Countering Ransomware, CISA 2015, and Active Cyber Defense with Cynthia Kaiser
Season 2 Episode 35 •Show Notes
Overview
Cybersecurity threats are growing more complex as ransomware gangs, nation-states, and criminal networks converge. In this episode, Frank Cilluffo speaks with Cynthia Kaiser, senior vice president at Halcyon and former deputy assistant director for cyber at the FBI. They discuss the looming risk if Congress fails to reauthorize the Cybersecurity Information Sharing Act of 2015, the evolution of ransomware as both a business model and geopolitical weapon, and how industry must play a bigger role in active defense. Kaiser also explains the indiscriminate reach of Chinese espionage campaigns and the urgent need to define national red lines in cyberspace. Together, they outline why collaboration, innovation, and trust are essential to future cyber resilience.
Main Topics Covered
- Halcyon Ransomware Research Center launch
- FBI lessons from major takedowns
- Cybersecurity Information Sharing Act stakes
- Ransomware and nation-state espionage
- Active defense and industry roles
- Balancing disclosure and attribution
- FBI of tomorrow and AI
- Red lines in cyberspace
Key Quotes
“If CISA 2015 lapses, companies may be less inclined or may be less able to share information with the government… And then America would be in the dark.” – Cynthia Kaiser (~07:37)
“There’s not one action that’s going to stop Putin from cybering… And industry has such a critical role.” – Cynthia Kaiser (~11:04)
“As a mom… the Chinese government now has information about who [kids] called, where they were, how long the call was… It really shows that the Chinese government is indiscriminate.” – Cynthia Kaiser (~22:45)
“[Ransomware is] an ecosystem of businesses… And so broadening and being able to conduct more of these proactive active defense operations against criminal groups would have a really great effect.” – Cynthia Kaiser (~16:02)
“[Washington] should really just be asking ‘What are our red lines today, and have we already gone over them?'” – Cynthia Kaiser (~32:16)
Relevant Links and Resources
- Halcyon Ransomware Research Center
- Fortune op-ed: Cynthia Kaiser on CISA 2015 reauthorization
- Recent Salt Typhoon joint advisory
Guest Bio
Cynthia Kaiser is the Senior Vice President of Halcyon’s Ransomware Research Center and former Deputy Assistant Director of the FBI’s Cyber Division. She led cyber policy, intelligence, and engagement efforts at the Bureau and played a key role in disrupting major ransomware groups like LockBit and Qakbot.
Transcript
1
00:00:00,000 –> 00:00:01,000
Cynthia Kaiser [00:00:00]: As A Mom, your 13 year olds and 11 year olds who might be just getting their cell phone, the Chinese government now has information about who they called, where they were, how long the call was. And it’s to me, just a far, far beyond spy versus spy. It really shows that the Chinese government is indiscriminate.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:23]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with Cynthia Kaiser. Cynthia is a senior vice president at Halcyon, where she runs a new Ransomware Research Center and spent 20 years in law enforcement, including in her last role as deputy assistant director for all things cyber at FBI. Longtime champion on these issues and really excited to sit down with Cynthia today. Cynthia, thanks for joining us.
3
00:00:02,000 –> 00:00:03,000
Cynthia Kaiser [00:00:59]: Thank you. I’m excited about our conversation.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:01:01]: No, likewise. And I’ve been a fan of your work for a long time and we’ve had the opportunity to work in different environments. So excited to see you now in another role. So I thought I’d start with sort of where you are in terms of the Ransomware Research Center, what your intentions are, what the mission is, and a little bit about Halcyon.
5
00:00:04,000 –> 00:00:05,000
Cynthia Kaiser [00:01:21]: Great. I’m so excited about launching this Ransomware Research Center where really Halcyon CEO contacted me to say we really need a place where we can unite experts and defenders together to bring the best information we can on ransomware. There’s so many different actors out there. A lot of these nation states get focus, but ransomware is what’s actually affecting people every day, like their small businesses, large businesses that everyday people frequent. It’s what we all kind of experience in terms of cyber attacks. And so I was really excited to come on and build out that vision. So while we’re still building, we’ve had a lot of interest, especially across startup community.
6
00:00:05,000 –> 00:00:06,000
Cynthia Kaiser [00:02:09]: How can we take some of the niche information across startups, put it all together to put out good information and new information about ransomware? But I don’t want to just do new. I think the basics are so important and we often overlook that as cyber threat analysts because it’s really fun to dive deep. Exactly, it’s really fun. But what people need, what prosecutors need, what policymakers need, what CEOs need, is to be able to find, what does this mean? Where can I find a comprehensive list of all the threat actors and what their tactics are? And then what I’m also very excited about is not just doing the threat intelligence, but developing policy options, thinking about what we’re learning, and then working with people like you and your institute and just across the spectrum to be able to put out how we can make it all better.
7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:03:05]: Awesome.
8
00:00:07,000 –> 00:00:08,000
Cynthia Kaiser [00:03:06]: Yeah. And you know, Halcyon, just as a backup, it’s an anti ransomware platform. When I first look at the technology, it looked like magic to me. But it stops ransomware, right? It’s a technical way to like continue that mission that I had at the FBI to stop ransomware.
9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:03:20]: And I’m sure you had a number of lessons and scar tissue from the Bureau, and there’ve been some great initiatives, but, and I think you are central in a number of those, whether it’s Lockbit or Quackbot or you name it. But at the end of the day, the ability to scale, that’s hard, right?
10
00:00:09,000 –> 00:00:10,000
Cynthia Kaiser [00:03:39]: It is, it’s hard. And you need industry. So I’m excited to kind of develop that from the industry side and I’m also excited to take some of those lessons learned from the government. I was part of FBI Cyber when if we had information to send out to Net defenders, FBI sent its own report, maybe DHS, it wasn’t CISA yet, right, sent out its own. Maybe NSA did too. And it’s confusing for Net Defenders. And it’s kind of crazy to think that we were in that world like six, seven years ago and now it’s just commonplace that we have these joint advisories, like for comprehensive, putting it out with one voice, like, gosh, wouldn’t it be great if we could get there with a lot of the ransomware intelligence on the private sector side as well?
11
00:00:10,000 –> 00:00:11,000
Frank Cilluffo [00:04:25]: And we’re going to talk about some of the new joint advisories in a little bit because more logos, more countries, also greater risk, which is being both acknowledged, recognized and exploited. But before we do that, I want to talk a little bit about the Cybersecurity Information Sharing Act of 2015. You’ve written eloquently on this in Fortune, if I’m not mistaken, and had a strong op ed. In some ways that would set us back to your pre, it would set us back 10 years. The threat has certainly gotten much more significant than it was in 2015. What would the implications be if CISA 2015 and whatever it is renamed is not reauthorized? What are the consequences there?
12
00:00:11,000 –> 00:00:12,000
Cynthia Kaiser [00:05:15]: I mean, ultimately it would be more cyber attacks against more companies and probably the companies that have, or businesses that have less resources. So the ones that are in your community on your main streets. Really what it comes down to is if CISA 2015 lapses, companies may be less inclined or may be less able to share information with the government if they’re having an issue. And industry is also less able to share with each other for fear of antitrust. So, you know, it’s interesting to think through some of the examples that are really great examples for.
13
00:00:12,000 –> 00:00:13,000
Frank Cilluffo [00:05:57]: I’d love for you to pull a thread on some of those.
14
00:00:13,000 –> 00:00:14,000
Cynthia Kaiser [00:06:00]: So let’s go to Salt Typhoon. Very recent. Everybody’s thinking about that. When the FBI approached various companies to tell them, hey, you’re a victim, or hey, something’s wrong, there were certain companies especially that reacted really exactly how we’d want them to react. So even though they had problems, even though the actors got in, they did everything right afterwards. They were really open with the FBI. They provided information needed. They worked with us to identify the actual victims to enable the notification of victims on the politician side or really public official side where they’re actually stealing their content down to making it everyone aware that there was just a huge trove of data on millions of Americans also stolen.
15
00:00:14,000 –> 00:00:15,000
Cynthia Kaiser [00:06:55]: I thought about that a lot when I was considering the implications of CISA 2015. I’ve spoken with outside breach counsels, so the lawyers that are brought in after an incident occurs, and they’ve told me that if CISA 2015 lapses, they have to likely change their advice to victims about their engagement with the federal government. It changes the risk of engaging with the federal government. It increases the liability risk. And that in turn likely will mean less companies are actually reporting information. So think about that in the Salt Typhoon context. Right?
16
00:00:15,000 –> 00:00:16,000
Cynthia Kaiser [00:07:37]: We maybe, maybe we wouldn’t have known everything we knew.
17
00:00:16,000 –> 00:00:17,000
Frank Cilluffo [00:07:38]: It would have had a chilling effect. Yeah.
18
00:00:17,000 –> 00:00:18,000
Cynthia Kaiser [00:07:41]: Exactly. And then America would be in the dark.
19
00:00:18,000 –> 00:00:19,000
Frank Cilluffo [00:07:43]: And that’s a great point. So it’s tough to disprove double negatives, but at the end of the day, we can’t go back to further isolating this information. And the magic really is between public private, not in a genuine, in the general partnership sense we talk, but if trust isn’t there, nothing else matters. Right? I mean, and I think this would have significant implications on trust.
20
00:00:19,000 –> 00:00:20,000
Cynthia Kaiser [00:08:13]: Exactly. And if the government doesn’t get that information in, they can’t warn others. Right. I used to tell companies all the time, if we don’t hear from others, we can’t warn you. And if we don’t hear from you, we can’t warn others. So there might be some companies that can pay for the exquisite technology information and they’ll be okay for a little bit, but even that’s gonna deteriorate over time, and we’re really gonna see just so much more activity from cyber actors on these networks that because defenders can’t defend.
21
00:00:20,000 –> 00:00:21,000
Frank Cilluffo [00:08:47]: And downstream, even customers. Right? They’ll be the ones most directly impacted, not just the owner operator, but the end user. So it touches everyone.
22
00:00:21,000 –> 00:00:22,000
Cynthia Kaiser [00:08:59]: Absolutely.
23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo [00:08:59]: And a lapse, even a short lapse really would set us back. Yes?
24
00:00:23,000 –> 00:00:24,000
Cynthia Kaiser [00:09:04]: Yes, absolutely.
25
00:00:24,000 –> 00:00:25,000
Frank Cilluffo [00:09:06]: And any other stark examples, because right now we just had Senator Peters on setting the stage for the congressional agenda for this year. And happy to say CISA 2015 was point one, SLCGP and state, local, tribal, territorial, and the need for our frontline defenders and responders was point two. But any other things that they should be thinking, we’ve got a small clock, it sunsets end of this month.
26
00:00:25,000 –> 00:00:26,000
Cynthia Kaiser [00:09:36]: So let’s say that there is a lapse and there’s a month without that type of sharing. How many more ransomware attacks against small businesses might occur? Because small businesses oftentimes cannot weather the cost of the ransom and the cost of actually getting back online or downtime. So how many more small businesses on America’s main streets will go out of business because we didn’t pass this widely popular bipartisan bill.
27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:10:05]: Which seems the one bill everyone agrees to, but we have a tyranny of time. We just need to address it and address it quickly. I want to pivot now to a little bit of a discussion you and I have had elsewhere around active cyber defense. And it plays into a broader posture that I think the administration is leaning forward. And, and I’ve been a strong advocate. We’re never going to firewall our way out of these problems. And, and yes, law enforcement plays a critical role, but in itself is insufficient. Yes, sanctions play a critical role, but in itself is insufficient.
28
00:00:27,000 –> 00:00:28,000
Frank Cilluffo [00:10:45]: You got to bring all of these instruments together. And, and I’d be curious what some of your thoughts are. And, and if there were things you think could be scaled in terms of recouping ill gotten gains or anything else from the FBI time, what are your thoughts on that?
29
00:00:28,000 –> 00:00:29,000
Cynthia Kaiser [00:11:04]: There’s not one action that’s going to stop Putin from cybering. Right? I mean, so we have to think about all the levers we can pull. And industry has such a critical role in being able to do some of these operations because we know things faster and we can scale beyond what resource limitations in government enable them to do. So I think we get a little stuck in this mindset like, oh, we’re going to allow industry to do offensive operations. What about the diplomatic consequences if they’ve taken down this network over here? What’ll be the implications over there? And I feel like we’re kind of biting off too much there and going to a very extreme example and stopping ourselves, right, yeah. Stopping ourselves from doing things that are smaller steps and very meaningful. One thing I’d…
30
00:00:29,000 –> 00:00:30,000
Frank Cilluffo [00:12:00]: And I would argue it hasn’t been effective anyway because the adversary continues to pound.
31
00:00:30,000 –> 00:00:31,000
Cynthia Kaiser [00:12:04]: That’s exactly right. That’s exactly right.
32
00:00:31,000 –> 00:00:32,000
Frank Cilluffo [00:12:06]: No consequence from their perspective.
33
00:00:32,000 –> 00:00:33,000
Cynthia Kaiser [00:12:08]: And I want to give an example of one of those small things. But I also want to talk about timing, because as adversaries might be incorporating AI into their programs, I have a lot of fears that it could end up being too late. It’s really difficult to conduct offensive operations against adversaries that are using certain types of AI tools, whether that’s homegrown or whether that’s open source, because the ability of an operator to iterate, figure out all the variables, conduct a successful operation, that’s hard. And gosh, if we did an offensive operation against an adversary and they were using a certain type of open source model, could we break the model? I think there’s a lot of worries. And so the time’s now is how I’d put it. From my vantage point looking at cybercrime ransomware, I’d love to be able to repatriate the stolen crypto that criminals have taken from everyday Americans and bring it back to the US, and industry is going to know about the wallets information from victims far sooner if, really, before or ever the government does. And so let me kind of peel that back on what I actually think could occur. I’d love to see industry give sanctions teeth.
34
00:00:33,000 –> 00:00:34,000
Cynthia Kaiser [00:13:26]: So if sanctions are there and they’re against a certain individual ransomware actor, a group, the government said, like, we have evidence these people are bad and they’re harming Americans. At that point, if certain companies could receive licenses and the government could create a here’s what you need to do to prove this crypto was in fact associated with this sanctioned actor. We could bring back so much money, and sanctions would then not just be necessarily something on paper or something that stops people from traveling or be able to move their money. It would actually bankrupt the operations.
35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:14:07]: And that’s precisely what we need to do, right? And I would argue more can be done with, say, bulletproof services and the like, right? We kind of know what those are. This isn’t, this isn’t Secret Squirrel kind of information. It’s, it’s known.
36
00:00:35,000 –> 00:00:36,000
Frank Cilluffo [00:14:22]: And I do think more can be done there. And I think in an operational collaboration kind of way, which takes the information sharing piece to the next level. If you don’t have the information sharing, you don’t have the trust, you don’t have the, you don’t even see the landscape. So how do you play ball together? But that’s where we could be going, right?
37
00:00:36,000 –> 00:00:37,000
Cynthia Kaiser [00:14:42]: I think so. And I think that, you know, do that, have this proof of concept on something that I can’t imagine is controversial. We should be able to take our money back. Then, see what we can do from there, see what we’ve learned, expand it. But I think especially in the space where we’re trying to counter criminals, non state actors, industry should be enabled to take actions.
38
00:00:37,000 –> 00:00:38,000
Frank Cilluffo [00:15:04]: Absolutely. And take more proactive steps. What could that look like other than recouping sort of crypto? What other steps? I mean, we see botnet takedowns and a lot of the cybersecurity sector is deeply involved in that. I think that’s becoming, no one would question the efficacy and the impact of that. But any other thoughts that come to mind there?
39
00:00:38,000 –> 00:00:39,000
Cynthia Kaiser [00:15:29]: I think expanding out that kind of botnet takedown concept to infrastructure takedown, yeah, overall. Being able to take away the tools that actors are using to conduct these malicious activities, as well as target and take down the services they’re using. Ransomware isn’t one actor who developed the tool and then went out and actually conducted the attack. It’s an entire ecosystem where you have developers and money launderers and infrastructure hosting.
40
00:00:39,000 –> 00:00:40,000
Frank Cilluffo [00:16:02]: It’s a business. An illegitimate one, but it’s a business.
41
00:00:40,000 –> 00:00:41,000
Cynthia Kaiser [00:16:04]: It’s a business, but like an ecosystem of businesses. And so I think broadening and being able to conduct more of these proactive active defense operations against criminal groups would have a really great effect across all cybercrime. Because I think you and I have had this conversation. It’s also, it’s hard to distinguish between some of these proxies and nation state actors.
42
00:00:41,000 –> 00:00:42,000
Frank Cilluffo [00:16:28]: That’s what I was going to get to. Yeah, that’s where government has to play a role because they operate out of a few countries. And again, no secret who those are. Russia.
43
00:00:42,000 –> 00:00:43,000
Cynthia Kaiser [00:16:37]: Right? Yeah.
44
00:00:43,000 –> 00:00:44,000
Frank Cilluffo [00:16:39]: And China and elsewhere. But at the end of the day, that’s where government does need to play a role.
45
00:00:44,000 –> 00:00:45,000
Cynthia Kaiser [00:16:44]: I agree, I agree. On the nation state side, there’s a lot of different things that can go wrong. And being able to free up the government to focus on that, like let industry help.
46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:16:55]: Actually, that’s a great point. It also allows government to focus on the hardest problems where their capabilities and exquisite means will have greatest net effect.
47
00:00:46,000 –> 00:00:47,000
Cynthia Kaiser [00:17:06]: Exactly.
48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:17:07]: But we seem to be fishing in every pond simultaneously. And I do think, I do think that there’s more there there. I think we, we need to lean forward in all of this because business as usual, the status quo just isn’t cutting it. I mean, by any standard, it’s not a good story to tell. So that’s not to suggest that there aren’t great intentions and, and great initiatives, but we’ve got to scale that.
49
00:00:48,000 –> 00:00:49,000
Cynthia Kaiser [00:17:35]: Yeah, I, I am just staggeringly proud of the work that we did at FBI and, and I think it made a huge difference in ransomware groups. The takedowns of LockBit and then the operation against LV that ended up creating an exit scheme, right? They ended up going away too. Those were the two top groups in 2024. And to see what it looked like coming into 2025 where there just was a power vacuum, no one had really gotten to the levels and the points, actors were kind of changing their operations. There was about 35% less ransoms paid last year than the year before. Those are real effects.
50
00:00:49,000 –> 00:00:50,000
Frank Cilluffo [00:18:11]: Those are significant numbers. Yeah, yeah.
51
00:00:50,000 –> 00:00:51,000
Cynthia Kaiser [00:18:13]: And I think law enforcement operations played a huge role in that. So, you know, let’s then industry do more, target it more. Let’s get it down to, you know, 50% less.
52
00:00:51,000 –> 00:00:52,000
Frank Cilluffo [00:18:22]: Which would be good. That’s a, that’s a start. And the terms of the ransomware gangs, they’re, and whatever terminology, they’re also engaging in much more than just ransomware, right? So sometimes ransomware is a diversion, is it not, for other tactics, techniques and procedures up their sleeves?
53
00:00:52,000 –> 00:00:53,000
Cynthia Kaiser [00:18:42]: It is. It can be a diversion for stealing data, which they think might be more effective. But we also see nation states using ransomware as a kind of smokescreen for their activity. Iran did that in Albania. They were on those networks for what, 14 months conducting espionage. But all of a sudden, when they were politically angry about something that all of us would just say scratch our heads about, they launched ransomware. It almost does a wink nod. Yeah, it’s not us and data deletion attacking them online. You name it, they were doing it.
54
00:00:53,000 –> 00:00:54,000
Cynthia Kaiser [00:19:18]: But it’s this kind of mixture of ransomware, nation state espionage.
55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo [00:19:23]: And a toxic blend of crime, business, politics. You don’t always know who the puppet is and who’s the master. And that is increasingly what we’re seeing. And obviously you want to send muddy footprints elsewhere, wouldn’t be us, that’s a criminal enterprise. But again, to get to the point where we can address it strategically, not tactically. I’ve been a little frustrated. We let our enemies define our strategy. We’re reacting to what they did.
56
00:00:55,000 –> 00:00:56,000
Frank Cilluffo [00:19:50]: We have a chance to get out in front of this. And I think what makes this different than many of the other national security challenges is industry isn’t a player. They have to have a front row seat at the table. And that gets hard too. So, but, but they, it’s, no, it’s, it’s inevitable.
57
00:00:56,000 –> 00:00:57,000
Cynthia Kaiser [00:20:10]: Yeah. When I was on the FBI side, how I used to explain to people the difference between industry and government is that industry just had more data, they had more insight, they knew something was wrong probably before government did. Government can dive deep. They can say, okay, something might be wrong, what exactly is it and who exactly did it.
58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo [00:20:32]: And they can corroborate it, use multiple means and methods. Right?
59
00:00:58,000 –> 00:00:59,000
Cynthia Kaiser [00:20:36]: Exactly. So government can sometimes dive deeper because of its authorities, but industry can be the ones like, you know, throwing up the first flag to say this doesn’t seem right.
60
00:00:59,000 –> 00:01:00,000
Frank Cilluffo [00:20:47]: And have the most data, as you say.
61
00:01:00,000 –> 00:01:01,000
Cynthia Kaiser [00:20:49]: Exactly.
62
00:01:01,000 –> 00:01:02,000
Frank Cilluffo [00:20:49]: So it’s, it’s the corroboration and everything else where I think, that’s where I think the public private partnership, not the discussion of ten years ago, but of tomorrow, it’s going to be in this operational. And honestly, we’re not going to get it right right away. We will learn, we will get better and we’re dealing with thinking predators and quite honestly, our actions will shape theirs, so, but we can’t just sit back and wait.
63
00:01:02,000 –> 00:01:03,000
Cynthia Kaiser [00:21:18]: It’s exactly right. I mean, what are we going to do? Just let this continue to get worse and worse?
64
00:01:03,000 –> 00:01:04,000
Frank Cilluffo [00:21:22]: And I hate to think it can, but it can. Yeah. So I want to jump to, you had mentioned sort of the joint advisory, the most recent one on Salt Typhoon, and I love seeing more and more seals and logos, not just getting the alphabet soup of the U.S. government, but I think in the most recent one it was over a dozen countries. I think as it was released, the bureau was talking about 80 countries were impacted by Salt Typhoon, hundreds of companies in the United States. What should we be thinking here?
65
00:01:04,000 –> 00:01:05,000
Cynthia Kaiser [00:22:00]: So I want to highlight on the advisory front before I go on the context.
66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo [00:22:03]: Absolutely.
67
00:01:06,000 –> 00:01:07,000
Cynthia Kaiser [00:22:03]: In the back page, what I also love seeing is all the industry partners…
68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo [00:22:08]: Exactly.
69
00:01:08,000 –> 00:01:09,000
Cynthia Kaiser [00:22:09]: …that assisted. Right? It’s not just the government agencies up front. If you go to that back page, it shows what operational collaboration, private public partnership needs to be. And it’s really exciting to see those citations grow and grow and grow. On the Salt Typhoon front, I’m really hot about this and I’ve been since I was at the FBI because we really focused in on at first the hundred, 150 or so individuals whose content was targeted and stolen. And that’s a really big deal, right?
70
00:01:09,000 –> 00:01:10,000
Frank Cilluffo [00:22:42]: Because of the timing, the election, everything was significant.
71
00:01:10,000 –> 00:01:11,000
Cynthia Kaiser [00:22:45]: Right? Yes. But I’ve been really frustrated with seeing how this operation took shape because they stole millions of people’s data. And I think the FBI came out with this report saying nearly every American’s data. And as a mom, I think about it for my kids. Your 13 year olds and 11 year olds who might be just getting their cell phone, the Chinese government now has information about who they called, where they were, how long the call was, who are they texting. And can you imagine a world in which 13 year old Frank information was of interest to the Chinese government?
72
00:01:11,000 –> 00:01:12,000
Frank Cilluffo [00:23:28]: Yep. God help us.
73
00:01:12,000 –> 00:01:13,000
Cynthia Kaiser [00:23:30]: Yeah, right. I mean it’s just preposterous to think about that from our childhood and that’s what our kids have to face now. And it’s to me just a far, far beyond spy versus spy. It really shows that the Chinese government is indiscriminate, that these espionage operations are not just confined to targeting people like you or me who made a choice to be in the public to know that puts us at more risk. My kids didn’t make that choice.
74
00:01:13,000 –> 00:01:14,000
Frank Cilluffo [00:23:57]: Exactly.
75
00:01:14,000 –> 00:01:15,000
Cynthia Kaiser [00:23:58]: And it really is frustrating to me to see that. And I’m actually connecting it though in my head to now what we just talked about, like that Iran, Albania example or what we just saw China do a few months ago. So for folks that maybe aren’t paying attention as closely, there was a zero day campaign that targeted Microsoft SharePoint servers. At the end, when it looked, when it was obvious to the actors that that zero day was going to be exposed, they were going to lose access, all of a sudden ransomware was deployed against all these various servers and we don’t quite know, was it those nation state actors, was it their friends they gave access to, obfuscation? But the implication is, is should we expect every Chinese espionage operation to end with an attack? Because a ransomware attack is a cyber attack.
76
00:01:15,000 –> 00:01:16,000
Frank Cilluffo [00:24:57]: Scary thought.
77
00:01:16,000 –> 00:01:17,000
Cynthia Kaiser [00:24:58]: Yeah. So what is espionage and what are we not escalating towards, towards our other conversation? We have to counter this and we have to call it what it is.
78
00:01:17,000 –> 00:01:18,000
Frank Cilluffo [00:25:07]: And that is important. And I am actually surprised at how transparent we are becoming about the adversary. I mean eight years ago you couldn’t have this conversation. Today you’d be crazy not to because it’s in front of us, it’s happening every minute, every day, 24 by 7, 365. But I still feel like our thinking is a little, I don’t want to say 19th century when we’re dealing with the 21st century adversary. But do you string them up? Do you string them along? Do you take the public health deal with the strung out? Bad analogy there. But at the end of the day there, it’s, it’s all of the above. Right?
79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo [00:25:55]: And, and Salt Typhoon. I mean one of the things law enforcement is, don’t necessarily act so fast because it could tip off the adversary if it’s part of a bigger pattern. Thoughts on that?
80
00:01:19,000 –> 00:01:20,000
Cynthia Kaiser [00:26:07]: So it’s always this balance because if you have a zero day campaign, you don’t want to, and you don’t have a fix yet, you don’t want to put it out. Right? If you’re still trying to hunt adversaries, you want to be able to find them on a network. And once it goes public, it goes dark rather quickly. So you can’t know the extent of the damage. So there is a kind of short term period in which it’s probably better not to go out externally. As long as that’s not also damaging, you know, the potential for new targets to defend their networks. There’s that short term period where you get your ducks in a row, you make sure things are set, you make sure that victims are taken care of the way they need, that we’re not putting out a zero day that someone can’t fix.
81
00:01:20,000 –> 00:01:21,000
Cynthia Kaiser [00:26:48]: But ultimately I’m so proud of, like the conversations I was having in 2017 versus 2025, just night and day. Yes. And it’s great. It’s because I think we really got over this mindset of intelligence community secrets to, like, how do we help? Like, what is needed to help? And also this kind of blame game that was around. Well, you put this out there, you did an indictment. So now we lost our access to knowing, yeah, sometimes when you put things out publicly, it quickens some operational security, but it’s not the cause. Like actors get better. This is the nature of crime. And then, you know, then we catch up and we get better. But the one conversation I’d love to see change that I don’t think we have is attribution. Like how much attribution you need before you can really hold a country culpable.
82
00:01:21,000 –> 00:01:22,000
Frank Cilluffo [00:27:49]: What are your thoughts around that?
83
00:01:22,000 –> 00:01:23,000
Cynthia Kaiser [00:27:50]: So, I mean, I have been in way more conversations than I want to talk about about what time the actions happened and whether that means that an actor was off the clock from their government job or on the clock from their government job. Or do we have proof that it was directed, you know, from central government down to this or was it just on their own? It doesn’t, my thought is it doesn’t matter because if you’re allowed…
84
00:01:23,000 –> 00:01:24,000
Frank Cilluffo [00:28:14]: For the victim it certainly doesn’t, right? Unless it’s a foreign counter intelligence issue. But yeah, yeah, yeah.
85
00:01:24,000 –> 00:01:25,000
Cynthia Kaiser [00:28:20]: If you pre, if you’re allowing it to happen, like, it’s not like the government doesn’t know, they know what’s happening in their borders. They’re not taking care of it, right? They’re not holding anybody accountable which gives that tacit approval. They can just say like, oh, we’d like, you know, they can give generalized guidance and then the actors run with it. It’s still the fault of that government. If I had hacked somebody in my free time, China wouldn’t have been like, oh, that was just Cynthia Kaiser.
86
00:01:25,000 –> 00:01:26,000
Cynthia Kaiser [00:28:47]: They would have said the FBI, the US government targeted us. We should have the same expectations like over on their side.
87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:28:54]: And that’s well said. And I do think the attribution discussion becomes a little cutesy and it’s easy to get caught up in knots, but you kind of know it when you see it, right? I mean, and we’ve seen enough of it and, and, and the way some moonlighting, and maybe Russia, how they use their proxies is very different than China. But at the end of the day it’s, it’s, it’s a capable actor and we’ve got to start moving forward. What does the FBI of tomorrow look like? How do we need to retool it, or industry for that matter? Because I think we touched on a number of steps, cultural and otherwise, that we need to start taking. But what does success look like?
88
00:01:27,000 –> 00:01:28,000
Cynthia Kaiser [00:29:40]: So some of the conversations that were happening before I left were really heartening around appropriate use of AI and how that can really help in investigations. Now you’re always going to need to have a chain of evidence and be able to go back and say exactly how you learn something in a court of law. But being able to put AI layers on existing case management systems so that we can draw out connections that we wouldn’t have been able to identify otherwise is exciting to me because that means the adversary can’t hide as well as they could hide before. That’s something that on the industry side we’re starting to use, you know, AI based threat behavioral detection. So how are adversaries living off the land? Like, how are, like, hey, we see these native tools being used on a network, but they’re not being used in the right way. This looks a little different, like, AI is, you know, machine learning, AI, gen AI, all of this is really good to be able to identify. So I think we’re like reaching a point where it’s not the collection part, right?
89
00:01:28,000 –> 00:01:29,000
Cynthia Kaiser [00:30:49]: We’re not going to the minority report type, you know, activity. But it’s, we’ve already collected a lot of this data. Like how do we go through it? I think that there’s really, like, there’s a push. There was a push inside the FBI when I was there, push inside the government overall. And I think you see it up through the President for, like, how do we become the government of tomorrow? And that’s going to make it a lot easier to identify these adversaries.
90
00:01:29,000 –> 00:01:30,000
Frank Cilluffo [00:31:12]: And I want to pull a thread because you brought it up earlier, and basically the Hoover vacuuming of all of American’s data, is that also, the potential is it can be exploited to target any individual, but it’s also to help their machine learning, algorithms, and AI. Right? So it’s sort of, it’s the data.
91
00:01:30,000 –> 00:01:31,000
Cynthia Kaiser [00:31:34]: It is. I, that’s how they identify who to target for the deeper collection. You know, you got to take, they, they think you have to take everything and then they’ll figure out the behavioral, behaviors.
92
00:01:31,000 –> 00:01:32,000
Frank Cilluffo [00:31:47]: That’s why it matters, right?
93
00:01:32,000 –> 00:01:33,000
Cynthia Kaiser [00:31:48]: Yeah, that’s why it matters. But that’s why like I don’t want them to know my kids behaviors, I don’t want them to know my neighbor’s behaviors. Like, that’s not right.
94
00:01:33,000 –> 00:01:34,000
Frank Cilluffo [00:31:57]: And it’s the indicators and when something may be off script for very natural reasons in a kid’s case, but could be obviously a discerning tool in their, in their overall. Cynthia, we covered a lot of, what questions didn’t I ask that I should have?
95
00:01:34,000 –> 00:01:35,000
Cynthia Kaiser [00:32:16]: I think the questions that we should really just be asking ourselves and I think Washington needs to ask is what are our red lines today, and have we already gone over them?
96
00:01:35,000 –> 00:01:36,000
Frank Cilluffo [00:32:29]: Yep, that’s one of my favorite topics, one that we have a task force looking at that I’m really excited you’re going to be part of. So red lines and lines in the silicon, we’ve got to start defining those and not act surprised after we get hit and act as if we don’t have playbooks in place. We’ve got to start getting that as real time as we can. Cynthia, thank you for spending so much time with us today. But more importantly, thank you for all you’ve done for the cyber community. Thank you for all you’ve done for the American people. And now you continue to do in industry. Pleasure to sit down with you.
97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:33:09]: Privileged to know you and just wanted to say thank you.
98
00:01:37,000 –> 00:01:38,000
Cynthia Kaiser [00:33:13]: Thank you.
99
00:01:38,000 –> 00:01:39,000
Frank Cilluffo [00:33:14]: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.