NSA vs. Zero-Days: Kristina Walter on Speed, Scale, and Stopping Cyber Threats
Season 2 Episode 27 •Show Notes
Kristina Walter, Director of the NSA’s Cybersecurity Collaboration Center, joins Frank Cilluffo to explain how the NSA is building trusted partnerships with private industry to counter advanced cyber threats. Walter shares how collaborative work with defense contractors and tech providers has helped uncover zero-day vulnerabilities, block billions of malicious domains, and expose Chinese operations like Volt Typhoon. She also discusses the role of AI in cyber defense, the race to prepare for quantum computing, and why resilience—not perfection—is the new benchmark for critical infrastructure protection.
Main Topics Covered
- Origins and mission of the Cybersecurity Collaboration Center
- Building trust and scaling public-private partnerships
- Tracking Chinese cyber campaigns and zero-day vulnerabilities
- NSA’s protective DNS service and pre-ransomware defense
- AI’s role in threat detection and emerging attack surfaces
- Post-quantum cryptography and upgrading national systems
- Workforce development and government-industry collaboration
Key Quotes
“That service has about 1200 companies enrolled in it today. And it’s blocked 4 billion malicious domains… 500 million of them are NSA unique domains.” – Kristina Walter
“You can’t surge trust in a crisis. We have found that having that established relationship meant that when something did go wrong for some of these companies, they knew who to turn to, and how to work with us, and how we would protect the information they gave us”. – Kristina Walter
“We found it in about two weeks of the start of exploitation and were able to get out the hunting and the detections while the patch was being worked so that we could do it all together and try to remediate the threat.” – Kristina Walter
“Our focus was… how do we work with interagency partners and industry to expose this trade craft of living off the land… and really unleash the cybersecurity community in the United States to find it and eradicate it on the US Government’s behalf.” – Kristina Walter
“When we talk about a cryptologically relevant quantum computer, it’s really [a question of] when, not if… So what we’re really focused on is how do we upgrade all of the cryptographic inventory of the United States and national security systems to be quantum resistant.” – Kristina Walter
Relevant Links and Resources
- NSA Cybersecurity Collaboration Center
- NSA AI Security Center
- NIST Post-Quantum Cryptography Project
Guest Bio
Kristina Walter is Director of the NSA’s Cybersecurity Collaboration Center, where she leads efforts to partner with private industry in defense of U.S. national security systems. A founding member of the center, Walter brings deep experience from her work in both operational cybersecurity and workforce development at NSA. She also oversees the NSA’s AI Security Center, advancing the secure development of artificial intelligence technologies while safeguarding U.S. innovation from foreign adversaries.
Transcript
1
00:00:00,000 –> 00:00:01,000
Kristina Walter:
That service has about 1200 companies enrolled in it today and it’s blocked 4 billion malicious domains with companies enrolled. We are blocking botnets, ransomware, malware command and control, before that they can even visit the site. And so we have prevented significant pre ransomware staging attacks by just blocking the connections.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo:
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with the Chief of the Cybersecurity Collaboration Center at the National Security Agency, Kristina Walter. Kristina is a plank holder of the Center, has been there from day one and has an incredible background in the intelligence community at the National Security Agency and was also working on NSA’s future workforce. So lots to discuss here, lots to unpack. And Kristina, thank you for joining us.
3
00:00:02,000 –> 00:00:03,000
Kristina Walter:
Yeah, thank you so much for having me.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo:
Well, I thought we’d start at the start, and that is looking at the Cybersecurity Collaboration Center at NSA, what its vision was and now coming back to be the chief, what your thoughts are.
5
00:00:04,000 –> 00:00:05,000
Kristina Walter:
Yeah, so, yeah, we tend to be the new kid on the block when it comes to public private partnerships.
6
00:00:05,000 –> 00:00:06,000
Frank Cilluffo:
You punch above your weight.
7
00:00:06,000 –> 00:00:07,000
Kristina Walter:
We try to. And so, yeah, I mean, we stood up about five years ago really recognizing that the National Security Agency has two main functions. We have a foreign intelligence, signals intelligence function, and then we have a combat support function where we work with DoD to secure military communications. And really when we looked at how we could best achieve that function, we recognized that industry plays such a critical role in providing warfighter capabilities, Department of Defense capabilities. And so if we’re not talking to them about what they’re seeing happening on their networks, we’re not going to be able to help them secure them. That was one part. And the second part was really our visibility is entirely foreign in nature. So we see what plans and intentions are, what the adversaries might be doing overseas, but we lack that visibility once they come into the United States.
8
00:00:07,000 –> 00:00:08,000
Kristina Walter:
And so if we can’t partner with US based companies who are the ones being targeted day in and day out, we can’t really fully understand the picture of what’s happening. And so in the past…
9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo:
What the Brits call the rich picture.
10
00:00:09,000 –> 00:00:10,000
Kristina Walter:
Correct. And in the past, we weren’t able to do that for various reasons. Competitive advantage, who do we work with, who do we not work with? And when we stood up the center, we recognized that focusing around the defense industrial base, the technology and the cybersecurity companies who support them, the supply chain, that’s really the ecosystem, that is where our bread and butter is from a partnership perspective.
11
00:00:10,000 –> 00:00:11,000
Frank Cilluffo:
So very much starting with the defense industrial base, but you’re expanding. What does your membership look like?
12
00:00:11,000 –> 00:00:12,000
Kristina Walter:
Yeah, so we started five years ago with two partners. We are up over 1500 partners now. And so I think when most people think defense industrial base, they think of those large DIB primes, the big companies whose names are all on the buildings around government facilities. But we recognize that that landscape is hundreds of thousands of companies. So any company that does business with the Department of Defense is eligible to participate in our service. That’s a, we, we bin them into different categories.
13
00:00:12,000 –> 00:00:13,000
Kristina Walter:
So obviously, big DIB companies, they have robust cybersecurity capabilities. They can action technical information. We want to share information with them. But on the other side is as those companies got better in cyber, we saw adversaries do two things. One, go to the supply chain, the kind of weakest link below them, or two, go up through their service provider, whether it’s their cloud provider, their internet service provider. And so we work with the full spectrum from, you know, manufacturer who’s making a really unique part for the defense industrial base, to the internet service providers, cloud providers, cybersecurity companies in that space.
14
00:00:13,000 –> 00:00:14,000
Frank Cilluffo:
And obviously the mission assurance role is critical because if you can’t project power, deploy forces, kind of game over, right?
15
00:00:14,000 –> 00:00:15,000
Kristina Walter:
Absolutely.
16
00:00:15,000 –> 00:00:16,000
Frank Cilluffo:
And, and that includes other sectors though, like transportation and the like, how do you, how do you wrap your arms around that?
17
00:00:16,000 –> 00:00:17,000
Kristina Walter:
Yeah. So I would say our strategy is twofold. So one, again with those service providers, when we’re working with a cloud provider or cybersecurity company, we don’t tell them that they can’t use our information to defend all of their customers, whether that’s energy, water, power companies. So they can really take the intelligence we give them and action it as broad as they can. So that’s one strategy. The other one is looking at critical suppliers to combatant commands, weapons platforms, and providing free cybersecurity services to those companies to make sure that they have that continuity of operations.
18
00:00:17,000 –> 00:00:18,000
Frank Cilluffo:
Awesome. Awesome. And if you had to sort of pick two, three things that, that are essential because we’ve talked a lot about public private partnerships, and I always say trust is the coin of the realm. That’s easy to say and it’s very hard to earn, very easy to lose. But I’d be curious what your thoughts are thus far.
19
00:00:18,000 –> 00:00:19,000
Kristina Walter:
Yeah, I think for us, you know, building that trust was not something we inherently thought we would get with our industry partners. I mentioned we started with two partners who said sure, we’re willing to try out this program. Our program is entirely collaborative. We don’t pay the companies to partner with us. We want to show up with the intelligence that’s valuable to them. And so I think we had a lot of partners who said sure, I’ll sign a non disclosure agreement and enroll in your service. I’m used to the government taking information from me and never giving anything back. We have really focused on pushing out as much unclassified but non public intelligence to our companies as possible.
20
00:00:19,000 –> 00:00:20,000
Kristina Walter:
To the extent where some of them say okay, that’s too much. Can we, can we talk through what to do? But building that trust early on by showing the commitment to sharing was one, and I think two was we can’t surge trust in a crisis. We have found that having that established relationship meant that when something did go wrong for some of these companies, they knew who to turn to and how to work with us and how we would protect the information that they gave us.
21
00:00:20,000 –> 00:00:21,000
Frank Cilluffo:
Very well said. In the counterterrorism world we used to, you can’t be exchanging business cards on game day.
22
00:00:21,000 –> 00:00:22,000
Kristina Walter:
Exactly.
23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo:
It’s sort of the same concept. And, and I want to get into the threat in a second. But, but, but before sort of jumping into that, I’ve heard lots of positive stories from the defense industrial base. Any, any examples that you can share because, because it is normally it’s seen as a one way street. A lot of the public, private, at least information sharing initiatives but you really do lean forward and give back.
24
00:00:23,000 –> 00:00:24,000
Kristina Walter:
Yeah. So I would say, you know, we do a lot with our partners and so one of the examples that we’ll talk about, and I know we’re not quite at the threats discussion yet, but when we talk about China specifically, they are uniquely positioned to target the United States from the United States. That’s how they function because they know that we lack visibility there. And so over the last several years we really are in daily collaboration with our partners on what these obfuscation networks are, we call them, where China has compromised a small home or office router and they’re targeting from there or a local university computer and then they target from there. And so we’re trying to build out what these networks look like. And it is a constant collaboration with the internet service providers and the cloud providers. We’ve enumerated 300,000 nodes that we see China using targeting the United States. And so through that illumination we’ve been able to find zero day vulnerabilities that the community wasn’t tracking because we recognized, hey, this network that we know is China’s operated is connecting to one of our defense contractors.
25
00:00:24,000 –> 00:00:25,000
Kristina Walter:
Let’s talk to them about what they see. Oh, we see this environment being compromised, we’ve rebuilt the environment, they are coming back. There’s a previously unknown vulnerability. We’re able to bring in all the different vendors to see that activity. In that particular case we recognized that it was a vulnerability we hadn’t seen before. We built detections for it, but we had no idea if they were any good or if they were specific to one partner. We shared it out with the other defense contractors, found out four other ones were being impacted by this zero day vulnerability. So those are the types of campaigns that would have taken months to years to find previously.
26
00:00:25,000 –> 00:00:26,000
Kristina Walter:
We found it in about two weeks of the start of exploitation and were able to get out the hunting and the detections while the patch was being worked so that we could do it all together and try to remediate the threat.
27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo:
That’s a great story and I hear from a lot of the DIB partners great anecdotes along those lines. And okay, you made me go to the threat. So I mean Volt Typhoon I think was the eye opener and the broader concept of living off the land. Firstly, did that surprise you?
28
00:00:27,000 –> 00:00:28,000
Kristina Walter:
I think it did surprise us to see the change in the techniques with which China was targeting the U.S. I think everybody was very familiar with, you know, looking for intellectual property, going after the big and the small companies. But for espionage to, you know, steal secrets for their own gain. It was definitely a change in technique to see that. And I think that was really something that we needed to work together to fully understand. We had cybersecurity companies coming into us saying we are seeing this actor. They look incredibly sophisticated. We believe it’s China, but they’re not doing normal things we see. It’s non intelligence targets, it’s living off the land, it’s just making sure they have access every couple of months.
29
00:00:28,000 –> 00:00:29,000
Kristina Walter:
Can you help us understand that? And that’s when it’s important for us to go back and look and say what do we see from a plans, intentions, perspective and is it changing? And we were able to put those puzzle pieces together to say yes, this is a serious change in, you know, traditional espionage to pre positioning that the entire community should be concerned about.
30
00:00:29,000 –> 00:00:30,000
Frank Cilluffo:
And fair to say it helps the US government as well. I mean we’re getting much better visibility and attribution is improving. Right?
31
00:00:30,000 –> 00:00:31,000
Kristina Walter:
Attribution is improving I think across the board. Industry is exceptional at attribution these days as well. I think we all follow, you know, the diamond model of understanding where are they coming from, what are they targeting, what’s the tools and tradecraft they use and who the actors are. And so when it came to that, our goal was, the US Government is never going to be able to hunt across all critical infrastructure and detect and eradicate China, who has a huge cyber force that’s trying to preposition in the US. What we can do is partner with our industrial base and equip them to hunt for it. So that was really our focus was how do we work with interagency partners and industry to expose this trade craft of living off the land that we hadn’t seen before and really unleash the cybersecurity community in the United States to find it and eradicate it on the US Government’s behalf. And frankly we see that all the time. They are coming in to tell us, we see this sector being targeted, we’re working with this one and we’re, and we’re getting them out of our networks.
32
00:00:31,000 –> 00:00:32,000
Frank Cilluffo:
And you know, I’ve been a little grumpy with the public private partnership discussion. I’ve been saying long on nouns, short on verbs. But we are starting to see some operational collaboration, right? And that’s the only way you really build trust. In the foxhole together, fighting the same fight at the same time. And when it matters, they’ll be there. Right?
33
00:00:32,000 –> 00:00:33,000
Kristina Walter:
100%. Yeah. And, and I think we, we always talk about information sharing and information sharing is step one, like are you going to commit to sharing intelligence with us and, and are you going to protect the information we share back?
34
00:00:33,000 –> 00:00:34,000
Frank Cilluffo:
And with one another.
35
00:00:34,000 –> 00:00:35,000
Kristina Walter:
Exactly. And then two is, how do we actually integrate our operations together? And I think we’ve seen that with, with looking at these obfuscation networks that I mentioned earlier. You know, we have industry partners who are saying if you tell me that this is Chinese owned command and control and I can validate it, that it’s abusing my terms and conditions, I will null route traffic globally to that. That’s really annoying for China. So we really like that. On the second hand, how can our law enforcement colleagues take down these botnet infrastructure? How can our five eyes partners do it? When we all do that together, that’s where we really cause a disruption to their operations and that’s coordinated action together.
36
00:00:35,000 –> 00:00:36,000
Frank Cilluffo:
And I think this sometimes gets lost in D.C. I mean these are all movies coming to a theater near you. So our allies matter in all of this, right? And I love seeing the seals of multiple services around the world. I hope you continue down, down that path. But, but I do think you touched on law enforcement, and this is just me speaking here. Please don’t put words, I’m not putting words in your mouth. But at the end of the day, NSA, FBI have the most to offer from an intelligence perspective to industry. Everyone else is a pass through. Maybe CIA, but that’s basically the big three. And you mentioned sort of working with law enforcement and I think this comes really into play with pre ransomware indicators and the like, anything. Because I’d love to see those operations scale. The 1 and dones are great, but that’s a blip.
37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo:
If we want to change the course of events, it’s got to be a little more strategic, right?
38
00:00:37,000 –> 00:00:38,000
Kristina Walter:
Yeah. And I think when we talk about the threats, what we really see is these adversaries are lazy in most cases. They will go after the easiest target, the unpatched system, the malicious domain that they can get you to visit that’s hosting their malware. And so the same techniques that harden against the really sophisticated actors also protect against the cyber criminals, the ransomware actors. And so what we have found is our best way to do that, especially for the small suppliers, is through these free cybersecurity services that DoD has funded us to give out to companies. So what we did is we said what are the most common attack vectors that we see hitting small businesses and how could we provide these active defense services to defend against them? So protective DNS. DNS is the phone book of the internet. It helps you navigate without having to know every IP address for every website you’re going to. Frequently abused by nation state actors and criminal actors.
39
00:00:38,000 –> 00:00:39,000
Kristina Walter:
We see them doing domain squatting where they will take over a domain that looks to be legitimate and then host malware on it. We’ll see them do typo squatting where they’ll take something that the human eye wouldn’t recognize, where they put a zero instead of an O so that you visit the wrong site that is malicious on it. And so protective DNS offers a threat feed that blocks known malicious domains. So what we have done in that space is we have provided, we’ve contracted with a third party who provides this service out to companies. What we then also do is on the back end we’re running analytics, we’re identifying new domains in our foreign aperture that are malicious and we’re feeding those into the service. So that service has about 1200 companies enrolled in it today. And it’s blocked 4 billion malicious domains for the companies enrolled. 500 million of them are NSA unique domains.
40
00:00:39,000 –> 00:00:40,000
Kristina Walter:
It’s a huge number. And so when it comes to that ransomware threat, we are blocking botnets, ransomware, malware command and control before that they can even visit the site. And so we have prevented significant pre ransomware staging attacks by just blocking the connection so that the small business employee who doesn’t know any different can’t visit that site that’s going to pre stage for ransomware.
41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo:
And it is getting a little more murky to know who’s the puppet, who’s the, I mean proxies and ransomware gangs, organizations, whatever we want to call them. It gets difficult to discern who’s sometimes in charge. Right?
42
00:00:41,000 –> 00:00:42,000
Kristina Walter:
Absolutely. And I think the other thing we see when it comes to vulnerabilities is looking for unpatch systems is something that’s on the global scale. I mean when we saw Salt Typhoon, we saw global scanning to look for unpatched systems for misconfigured routers and then exploitation. And so that’s the other part of our services is we offer, using commercial tools that scan the internet, helping these small businesses understand here is your internet facing footprint, here’s where you’re running outdated software. And here, very specifically we see criminal actors exploiting this particular device that you’re running or nation state actors. We need you to patch there. We see them patching 80% faster than industry standards because we give them that context to say it’s running right here, it’s unsafe and please address this.
43
00:00:42,000 –> 00:00:43,000
Frank Cilluffo:
And from an adversarial standpoint, they’re going to ride in the surf anyway. Right? I mean if it’s exploited, it doesn’t matter who exploits it, they’re going to piggyback.
44
00:00:43,000 –> 00:00:44,000
Kristina Walter:
Exactly. And we see that all the time. And we see nation state actors. You know, you get in there and there’s three different actors on one vulnerable device because they’re all just opportunistic.
45
00:00:44,000 –> 00:00:45,000
Frank Cilluffo:
And you brought up Salt Typhoon and, and not to get into great specificity, but we’re still early stages in understanding the battle damages, the assessment and, and the consequence of that, aren’t we?
46
00:00:45,000 –> 00:00:46,000
Kristina Walter:
Oh, absolutely. And I think with, with Salt Typhoon, you know, it’s different tradecraft than we see for Volt Typhoon. It’s more traditional espionage activity.
47
00:00:46,000 –> 00:00:47,000
Frank Cilluffo:
The intent.
48
00:00:47,000 –> 00:00:48,000
Kristina Walter:
The intent of it, yes. But once you get in that system, you can really do whatever, you know, whatever you want.
49
00:00:48,000 –> 00:00:49,000
Frank Cilluffo:
You can exploit, attack, whatever you want.
50
00:00:49,000 –> 00:00:50,000
Kristina Walter:
And I think we’ve really looked at, partnership has been so critical in that space to get out the detection guides. You know, we had partners coming in in the beginning saying, you’re asking me to fish in the ocean and find, you know, where they are in my network. And these networks are vast, they’re dated, they need to be updated. And so helping narrow down the scope of what they should be looking for has been really critical in that space.
51
00:00:50,000 –> 00:00:51,000
Frank Cilluffo:
And do you see AI playing a significant role in all of this?
52
00:00:51,000 –> 00:00:52,000
Kristina Walter:
I think there are, you know, there’s always discussions on AI being used for defenders and offenders and where, who’s going to be, who’s going to benefit more from it. But especially when it comes to these techniques that require lots of logs and hunting through those logs. AI is incredibly powerful in that space for living off the land and techniques like that. How do you narrow down what a net defender has to look at? The AI can help you teach the techniques, you show it what to look for and then it highlights for the net defenders what they need to pay attention to rather than asking them to fish in this sea of network traffic.
53
00:00:52,000 –> 00:00:53,000
Frank Cilluffo:
So you’ve got PRC, CCP, probably the most the existential threat we’re dealing with. But Russia, Iran, North Korea and pretty much anyone that has a military has a cyber capability, right?
54
00:00:53,000 –> 00:00:54,000
Kristina Walter:
I mean frankly anybody who can connect to the internet we see has a cyber capability. And so I think the interconnectedness of the world means we’re seeing, you know, the nation state actors with very specific goals, but also the opportunistic actors, the ransomware for service. I mean it’s become incredibly profitable for there to be access brokers and people to specialize in specific components of the attack chain and sell access back and forth. And so it’s, it’s an extensive ecosystem. I think the good news is we still find that the basic cyber hygiene does address across the spectrum of all of the threats. And so kind of an investment into one or two things can benefit across the attack chain.
55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo:
And feel free not to answer but, but sort of safe havens, that’s still a challenge, isn’t it? There, there are a few countries that are providing safe haven for a lot of these bad criminal actors, which again difficult to discern who’s the proxy, who’s the puppet, who’s the master, sometimes.
Kristina Walter:
It’s difficult to discern that and it’s also difficult to discern where they’re coming from because they recognize, especially China, they can obfuscate their operations by jumping through, you know, third party countries, different infrastructure. And so you know, if you’re being targeted by a small home office router in Kansas, you know, you don’t really realize that oh, that IP address that’s rating as Kansas is really, you know, a Chinese actor coming after you.
56
00:00:55,000 –> 00:00:56,000
Frank Cilluffo:
And criminal enterprises are becoming more and more sophisticated. I mean literally their capabilities would have been in the hands of maybe five countries five years ago.
57
00:00:56,000 –> 00:00:57,000
Kristina Walter:
Yeah. And I think AI is an area where that is also changing. We see, you know, phishing emails are incredibly realistic now. You know, before you could train employees to detect something that was malicious so they wouldn’t click on a malicious link. All of that is getting harder because of the commercialization and availability of AI for all the cyber criminals. That’s why they’re getting better. You can, you know, ask AI to code for you and build a malicious exploit for you in a lot of cases.
58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo:
And defenders too, right?
59
00:00:58,000 –> 00:00:59,000
Kristina Walter:
Exactly.
60
00:00:59,000 –> 00:01:00,000
Frank Cilluffo:
So it’s kind of funny. Every major industry leader tends to think AI benefits the blue, the defender. A lot of the national security folks sort of say, hey it actually, because I think part of the challenge is it’s a little bit like terrorism. We’ve got to be right all the time, right? So that’s an unfair sort of playing field.
61
00:01:00,000 –> 00:01:01,000
Kristina Walter:
I think our net defense are overworked and underappreciated 100%. They have to block everything all the time. And I think when it comes to resilience, that’s an unrealistic expectation. So when you talk about what should businesses do, recovery is an important angle of it because they are going to be targeted day in and day out. They are not always going to get it right. And how do they segment, control, contain and then continue operations.
62
00:01:01,000 –> 00:01:02,000
Frank Cilluffo:
I’m really glad you brought up the R word, resilience, because that’s probably a better way to think about these issues. We’re never going to stop everything all the time from every perpetrator and every modality of attack. But we can enhance our systems. And I think that’s especially important when it comes to ransomware and the threat that poses. Right?
63
00:01:02,000 –> 00:01:03,000
Kristina Walter:
I hundred percent agree. And I also, I think it goes back to trust as well. I think one of the interesting things about the collaboration center is, you know, we just really know a lot about cyber actors, nation state criminal actors and we want to work with partners on that. We don’t have a regulatory function, we don’t have a contractual function. You don’t have a contractual relationship with us, which means you can come to us to say I really have no idea what this thing is. And we can have that conversation that says, you know, this is who we think it is. This is what we see that actor doing, if we know.
64
00:01:03,000 –> 00:01:04,000
Kristina Walter:
And then when you get to the point where you’ve had a compromise and you need to do your incident reporting like you do all that separately and outside of us. But I think the sophistication and the way actors can pose as each other make it really hard to figure out what the impact is, having that trusted space to come in and say, what is this? I got this email. I don’t know. Can you tell me anything about this? So that they can do that investigation on their own and then decide what the impact is, is a really important aspect of this space.
65
00:01:04,000 –> 00:01:05,000
Frank Cilluffo:
And that’s again, back to the giving back, which I think is unique. And keep that, I’m glad it’s in the DNA and I hear it from others. I’m not just because you’re in front of me, but that is in fact the case. One thing to get inside the Beltway a little bit, so CISA 2015 reauth or 2025 or CISA if we want to, so we don’t confuse it with the agency, would that have, so I’m hearing from a lot of industry that that could have significant implications on public private partnerships. And if you don’t have liability protection, it’s not going to be the operators.
66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo:
They always lean forward. But the general counsels of those companies might have a different idea.
67
00:01:06,000 –> 00:01:07,000
Kristina Walter:
Yeah, I think what we’ve recognized is protected information sharing is absolutely critical. And so the Cyber Information sharing Act of 2015 enabled companies to share information with the government that was protected so that they could have conversations about what was happening. So those programs are incredibly important. I mentioned trust is incredibly important. And everybody has a legal counsel advising them. So for us, we don’t have to have partners share under that, but some do. It enables us to share more rapidly with our counterparts in the government. And so it’s incredibly important to have programs that are protecting the sharing from liability protections for our companies to be transparent.
68
00:01:07,000 –> 00:01:08,000
Kristina Walter:
And, and we get asked a lot, you know, why is industry always tipping you it sometimes? And the answer is because they’re the ones who are the target all the time. And so they’re going to, of course, see it because we’re not monitoring their networks, nor should we. And so in order for them to share that safely, it’s important to have those policies and those overhead structures in place that protect the sharing.
69
00:01:08,000 –> 00:01:09,000
Frank Cilluffo:
I’m glad you brought that, they literally are on the front lines. That’s what differentiates cyber from other forms of conflict is they, they are the front lines. And, and none of them went into business thinking they have to defend against China, Russia, Iran, North Korea and every other bad actor.
70
00:01:09,000 –> 00:01:10,000
Kristina Walter:
Exactly.
71
00:01:10,000 –> 00:01:11,000
Frank Cilluffo:
That’s why efforts like this are so important.
72
00:01:11,000 –> 00:01:12,000
Kristina Walter:
And I think that’s where, our conversations with these small businesses, you know, they’re small businesses that build, you know, a specific widget for the Department of Defense. Their IT person is their HR person, who’s their payroll person who does three jobs most days. So explaining to them that contracting data is very publicly available and once you win a contract, you do become on a target list to say what do they have on their network? Can I use their trusted relationships with other companies to abuse them and move laterally? And so that education piece has been critical. They don’t know where to start with a cyber program when they’re a small company trying to make payroll.
73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo:
And I do think small, medium sized and state, local, tribal, territorial, and that’s not in your mission set, but small and medium sized businesses are. And I’d be curious, sort of what you think resilience looks like across critical infrastructure.
74
00:01:13,000 –> 00:01:14,000
Kristina Walter:
Yeah, I think what we have seen is the cybersecurity and the technology community really being proactive in partnership with us to defend their customers. And I think there is an education piece for these small businesses to understand what is internet facing. What would I do if part of my network went down? How would I reconstitute that? That’s kind of on the, the small business or the critical infrastructure entity. But I think what we’ve seen is this community that can provide them cloud services that are secure by default. They start with MFA, they, they’re protecting them inherently. That’s where we really get to a, an ecosystem that’s protecting critical infrastructure in the United States.
75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo:
And when I think of NSA, I mean your reach and capacity and capabilities are immense. And baking security into the design or cyber informed engineering, whatever terminology we want to use, DOE, CISA have different terminologies, but you guys actually are the one place that probably could do that across the board, right?
76
00:01:15,000 –> 00:01:16,000
Kristina Walter:
Yeah. And we do a lot of work with NIST on the standards community to make sure that our secure technology proposals are going into the international standards discussions. That’s where we’ve seen, you know, specific nation states trying to sway international standards discussions to benefit their technologies. And so how do we partner with industry in the US and with the standards organizations to make sure that they are not influencing our standards negatively so that products that are more secure can be in the ecosystem rather than Chinese developed products that are Going to enter the ecosystem with perhaps more vulnerabilities.
77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo:
I’m going to ask you to go back to a little bit of your previous role in terms of workforce. How do we arm the women and men of the next generation to be ahead of the game? It’s a, it’s a tough challenge. There’s no silver bullet. I know, but…
78
00:01:17,000 –> 00:01:18,000
Kristina Walter:
It is a tough challenge. And I think for us, you know, we have had great success with development programs at the National Security Agency. Exposing employees to the offensive and the defensive side, helping them understand how an attacker thinks so that you can be a good defender is a good space. Starting education really early has been critical too. Running GenCyber camps, we have centers of academic excellence where we’re giving them curriculum for the cybersecurity community. I think all of those are to build the foundation. I think once you get in, we have to get better at having agility moving in and out of government.
79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo:
And constantly, I’m glad you brought that up. That’s complicated. The lawyers have a say in some of this, but that is essential because at the end of the day we talk about purple and interagency and I’m a big proponent of that. But when it comes to cyber, industry has to be part of that equation and you have to find reasons. And maybe you don’t stay for 40 years, maybe you stay for 10 years, you come back with new skills and all boats rise, right?
80
00:01:19,000 –> 00:01:20,000
Kristina Walter:
Absolutely. One of the first things I did when I ran that workforce initiative is we established an alumni program to say, you were here for a bit, you’re going out, think of us, stay in touch with us when you want to come back, let’s have a process to get you back in faster if we can. And that’s been really critical. So for me, a lot of my employees in the collaboration center, worked at NSA, went out to industry and decided to come back for various reasons. They wanted to serve again. And they are some of my best employees because they understand both sides. I’ll say the other thing is true as well. Almost every one of our partners has a former NSAer at it, and they just speak the same language.
81
00:01:20,000 –> 00:01:21,000
Kristina Walter:
You can have better conversations with them because they understand what we do, what we have to offer. And so it’s beneficial for me to have those former NSAers in companies as well.
82
00:01:21,000 –> 00:01:22,000
Frank Cilluffo:
Unequivocally. And we touched on AI, but how do you see it changing the landscape and how is the center in particular utilizing machine learning and other techniques?
83
00:01:22,000 –> 00:01:23,000
Kristina Walter:
Yeah, so I think AI is, is just going to add to the speed with which we see the attack chain move. And so we stood up an AI Security Center within the collaboration center about a year and a half ago now, really with the recognition that this technology is rapidly evolving. And so we’ve been partnering with industry to…
84
00:01:23,000 –> 00:01:24,000
Frank Cilluffo:
And you have a center under you, right?
85
00:01:24,000 –> 00:01:25,000
Kristina Walter:
Yes. Yes, we do.
86
00:01:25,000 –> 00:01:26,000
Frank Cilluffo:
Focused on AI.
87
00:01:26,000 –> 00:01:27,000
Kristina Walter:
The AI Security Center, one of our organizations, and it’s really focused on how do we partner with those frontier AI labs who are building this technology to secure their intellectual property, to understand where adversaries are targeting them to get it, how are they abusing AI so that we can work with those partners, but also how do we do red teaming to see what, what’s different about how you would target an AI system versus a traditional information system and get those mitigations out.
88
00:01:27,000 –> 00:01:28,000
Frank Cilluffo:
Coupling that with the cybersecurity mission I think is essential because AI is a little bit like cyber.
89
00:01:28,000 –> 00:01:29,000
Kristina Walter:
Exactly.
90
00:01:29,000 –> 00:01:30,000
Frank Cilluffo:
It’s a means to an end, but it’s its own domain as well.
91
00:01:30,000 –> 00:01:31,000
Kristina Walter:
Well and also the research component. So we have a research directorate at NSA that has been looking at emerging technologies for years. We pulled that research component also into the AI Security Center so that there are years of research into how AI works, what are the underlying algorithms in it. So there’s just different threat vectors when it comes to AI. And those folks are really uniquely positioned to understand how it could be targeted.
92
00:01:31,000 –> 00:01:32,000
Frank Cilluffo:
Now shoot me down. I am actually concerned about quantum. Because at the end of the day, if you’re in the
93
00:01:32,000 –> 00:01:33,000
Kristina Walter:
Absolutely.
94
00:01:33,000 –> 00:01:34,000
Frank Cilluffo:
Secret stealing business or in the defending of secret business. That could change the game, could it not?
95
00:01:34,000 –> 00:01:35,000
Kristina Walter:
100%. And when we talk about a cryptologically relevant quantum computer, it’s really when, not if at this point. We know that there’s a lot of investment going into that and that really takes our current public key cryptography and blows it out of the water. And so what we’re really focused on is how do we upgrade all of the cryptologic inventory, cryptographic inventory of the United States and national security systems to be quantum resistant?
96
00:01:35,000 –> 00:01:36,000
Frank Cilluffo:
Huge job. And post quantum, I mean we have to be thinking in that direction.
97
00:01:36,000 –> 00:01:37,000
Kristina Walter:
And we’ve gotten to a point where we have the algorithms ready. We’ve been working with NIST and that. So it’s just the recipe is there. But how do we frankly as a nation take on that massive upgrade of all of our cryptographic material is a huge underpinning that we’re leading.
98
00:01:37,000 –> 00:01:38,000
Frank Cilluffo:
So you’re not saying I’m not an alarmist.
99
00:01:38,000 –> 00:01:39,000
Kristina Walter:
You are not an alarmist. I think this is a realistic discussion we need to have.
100
00:01:39,000 –> 00:01:40,000
Frank Cilluffo:
And it can change, it can change the way all of us do business. And I’m going to ask, this is a race we cannot lose.
101
00:01:40,000 –> 00:01:41,000
Kristina Walter:
100%. 100%. And so we have to be ready for it. And industry is really coming in to be ready because they’re a huge part of this too.
102
00:01:41,000 –> 00:01:42,000
Frank Cilluffo:
Absolutely.
103
00:01:42,000 –> 00:01:43,000
Kristina Walter:
And so getting the technical specifications defined, the algorithms was a big win. And now how do we have a roadmap and how are we budgeting as a community to implement and upgrade all of our devices is an important area.
104
00:01:43,000 –> 00:01:44,000
Frank Cilluffo:
You covered so much territory, and what questions didn’t I ask that I should have?
105
00:01:44,000 –> 00:01:45,000
Kristina Walter:
Oh, gosh. I think when it comes to, you know, where are we going? I think that’s a good question. You know, we have rapidly adjusted in the last five years to how we partner with industry. I’m not sure when any of us started that we knew we would be where we are today from a partnership perspective. I think as far as where we’re going, where we really want to move to is, you know, our focus is getting as much actionable intelligence out to the people who can defend at scale as we can, and what are their barriers that maybe are stopping them from actioning that information? We’ve been in a lot of conversations with our industrial base now to say, what do you need from us, from the community, so that you can really defend against these sophisticated actors at scale. Is it a risk decision? They always have to decide what to do with our intelligence. And so that’s where we really want to get our industrial base really comfortable with being able to defend at scale and action our information as broadly as possible.
106
00:01:45,000 –> 00:01:46,000
Frank Cilluffo:
You know, you’ve got the why, that’s obvious. The how is just as important. And this is not to throw props, but to do it in a genuinely collaborative kind of way, I think is almost as essential. And the when is now. I think we know that. But all things said and done, thank you for your public service. Thank you for advancing the ball. Thank you for all the good work you’re doing.
107
00:01:46,000 –> 00:01:47,000
Frank Cilluffo:
And keep that how in addition to the why front and center, so Kristina, thank you.
108
00:01:47,000 –> 00:01:48,000
Kristina Walter:
Thank you so much for having me.
109
00:01:48,000 –> 00:01:49,000
Frank Cilluffo:
I really appreciated having you on and covered so much territory.
110
00:01:49,000 –> 00:01:50,000
Kristina Walter:
We did. Thank you so much.
111
00:01:50,000 –> 00:01:51,000
Frank Cilluffo:
Thank you. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.