caliphate in Iraq and Syria, and seriously degrading their ability to launch any type of serious terrorist attack on our country of the type that I will refer to as a terrorist-directed attack of the style of a 9/11 where leaders and operatives overseas, hatch something up, send operatives to the United States, get them across our borders to commit a large-scale attack ISIS’s ability to conduct such attacks has been seriously degraded. However, we now live in an environment of what I refer to as terrorist-inspired attacks where a so-called lone wolf actor will become inspired by something that they see or read on the internet.


To take an example, Anwar Al Awlaqi, who was probably the most visible member of al-Qaeda in the Arabian Peninsula, was killed by a drone strike September 30, 2011. But Awlaqi’s inspiration lives on, on the internet. Since 2011, terrorists still cite Him as their inspiration for attempting to carry out attacks, attacks by lone wolf actors who self-radicalized in secret and who very often grow up here and not born here in the homeland make for a more complex security environment. These types of self-radicalized smaller-scale attacks, whether it's with a gun, or a vehicle, or a pressure cooker bomb made from components that are lawfully obtained is very random, can occur as we've seen in places like the West Side Highway, West 23rd Street, that was an attempted bombing in September 2016, Chattanooga Tennessee garland city, Texas, Orlando, San Bernardino, makes for a more complicated environment requires a whole of government, state, federal and local law enforcement approach and we're challenged in this area and it requires a less than traditional approach.


Now on the cybersecurity front, my assessment is that the cyber threat to our nation will get worse before it gets better. We have yet to turn the corner when it comes to addressing and responding to cyber threats that cyber actors are increasingly aggressive, and ingenious, and tenacious and those of us on defense struggle to keep up. We had a serious wakeup call with the Russian government's attempt to interfere with our 2016 election that exposed the vulnerability of political organizations to the hacking of their private communications. But it also more significantly exposed the vulnerability of our election infrastructure in our states to hacks and unwanted exfiltration of voter registration data and we therefore need a national as well as a state-level response to protect our cyber security of election infrastructure.


Just before I left office in January 2017, under the authority I had as Secretary of Homeland Security, I declared election infrastructure in this country to be critical infrastructure, which prioritizes election infrastructure for DHS’s cyber security help and that is obviously an effort that has to continue, especially now that we're in the year of a midterm election again. So I hope I've answered your question.


You certainly have. You discussed several aspects related to the international coalition initially related to military operations through your work as General Counsel at the Department of Defense. You also were involved in similar Coalition's related to cyber security at DHS. Your team at the Department of Homeland Security was involved in discussions that led to cyber security agreements with many of our allies and partners. I believe that DHS was involved in discussions between the US and South Korea, Cuba, Japan, Israel to name a few. In many ways you really embody President Obama's signature consensus-building approach, especially related to your involvement with cyber security agreements. When we look at these international partnerships, there are many countries that we have some allied interests and some areas where the relationship is more complex. What was your approach in prioritizing how best to build these the most effective agreements without opening up issues related to privacy or other risks?


When I was secretary, I was impressed by the number of my counterparts in other nations, very often, the Minister of security or Minister of the Interior of another nation that would ask us about cyber security and ask for ways in which we could cooperate more effectively in cyber security. That reflects the increasing interconnectedness of the global cyber security that I think we need to have. We did reach agreements with a number of other nations on cooperation in matters of cyber security and matters of law enforcement in cyber security.


I think the proper approach is to accept that when you're dealing with another nation, particularly another superpower, there are just going to be some areas of cyber security where you're not going to be able to cooperate and you're going to have to agree to disagree, that does not mean that there should be no level of cooperation, and that there are areas where we can cooperate and the best example, I can think of is China. In September 2015, after extensive and fairly intense negotiations between myself others at the State Department and certainly people at the White House, we reached an agreement with senior most officials in the Chinese government that the Chinese government would adhere to one of the cyber security norms and not attack commercial infrastructure for commercial gain in cyberspace. Our assessment, both in the private sector and from my government experience is that the Chinese government has largely dialed back on that level of activity with that motive, though, one never can be sure completely. Maybe they are masking it better. But our general assessment is that we've seen a decrease in that type of activity since we made that agreement with them, which I think has worked to the benefit of a lot of companies globally.


We reached that agreement, because President Xi was about to arrive in the United States for a state visit and it was right on the heels of the OPM attack, which was a topic of discussion with them. I cannot get into the details. But both those circumstances created an environment where we found an area with the Chinese government in which we could agree and we did agree on something and that's an example of how large, powerful nations can cooperate on cyber security and since then, I believe it is also the case that we have cooperated with the Chinese government on matters of law enforcement in cyberspace.


We have seen a significant decline in state-sponsored hacking from China against the private sector now, which I think everyone would agree is very good news and perhaps it's unrealistic to initially focus on everything. China certainly had a very robust hacking network.


We should also point out that large nation-states have a very powerful and increasingly effective cyber hacking capability. That is, however, not the exclusion of other actors out there, whether they're criminal hacktivists that engage in ransomware. Across the spectrum, we're seeing an increasing level of aggressiveness and ingenuity, not limited to just nation states. We have to be aware of that and privy to it.


I believe Kaspersky knew that sometime after the US China agreement, they saw that there is an increase in Chinese hacking activity against Russia, following the US-China cyber agreement, an interesting indication that China may have refocused their targets.


I couldn't comment on that.


Secretary Johnson, you mentioned Russia. There was a brief period in 2016, where it appeared that renewed collaboration between the US and China in terms of cyber security interests was possible. There is an announcement that there would be a meeting between officials from both countries in April 2016, it appears that those conversations either didn't happen, or did not progress fully.


With the Russians?


Correct, with the Russians. Hindsight is interesting. Was there anything that could have moved us in a different direction from the situation that we currently find ourselves in? Or at that time had the Russians already decided on their course of action?


That's an interesting question. I would say this, and this is a matter of public record. Vladimir Putin's bias against candidate Clinton goes back a long period of time and what we saw in 2016 was an attempt to interfere with our election that seemed to have a range of motives. On one hand, one could say that was an attempt to discredit her inevitable victory. People are looking at the polls and discredit her presidency once she was elected. But on the other hand, when the polls got closer, perhaps the Russian government thought they could put their thumb on the scale in and tip the election. One will never really know without a study by a social scientist, and a pollster, whether that actually happened through an influence campaign. But it did seem that the motives and the biases were long-standing and vary from time to time.


By late summer, early fall, we became convinced that the Russian government was behind this activity and we had to say something to the public before the election, about what we saw and so the DNI and I issued that statement on October 7, 2016. Attributing that activity to the Russian government in pretty blunt and enforceable, in terms that were plainspoken, kind of uncommon for the intelligence community. But we felt it was something we had to do and frankly, it's up to the Trump administration, the new government in place to follow through and a lot of the sanctions we put in place, and a lot of the steps we took after the election, before we in the Obama administration left office, and so there has to be a lot of follow through there, especially now we're in the year of a midterm election, and the next presidential election approaches.


You have been very outspoken about the need to address America's vulnerable election infrastructure following the Russian interference campaign. On that note, many cyber security experts have warned that Russia's interference and hacking campaign and release of sensitive documents was effectively the canary in the coal mine.


The way that I put it is this. In 2012, Secretary of Defense Leon Panetta had a speech he gave at the intrepid right here in New York City and I remember he said that there assume that'll be a “cyber-Pearl Harbor”. That may have occurred in 2016 with the interference in our election. I'm not sure we yet know the full effects of the Russian campaign there and at this point, nothing further would surprise me. So that's the way I think of this. There are vulnerabilities in our election infrastructure. That's what the scanning and probing around voter registration databases reveals, a lot of that stuff exists online, it exists on the internet, and it is capable of intrusion and so my hope is that states are addressing this problem. The systems and the processes they have in place all vary from state to state, and sometimes even county to county. I'm hoping at the state level with federal assistance, they are addressing this problem. 2016 wherever you want to characterize it, the canary in the coal mine, the wakeup call, cyber-Pearl Harbor was a very serious series of events.


It was and in addition to be the grave concerns to democratic process, I believe that the use of canary in the coal mine is another concern as well and there is a concern that the same tactics that have been used in or that appear to have been used in a political campaign may soon or have already, but not necessarily publicly, be used against the private sector.


Well, there are hacks in the private sector all the time, virtually every day as we speak and it's the case that it could be a period of months before a private sector actor, a large company, a large bank, discovers that they've been infiltrated and it's very often the case also, that companies will discover the infiltration, but then not discover the exfiltration until months later, even after they've got a cyber security expert. Forensically the exfiltration could occur even after that. The other point I want to convey here is that given our electoral college, and the way it works, where it's a state by state count of electors, and given our politics where in selecting a president only a few states matter, the results of our elections for president dance on the head of a pin and depend upon what happens in swing precincts in swing states, which means probably a small percentage, if not a fraction of a percentage of voters make the difference in an election and so knowing that, it’s not hard to pinpoint what precincts in what states we're talking about.


Someone could target those precincts to do something to alter a ballot count or to suppress votes. The writers of the TV show House of Cards figured that out last season, you can tell I watch House of Cards, and so wouldn't be that hard for a bad cyber act to do the same and we're not just talking about cyber matters either. You can go beyond that context, given the nature of our politics.


What are the takeaways be that you would recommend to risk professionals as they take an active part In taking about these issues and raising concerns,


I have two recommendations. What I've learned from my experience as Secretary of Homeland Security; person responsible for the homeland security of this nation, that there is a full range of threats and potential hazards and there's always somebody out there who's focused on one or two threats, in particular, who wants to know why you're not doing more to address that particular threat, you have to categorize threats into threats that are high probability, versus low probability and high impact versus low impact. Very often a threat can be high impact, but low probability and then a threat could be high probability. But lower impact like a random shooting, for example. High impact would be a 9/11, for example, or a potential dirty bomb somewhere or the release of some type of chemical weapons. So when I was at office, various people that approached me, what are you doing about this particular threat? And the answer to all of this is you simply have to prioritize in where your focus is and the way to focus and the way to prioritize is to put things in these categories. What is high probability, lower probability? And what are high impact and lower impact and make judgments around budgets, and how you spend your time, accordingly. So that's number one.


Number two, when we're talking about cyber security, and we're talking about critical infrastructure, like election infrastructure. This needs to be a national priority with a national campaign, and a national spokesperson in Washington, leading that effort. So that's number one. Number two, we need to budget both in the private sector, and the government sector around critical infrastructure. This needs to be something for the CEO, and not just the chief security officer, the CIO focus on. This needs to be something for the CEO of a business or a government agency to focus on and make it a central part of how, if you're in the private sector, you protect shareholder value, you protect your workforce, and you protect the information and the assets that you have of your business. As I said before, the cyber threat to our country and to private sector is going to get worse before it gets better. We have yet to turn the corner.


Secretary Johnson, we begin this discussion by speaking about your involvement in international cyber security initiatives or international initiatives and agreements on many fronts, including cyber security. How has your return to the private sector shifted your focus on international agreements?


Let me answer that question this way. When I was growing up as a lawyer, most of my private practice career has been as a litigator and a trial lawyer, now that I've had the experience I've had in public office, and I've returned to the private sector. Everybody wants to know about cyber security. That's issue number one of the day. In this environment, particularly in financial services and in high tech, everyone wants to know about cyber security, everyone is anxious for good cyber security advice, which very often includes advice from lawyers, because of the regulatory aspects of it, because of the disclosure aspects of it and because our advice is protected by the attorney client privilege and so, at this law firm, Paul Weiss, we have developed a cyber security practice, which I think is terrific. I have been very engaged with a number of clients advising them on, how to strengthen their cyber security and how to assess cyber threats and how to respond to cyber-attacks and that's pretty much what I do most of the time now in my private life in this law firm.


Do you see potential for industry groups or for other international bodies to create a sea change through cooperation in terms of cyber-preparedness and risk-preparedness?


Yes, even among the most sophisticated firms, businesses, banks, that have spent hundreds of millions of dollars on cyber security, we all benefit from information sharing, so that we are all aware of the larger global threat environment. When I was Secretary of Homeland Security, it was something that I encouraged in the private sector. We established in DHS something thing called automated information sharing so that we could share information much faster while taking accountability, privacy concerns. We work with Congress to strengthen that ability through the Cybersecurity Act of 2015 and it's something that needs to continue, and it doesn't necessarily have to occur involving the federal government. Through information sharing organizations, companies in the private sector can share information. I think it's something we all benefit from.


Thank you, Secretary. It has been a pleasure speaking with you.


Thank you very much. My pleasure.