CCHS Cybersecurity Leadership Forum: FireEye CEO Kevin Mandia

On Thursday, June 28th, the Center for Cyber and Homeland Security (CCHS) welcomed FireEye CEO Kevin Mandia. FireEye is a cybersecurity company that specializes in countering state-sponsored and state-condoned cyber threats. With extensive experience in both the public and private sectors, Mr. Mandia sat down with CCHS Director Frank Cilluffo to discuss the state of cyber threats, cyber rules of engagement, deterrence, and the role of the private sector in countering cyber threats.

Cyber Threat Trends: One major change that Mr. Mandia has observed over time is in the number of threats and attacks. Since 2003, he explained, every major cybersecurity breach has been followed by a thorough FireEye assessment that characterizes the attack according to more than 650 criteria. Over the years, the catalogued results have been used to identify unique threat groups. Until 2010, only “about forty different threat groups” were identified. Today, however, there are approximately 9,000, of which only 10 to 20 pose a significant threat, in Mr. Mandia’s estimation. While the leading threat actors are not predictable, Mr. Mandia noted that no nation-state has deployed destructive, industrial control-system (ICS) malware against continental US utilities. He added that cyber activities reflect geopolitical tensions and conditions and, by extension, can serve as “early warnings and indicators of aggression.”

Rules of Engagement: While difficult to codify, Mr. Mandia explained that the leading cyber threat actors (North Korea, China, Iran, and Russia) have acted pursuant to geographically determined cyber rules of engagement, according to which neighboring states serve as “practice fields” for destructive cyberattacks. These same threat actors have particular engagement patterns for the United States; for example, they frequently target the U.S. defense industrial base and U.S. media. In the case of Russia, however, Mr. Mandia noted a 2015 change in that country’s rules of engagement, after years of previously predictable behavior. Specifically, the Russians changed their targeting, discontinued their counter-forensic activities, and began leaking classified documents.

Deterrence: One of the most critical, but challenging, aspects of cybersecurity today is deterrence. In this context, Mr. Mandia underscored the importance of attribution. With the proliferation of cyber actors, attribution is increasingly difficult, yet essential, for effective deterrence. Without attribution, policymakers cannot formulate a suitably proportional response that imposes risks and repercussions upon the attacker(s). Understanding one’s opponent is necessary in order to inflict tailored consequences that would actually deter that particular actor in the future. Put differently, and in the words of CCHS Director and event moderator Frank Cilluffo, the U.S. “can’t simply defend its way out of the problem.”

The Role of the Private Sector: The high percentage of U.S. critical infrastructure owned and operated by the private sector poses strategic vulnerabilities that necessitate concerted coordination and collaboration between the public and private sectors. Malicious actors could hack utilities with devastating results, as illustrated by the December 2015 Russian attacks against Ukrainian power grids.

While the private sector may play an invaluable role in intelligence collection and attribution, Mr. Mandia characterized the role of the private sector as “almost all defense.”

Mr. Mandia also reflected upon the state of the cybersecurity market, which he suggested is oversaturated. In his view, there are far too many cybersecurity companies, which compounds the coordination challenge. He believes that just ten cybersecurity companies would fulfill market demand effectively, and that this consolidation would provide higher quality security at lower cost. To optimize effectiveness, these companies must be willing to be on the frontlines, learn from what has happened in the past, and apply this knowledge to engineer cutting-edge cybersecurity solutions.

Audience Q&A: Mr. Mandia was asked his opinion on private companies retaliating, in the form of “hacking back,” after experiencing an attack. Mr. Mandia is opposed to this idea; he believes that this, in the end, creates more vulnerabilities. Consider, for instance, that a malicious actor will often attack multiple companies; if even one company responds by hacking back, then all of the targeted companies may be affected. Moreover, hacking back is not effective; it does not inflict that much pain on the attacker, as they have a lot less to lose than the targeted companies.

In closing, Mr. Mandia discussed the importance of securing one’s own information. He also encouraged continued research into cybersecurity, and emphasized the importance of offensive measures in order to keep the U.S., and especially its critical infrastructure, safe.

Summary prepared by Matthew Basista and Caroline Ritchey

Related Media:

Attribution of Cyber Attacks Is Critical to Deterrence -- GW Today

North Korea ‘hacking the hell out of Latin America’ -- Fifth Domain