Ukraine, Private Sector Power, and Cyber Defense with Greg Rattray
Season 3 Episode 14 •Show Notes
Ukraine’s cyber defense has become one of the clearest real-world tests of what resilience actually looks like under sustained attack. In this episode of Cyber Focus, Greg Rattray explains why Ukrainian defenders held up better than many expected, and what their experience reveals about the limits of prevention, the value of shared visibility, and the growing operational role of the private sector.
Drawing on his work leading the Cyber Defense Assistance Collaborative, Rattray argues that exposing adversary activity across a more “brightly illuminated cyberspace” helped blunt Russia’s offensive advantage. But the larger lesson is not just about threat visibility. It is about recovery, adaptability, and trust: teams under pressure need tools they already know how to use, leaders need to plan for bad days, and governments need to make room for industry to do more than simply wait for direction.
Main Topics Covered
- The “bright room” concept in cyber defense
- Why resilience matters more than perfect prevention
- Familiar tools vs. cutting-edge tech in crisis
- The private sector’s front-line role
- How cyber, EW, and drones are converging
Key Quotes:
“It’s pretty hard to do cyber offense in a bright room, in a dark room, it’s a lot easier. But like what we’ve done here is give the Ukrainians the position that the Russian attacks are trying to occur in a pretty brightly illuminated cyberspace.” — Greg Rattray
“Kyivstar, [Ukraine’s] major telecommunications provider, got leveled in December of 2023. I thought they would be out for weeks. Two days later they were back up and running.” — Greg Rattray
“The speed at which drones have to change in order to stay survivable and effective; these innovation cycles are weeks, not years.” — Greg Rattray
“While the NIST cybersecurity framework talks about respond and recover, the amount of energy that goes into resilience is still to my mind, under thought, under exercised, [and] under invested in.” — Greg Rattray
“The notion that you’re going to be targeted has to be part of your risk calculus. And therefore you even with a good team… you cannot guarantee you won’t have a bad day.” — Greg Rattray
Links/Resources
Cyber Defense Assistance Collaborative: https://crdfglobal-cdac.org
Guest Bio:
Dr. Greg Rattray is Chief Strategy and Risk Officer at Andesite and Executive Director of the Cyber Defense Assistance Collaborative (CDAC), which has facilitated more than $30 million in voluntary cyber defense support to Ukraine. He previously served as J.P. Morgan Chase’s Global CISO and Head of Global Cyber Partnerships, and spent 23 years in the U.S. Air Force, including as the National Security Council’s Director for Cybersecurity.
Transcript
1
00:00:00,000 –> 00:00:01,000
Greg Rattray [00:00:01]: It’s pretty hard to do cyber offense in a bright room, in a dark room. It’s a lot easier. But like what we’ve done here is give the Ukrainians the position that the Russian attacks are trying to occur in a pretty brightly illuminated cyberspace.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:17]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with a longtime friend and one of the great cyber minds, Greg Rattray. Greg is CEO and co founder of Next Peak. He is also the Executive Director of CDAC, the Cyber Defense Assistance Collaborative, which has produced more than $30 million of support to Ukraine at a time of great need. Prior to these roles, Greg was the Chief Information Security Officer at JPMC, JPMorgan Chase and spent 20 plus years in all sorts of leadership and officer roles at the U.S. Air Force. And we were just recollecting, I think we first met for real when he served as the Director for Cybersecurity Policy at the National Security Council and drafted at that time, tells you how long ago it was, the first presidential decision directive on Offensive Cyber Operations. Greg, real pleasure to sit down with you.
3
00:00:02,000 –> 00:00:03,000
Greg Rattray [00:01:30]: Glad to be here, Frank.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:01:31]: So I thought we’d start with the good work of CDAC, and I mean in the midst of a kinetic war, bombs dropping, you suddenly moved in, and I will say, I’m not sure if you will, played a pivotal role in supporting the Ukrainian efforts. And please tell us how that started and what you focused on first.
5
00:00:04,000 –> 00:00:05,000
Greg Rattray [00:01:57]: So the origin story really goes back to pre the Russian reinvasion. And I had the opportunity to go over to Kyiv in 2020 and understand the sort of potential of their developing cyber capabilities. They ended up asking me to start helping with the national cyber strategy they were developing back then. So came out in 21 and then had spent some time with them prior to the reinvasion, which when that occurred it became sort of within a week or two-
6
00:00:05,000 –> 00:00:06,000
Frank Cilluffo [00:02:33]: Not academic anymore.
7
00:00:06,000 –> 00:00:07,000
Greg Rattray [00:02:35]: Not, yeah, right, yeah. And the response exercise we had done for them in December before the reinvasion was much lighter scenario than they ended up having to execute against. But I thought it would be, I had the capacity to reach to their National Cyber Center and what they call their National Security and Defense Council at the leadership level and say if you can generate requirements, I may be able to get the US companies to, to respond. And a series of US leaders like Kevin Mandia and Art Koviello and Michael Daniels, I called them up and said I might be able to get the Ukrainians to tell us things that would be helpful to them. Very much a pickup game, but one that got executed rapidly. And as I started to talk to the officials in the last administration about the fact that we were doing this, which I did very early on because I wanted to be sure that people were cognizant. They were just go, go, go.
8
00:00:07,000 –> 00:00:08,000
Greg Rattray [00:03:42]: Within a few months, I think the thing that we really helped with, and it wasn’t just through CDAC, other companies were doing things and governments more slowly started to do things, but we helped them with situational awareness. The bright lights that got shone on Russian activity when the global cyber companies are sharing with the Ukrainian, you know, cyber centers what they see with individual agencies, the military, critical infrastructure, who’s attacking you? Where is it emanating from? I think that was a very important part of a very successful Ukrainian cyber defense effort.
9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:04:20]: Absolutely. And you refer to that as a bright room. Right? You want to shed a little more light, no pun intended, on that.
10
00:00:09,000 –> 00:00:10,000
Greg Rattray [00:04:26]: So we had what we call convening. So we bring all the companies, but also governments and the full set of stakeholders. We do that basically quarterly and we discuss how it’s going. So the first one we held was in, I think it was September of 2022, and sort of just review what’s going on, again, bring in some of our government stakeholders, and one of the company people we were talking about why are the Russians not having the success everybody anticipated in their-
11
00:00:10,000 –> 00:00:11,000
Frank Cilluffo [00:04:59]: Including myself if I’m being honest.
12
00:00:11,000 –> 00:00:12,000
Greg Rattray [00:05:00]: Yeah, me too. Right. You know, and the statement was made by a very experienced cyber operator. It’s pretty hard to do cyber offense in a bright room, in a dark room, it’s a lot easier. But what we’ve done here is give the Ukrainians the position that the Russian attacks are trying to occur in a pretty brightly illuminated cyberspace.
13
00:00:12,000 –> 00:00:13,000
Frank Cilluffo [00:05:24]: And there’s a good story there too, that investment in resilience can yield benefits. Right? I mean, you look at, and I don’t want to make a direct comparison to Taiwan and Ukraine, but there are some lessons the Taiwanese can learn in all this. Right.
14
00:00:13,000 –> 00:00:14,000
Greg Rattray [00:05:41]: I think there’s lessons we can all learn. And actually we haven’t talked about this, but one of the things that I know they believe they now need to start and should be enabled to help teach the globe. And I think the Swedes just signed an agreement and the Swedes are going to train and the Ukrainians are going to teach the Swedes on the resilience lessons. I think there’s a real utility, just like the Estonians stood up a cyber defense center of excellence, for the Ukrainians to stand up a cyber resilience center of excellence. It’s interesting you said the word investment and I’m not sure that’s what’s made them very, very resilient. Their depth of technical knowledge of running their networks, their agility in, you know, fixing things.
15
00:00:14,000 –> 00:00:15,000
Greg Rattray [00:06:29]: Because I will tell you, I’m not sure they have the most highly hygienic, you know, cyber networks and defenses and you know, but they are technologically very adept. They are able to, you know, to adjust now they have years of practice in the most stressful of situations to recover things. The speed at which you may be aware, like Keefstar, their major telecommunications provider, got leveled in December of 2023, I thought they would be out for weeks. Two days later they were back up and running. And I know for a fact that that infrastructure was basically largely taken down, but they knew how to put it back together.
16
00:00:15,000 –> 00:00:16,000
Frank Cilluffo [00:07:12]: And I’m glad you’re saying others could learn a lot because I like to say that activity that can happen far flung areas of the world are movies coming to a theater near you. And it has direct US benefit too, correct?
17
00:00:16,000 –> 00:00:17,000
Greg Rattray [00:07:27]: Right. Again, on how they recovered, particularly telecom networks, but again, their energy grid is under physical attack. It’s also been under cyber attack that had occurred all the way back to 2016/17. So they had some knowledge about how to deal with that. But their ability to put digital services back up, whether it’s at the network layer, the device layer, the data layer, we all, like all nations, particularly critical infrastructure sort of operators need to sort of spend some time with the Ukrainian operators about how that works.
18
00:00:17,000 –> 00:00:18,000
Frank Cilluffo [00:08:07]: And when you look at the assistance, most people and myself probably included are thinking tools, they’re thinking technology, and yes, you can leapfrog next generation technologies in some ways provides new opportunities. But it was more than that, right? If you were to look at the success, it’s people.
19
00:00:18,000 –> 00:00:19,000
Greg Rattray [00:08:25]: That’s exactly right. I’m smiling because the technologies they wanted were not leapfrog technologies. They actually, and this was an interesting element of working with the companies, that the companies wanted to transform them. Like they need to take these new cutting edge things. And what the reality is, and I think this is a lesson for everybody, is a team that’s under a lot of pressure doesn’t have the time, you know, the way cyber tools work these, it takes a lot to assimilate a new tool, especially at the level of a SIM or massive endpoint detection deployment.
20
00:00:19,000 –> 00:00:20,000
Frank Cilluffo [00:09:03]: This is in the midst of a war.
21
00:00:20,000 –> 00:00:21,000
Greg Rattray [00:09:05]: Right, yeah. So like many layers, just the amount of energy and time they had available, but the infrastructures themselves are not capable of handling sometimes the more advanced tools. So they tended to ask for things they knew how to use. Right? Not, not always, but generally I think that was the case. But they were deploying some sort of world class technology. But a lot of what they wanted were tool sets that they were, they were already familiar with and then a lot, but to your point, a lot of what we did, what we do now is training. So it’s really continuing to increase the number of operators that they have.
22
00:00:21,000 –> 00:00:22,000
Greg Rattray [00:09:45]: They have this interesting challenge that people can be in a security operations center and then need to be in a trench and they don’t come out of the trenches. Right? So like they’ve got, you know, the people in the rear area are being, you know, many of them ended up being drawn forward so they’ve got to refresh their human skill set. That still continues to be a big deal. But again, the continued situational awareness, the intelligence attack surface monitoring, the continuing global effort to keep the bright light on the Ukrainian cyberspaces, again a key element of the assistance.
23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo [00:10:24]: And there’s the old adage, I think Sun Tzu said it, before you know your enemy have to know yourself. So illuminating that is essential. But I also think they had to rip and replace a lot of the technology because the infrastructure itself was Soviet at one point, was it not?
24
00:00:23,000 –> 00:00:24,000
Greg Rattray [00:10:40]: Well, they, it was Soviet or Russian. It still is Soviet or Russian. The, the challenge of dealing with an infrastructure that their adversary understands better than they do.
25
00:00:24,000 –> 00:00:25,000
Frank Cilluffo [00:10:55]: Better than they do, potentially. Back then.
26
00:00:25,000 –> 00:00:26,000
Greg Rattray [00:10:58]: Yeah, right, back then. But like the Ukrainians, you know, we had this interesting engagement with NAFTA Gas is their big oil and gas company. And we patted ourselves on the back because we were going to go in and we did a sort of analysis of their security operations and ran an exercise. But at the first engagement we were happy that we had a bunch of Ukrainian speakers. They all spoke Russian. They didn’t speak Ukrainian, they actually spoke Russian. And this is the, you, you, the team defending the oil and gas. And they weren’t Russian, it was just, that was the language they used.
27
00:00:26,000 –> 00:00:27,000
Greg Rattray [00:11:28]: So, and this is actually an issue with Taiwan that that notion of, some of these environments are not the, you know, the intermingling of cultures and languages and equipment are, you know, deeply, pretty deeply embedded, which as cyber people we know comes with another layer of risk and activity you have to conduct to deal with that, we had instances where the Russians had learned to, when they had taken over territory, be able to get access on what had been a Ukrainian computer, but still had like, still had access to the rest of the company, even though there was a front line in between where the computer was located. The Ukrainians figured out that the Russians were using basically valid computers inside an enterprise, but they were on the other side of the front line. So complicated environment.
28
00:00:27,000 –> 00:00:28,000
Frank Cilluffo [00:12:20]: Since you opened up that path, you’re also doing a lot of bilateral work, US, Japan. What, and I don’t want to jump immediately to what lessons learned or observed or whatever terminology we want to use, but what can Japan and others do to help Taiwan?
29
00:00:28,000 –> 00:00:29,000
Greg Rattray [00:12:40]: Well, the Taiwanese, you haven’t spent some time in Taipei and there’s been a lot of discussion of whether we can pivot the CDAC model to Taiwan.
30
00:00:29,000 –> 00:00:30,000
Frank Cilluffo [00:12:53]: Thoughts, early thoughts?
31
00:00:30,000 –> 00:00:31,000
Greg Rattray [00:12:54]: No, we’ve been actively pursuing the right way to do that. It’s different, you know, the urgency of it is different. But I think everybody sees that as a place where investing in the Taiwanese ability to defend themselves is in the interests, everybody’s interests.
32
00:00:31,000 –> 00:00:32,000
Frank Cilluffo [00:13:10]: Including themselves, obviously.
33
00:00:32,000 –> 00:00:33,000
Greg Rattray [00:13:11]: Right. So good dialogue. They’re very much more sort of organized at the governmental level, so they, they, the one deep visit I had, I was pretty impressed with just the nature of how they were organizing themselves. Not that every entity there is in great shape in terms of a defense, but we continue to work with the Taiwanese, it’s called the administration of cybersecurity, about what would be the right type of assistance. I’ve often been asked whether the companies would be willing to do that because of, you know, concerns with a different adversary, you know, in the Taiwan Gates case, but generally they’ve been, yes, like Greg, go explore that. See what would be useful for us to do.
34
00:00:33,000 –> 00:00:34,000
Greg Rattray [00:14:01]: You know, the CDAC is a very, it’s not a policy or even strategy organization. It’s a what are the actual types of, you know, tooling, intelligence support, training support to practically improve really at the enterprise or national cyber center level operations.
35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:14:20]: I’m happy to hear that. So whatever we can do to double tap that is, is essential. One, one thing I would be, not to go back to the tools and technology, but big investment in cloud early on.
36
00:00:35,000 –> 00:00:36,000
Greg Rattray [00:14:33]: Right.
37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo [00:14:33]: What, what benefit or new vulnerabilities did the Ukrainians learn?
38
00:00:37,000 –> 00:00:38,000
Greg Rattray [00:14:39]: Well, I think dominantly this is like a necessary element.
39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:14:44]: Shared services.
40
00:00:39,000 –> 00:00:40,000
Greg Rattray [00:14:45]: Yeah, a resilience strategy. If you are in a place where an adversary is going to be able to get at you physically, the notion that you are leveraging cloud based services to just do the digital, operate your digital world but also to operate your defenses, is a much less vulnerable position. A little bit, not back to the bright room, but sort of a different analogy, the Ukrainians took a lot of their digital services off the playing field for the Russians. Like when they immediately went out of Ukrainian based data centers which could either be bombed or that the Russians had mapped in terms of exploitation.
41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo [00:15:32]: Assume those have all been mapped. Right?
42
00:00:41,000 –> 00:00:42,000
Greg Rattray [00:15:33]: Right. Yeah, that suddenly if they’re in a western hyperscalers cloud, A, they’re not mapped, B, the Russians willingness to go into a western US cloud provider is a very different proposition. So basically the extent to which you could take your services and put them there, they’re much, much safer. There’s some limitation. There’s a lot of dialogue around this. Like if you go, like if you go to Japan, like the question is how much do we want to rely on another nation’s, a company that operates from another nation in terms of something that’s essential to our security. But it’s not just Japan.
43
00:00:42,000 –> 00:00:43,000
Greg Rattray [00:16:18]: It’s actually most like at least most-
44
00:00:43,000 –> 00:00:44,000
Frank Cilluffo [00:16:21]: The clean stack discussion across the board.
45
00:00:44,000 –> 00:00:45,000
Greg Rattray [00:16:23]: Right. So there’s this issue of digital sovereignty or even data sovereignty that gets mixed in here and an inclination that you want to do it all homegrown. But I don’t, I technologically don’t think that’s feasible at any scale.
46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:16:39]: Most countries that’s clearly not. But there are some unique, you mentioned the Estonians, they have their digital embassy. They’re looking at different ways around.
47
00:00:46,000 –> 00:00:47,000
Greg Rattray [00:16:48]: I think that’s mostly the way forward. The one interesting case is in Taiwan. If you put it off island, the data center has to communicate back on island to deliver-
48
00:00:47,000 –> 00:00:48,000
It’s severed, you’re in trouble. Yeah.
49
00:00:48,000 –> 00:00:49,000
To deliver any services. Right? So if your digital services are all housed off island, if you can’t get basically digits back onto the island, you don’t have any digital services.
50
00:00:49,000 –> 00:00:50,000
Frank Cilluffo [00:17:12]: And that’s an Air Force guy saying that. So Navy would immediately look to the undersea. So that’s good. Yeah, no, you’re absolutely right.
51
00:00:50,000 –> 00:00:51,000
Greg Rattray [00:17:19]: Yeah. Again one of the lessons I think there is most contexts are really very specific and it’s, you have to dig into the details. Right? Again, I was surprised but you know that you, what the Ukrainians asked for and we gave them what they wanted. I actually said we’re not going to try to tell them that they need something different than they wanted because they’re fighting and we need to give it to them.
52
00:00:51,000 –> 00:00:52,000
Greg Rattray [00:17:44]: There was also a, you and I have had this discussion and the community does often, the trust building assets, you know, like they asked for something within sometimes days where they’re with that thing, you know, they built a lot, they quickly built a lot of trust that if they asked for something we would do our best to give it to them. And that was a big element of, I think, the success of CDAC.
53
00:00:52,000 –> 00:00:53,000
Frank Cilluffo [00:18:06]: Well said. And you know, there’s new strategy recently released and, and could this be a model for what public, private, there’s a lot of discussion around how government and industry can partner. Do you see CDAC as a model for the future?
54
00:00:53,000 –> 00:00:54,000
Greg Rattray [00:18:24]: I do for a number of reasons. And Frank, you know, I’ve been involved in our public private partnerships.
55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo [00:18:31]: You’ve been around this for a while. We can be both a little grumpy. At least I can.
56
00:00:55,000 –> 00:00:56,000
Greg Rattray [00:18:36]: Right, so, but most of the conceptualization of those was government led, though not always. I mean, I come from the financial services sector and that sector, whether it’s the FS-ISAC early and the FSR later, you know, and Sheltered Harbor and other initiatives that were driven by mostly the larger institutions initially, you know, but private sector led. So that DNA that I sort of built when I was at JP Morgan, you know, gave me the confidence that I could call on private sector cyber and technology companies in this instance, the speed at which those companies can act without having to go through contracting motions and programs and decide if this sort of money is appropriate to do this sort of thing. There was significant barriers to the type of assistance because it wasn’t capacity building, it was actual operational assistance. It was very difficult here in Washington to have the system sort through the appropriateness of that. Though I got very strong support that this type of activity should be led by the private sector and go ahead and do it. And I think the new strategy does call for the private sector to take action for the good of the whole system, in this case for the good of the nation.
57
00:00:56,000 –> 00:00:57,000
Greg Rattray [00:19:55]: But I think it’s similar dialogue that I’m having in Japan, whether their strategy calls for public private partnerships and trying to encourage their governmental leadership to be willing to partner with the global cyber companies and actually pull, allow for them to lead and not feel like they have to tell the private sector how to participate, but empower the private sector to put together and ask the government for enablement as opposed to leadership.
58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo [00:20:26]: Going back a little bit to Ukraine, we’ve seen a lot of kinetic operations against critical infrastructure and cyber infrastructure and the like, and we’re starting to see a blurring of physical cyber. So sort of putting on your old hat, and even if you look at how the US has publicly discussed how we’re doing cyber effects, whether in Absolute Resolve in Venezuela or Midnight Hammer in Iran, we’re starting, or even more recently, you’re starting to see public discussion about that. But, but that played out for real in, in Ukraine. Right?
59
00:00:58,000 –> 00:00:59,000
Greg Rattray [00:21:07]: They certainly used kinetic cyber effects against things that were being kinetically targeted. There’s been some analysis, and I’m sort of of the mind that I don’t think they were very elegant, nor even today are very elegant about this. And it gets to where they’ve sort of been up and down about disruptive cyber attacks, certainly early. I mean, the whole Russian invasion was not well organized as I think, you know, both the physical invasion, while initially successful, you know, clearly wasn’t sustainable. And the, the Ukrainians recovered a lot in the first summer there, and then it’s become static.
60
00:00:59,000 –> 00:01:00,000
Greg Rattray [00:21:50]: On the cyber side, I think they were surprised that the effects they tried to achieve really, yeah, and it was not sophisticated and it was not synchronized with the ground operations. I think the campaign against the Ukrainian energy infrastructure in particular is definitely both disruptive cyber in addition to the bombing attacks is occurring, but I don’t know that at the tactical level, they’re trying to turn out the lights to enable drones to get in sort of operations. They do not seem to me to be that sophisticated.
61
00:01:00,000 –> 00:01:01,000
Frank Cilluffo [00:22:26]: UAS, counter UAS, though, is a daily occurrence, right?
62
00:01:01,000 –> 00:01:02,000
Greg Rattray [00:22:31]: Yeah, No, I-
63
00:01:02,000 –> 00:01:03,000
Frank Cilluffo [00:22:31]: And that comes into cyber too. I mean, you’re seeing the convergence of EW, cyber, RF. It’s all sort of blending, isn’t it?
64
00:01:03,000 –> 00:01:04,000
Greg Rattray [00:22:40]: Very much. And I think it’s challenging for people that grew up as cyber guys where their networks are distinct, and I’m an Air Force officer, so some of the older people might know, we used to call it information operations before we called it cyber operations. And in information operations, we put things like influence operations and electronic warfare in with the cyber, or we call it a computer network attack and defense. And, you know, we’re going back to that world. And I think the understanding of electronic warfare and the use of the radio frequency spectrum, most of what transits it now transits it as digits, not as waveforms. So there’s a real blending that the stuff going through the air is in bytes as opposed to waves. But like cyber people are not trained that way and they’re not used to trying to understand that things can be jammed.
65
00:01:04,000 –> 00:01:05,000
Greg Rattray [00:23:39]: Right? And that apertures that are receiving a signal can actually be, you know, hijacked and you can, you can, yeah, right, you can do a lot of disruptive or malicious things through, through the use of radio transmissions or again then drone warfare. Drones are transforming warfare and there’s again, there’s digital communications underpin the operations of drones. But is that a cyber thing? Yeah.
66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo [00:24:12]: And we love to look at the world in our boxes and org charts. The enemies don’t. Right? I mean, they’re finding the seams.
67
00:01:06,000 –> 00:01:07,000
Greg Rattray [00:24:19]: Right. The Ukrainians are exceptionally good at, this is just more generally in how they’re prosecuting the conflict. Their ability to go deep and damaging in the physical space and in cyberspace that watching them transform on a weekly basis. The other thing is the pace of innovation over there. The speed at which drones have to change in order to stay survivable and effective. These innovation cycles are weeks, not years. So again, lessons to be learned about how you sustain that level of, you know, that pace of change. I had an interesting discussion with the cyber attache here for the Ukrainians about like the way they decentralized that.
68
00:01:07,000 –> 00:01:08,000
Greg Rattray [00:25:05]: They don’t, there’s been back and forth about a national drone production effort or just letting each unit produce their own drones. But that decentralized model has resulted in their ability to stay ahead in many cases of their adversary.
69
00:01:08,000 –> 00:01:09,000
Frank Cilluffo [00:25:19]: And that is an advantage of being a small, well firstly disadvantage of being at war. It’s a crisis, you got to get it done, period. And also a smaller country in some ways. So yeah, it’ll be interesting to see how it all plays out. But I am somewhat amazed, and when we were having these conversations, you’d have to be behind a skiff. Now they’re daily discussions. Right? It’s a different world.
70
00:01:09,000 –> 00:01:10,000
Greg Rattray [00:25:51]: Right. There’s a, you know, the notion that offense gets conducted in cyberspace is not some, you know, secretive thing.
71
00:01:10,000 –> 00:01:11,000
Frank Cilluffo [00:25:58]: It’s not a black magic anymore.
72
00:01:11,000 –> 00:01:12,000
Greg Rattray [00:25:59]: Everybody’s experiencing it down to the individual. Right? And our, the constant fraud efforts against our own like phones and every, everybody’s computer all the way up to again nation states. Obviously there’s the like if you’re going to conduct something offensive, you, you don’t want to let, you don’t want the specifics to get out
73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:26:21]: Nor should they.
74
00:01:13,000 –> 00:01:14,000
Greg Rattray [00:26:22]: Right, but the notion that you have to discuss openly the balance between what you do to put the pain on your enemy or disable their ability to attack versus what you do to defend yourself, that needs to be a vigorous open discussion about which things work most effectively.
75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:26:43]: And you’re teeing up one of my favorite topics. You and I have had many around deterrence. Right? I mean you have to be able to talk about some of that publicly if you want to dissuade, deter, compel, not just the actor, but everyone else watching.
76
00:01:15,000 –> 00:01:16,000
Greg Rattray [00:26:58]: Right. So you know, our statements about what our capabilities are offensively, I mean, I trained with Tom Schelling, I mean when I went to graduate school and you know-
77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo [00:27:10]: Mr. Deterrence Theory.
78
00:01:17,000 –> 00:01:18,000
Greg Rattray [00:27:11]: Joe Nye later. Right? So you know, these, these concepts do, are fundamental. They’re basically about, you know, the calculus of the human mind, like trying to figure out how we create the impression in adversaries that they are at risk if they do things that we don’t want is a big element. I will say it has been hard to deter in cyberspace, having lived it for the last 30ish years, right?
79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo [00:27:41]: We can’t declare a victory there.
80
00:01:19,000 –> 00:01:20,000
Greg Rattray [00:27:43]: Right. Yeah. So like the, there are, the fact that we’ve always said and increasingly say that we’re not just going to respond in cyberspace, what cyber means. Right? That you know, at some point the transgression gets such that adversaries would assume that in the case of the United States they’d be at risk for real harm. You know, that has to be an element of it.
81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:28:06]: So maybe not directly in the CDAC context, but you and I have had discussions over the years around active cyber defense. What are your thoughts on that, where the private sector, in conjunction with the government in one fashion or another, can be a little more proactive? What are your thoughts on that?
82
00:01:21,000 –> 00:01:22,000
Greg Rattray [00:28:25]: It’s very much emerging. Right? So you’re probably aware Google has a disruptive ops team.
83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:28:30]: Absolutely.
84
00:01:23,000 –> 00:01:24,000
Greg Rattray [00:28:30]: Microsoft has, you know, been conducting takedown operations for years, but under the guise of government, you know, with government authorized, with court orders that, you know, you know, make it clear that they have the authority to do these things. I think, I think that’s the model. Right? I continue to believe that, you know, it need, that the big tech companies need to be working with governments. Now there is an issue of like how much direct sort of control the government has when it is leveraging the private sector. I do think the future holds that the global platform companies, that’s where this activity occurs.
85
00:01:24,000 –> 00:01:25,000
Greg Rattray [00:29:14]: That the notion they’re going to disrupt the adversaries that are misusing their infrastructure, that should be almost an obligation. Some people, again, Google calls that disruptive ops. It sort of bleeds into this discussion of whether that’s active cyber defense. Interestingly, a lot of countries, the UK, the Japanese and the US all use that term, but we all use it differently.
86
00:01:25,000 –> 00:01:26,000
Frank Cilluffo [00:29:37]: Aussies too. Yeah, they use the term too in their official strategy.
87
00:01:26,000 –> 00:01:27,000
Greg Rattray [00:29:42]: Right. So the private sector needs to be part of the team that puts adversaries at risk. I certainly would go that far.
88
00:01:27,000 –> 00:01:28,000
Frank Cilluffo [00:29:53]: And looking now to your role at Next Peak and, what should CEOs take away from some of the lessons you’re seeing come out of CDAC and Ukraine and just more generally?
89
00:01:28,000 –> 00:01:29,000
Greg Rattray [00:30:07]: You know, I have for quite a long time, you know, having been there when we coined the term APT and sort of seen having run the Air Force Red Team like it is very difficult to stop a persistent advanced attacker. Right? So to the extent to which you and, and almost everybody now could be a target. It’s like companies want to believe that they wouldn’t be the target, but you know, the sophistication-
90
00:01:29,000 –> 00:01:30,000
Frank Cilluffo [00:30:35]: Ransomware has democratized everything. Right?
91
00:01:30,000 –> 00:01:31,000
Greg Rattray [00:30:37]: So the notion that you’re going to be targeted, you know, has to be part of your risk calculus. Right?
92
00:01:31,000 –> 00:01:32,000
Greg Rattray [00:30:45]: And therefore you, even with a good team and you know, I believe I’ve seen some best of breed teams, you cannot guarantee you won’t have a bad day. So while the NIST cybersecurity framework talks about respond and recover, the amount of energy that goes into resilience is still to my mind under thought, under exercised, under invested in that we need to be of the mind, if you’re a CEO, that a big element of your risk management is not just expecting your defense to be stop everything, but that you know, you can have bad days. You need to understand the risks that are involved. You need to be able to get back up off the mat if you take a hard punch.
93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:31:30]: Maybe even bounce forward if you’re smart about it.
94
00:01:33,000 –> 00:01:34,000
Greg Rattray [00:31:33]: That’s right. And then. Yeah, and be collaborating if you’re smart about it, with the right people that can disrupt your adversaries, whether it’s just sharing into a system where somebody else is taking the action or if it’s appropriate for your team to be leveraging capabilities and sponsoring the right sorts of actions to disrupt your adversaries proactively.
95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:31:55]: Greg, we’ve covered so much territory. What questions didn’t I ask that I should have?
96
00:01:35,000 –> 00:01:36,000
Greg Rattray [00:32:03]: I think we’ve hit it, one of the core things that I’ve been trying to push, which is the shift between assuming that the government, governments, and it’s not just the US government, but governments in general, at least in the west, are going to be able to lead their national cyber defense and that because of the resources, the technological expertise, the operations are occurring in the private sector to figure out a model by which the private sector leads, which in some ways takes the burden off of governments to solution things that they aren’t really in a position-
97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:32:41]: And then they can, government can focus on what they really exclusively only can focus on. Right?
98
00:01:37,000 –> 00:01:38,000
Greg Rattray [00:32:46]: That’s right.
99
00:01:38,000 –> 00:01:39,000
Frank Cilluffo [00:32:47]: It’s a risk management question.
100
00:01:39,000 –> 00:01:40,000
Greg Rattray [00:32:48]: Yeah, and create some appropriate guardrails for private sector activity, but to, not to expect that the governments are going to stop even, you know, the governments have a role in national security and stopping our nation state adversaries, but the private sector needs to be able and empowered to be a key element. The front line is generally in the private sector’s hands, so you need to enable the private sector.
101
00:01:40,000 –> 00:01:41,000
Frank Cilluffo [00:33:14]: Greg, thank you for joining us today. Thank you for all you’ve done for so many years and thank you for continuing to advance the ball. Thank you. I appreciate it. I’m going to leave you with a token of our appreciation, figuratively and literally, our coin, and really appreciate it.
102
00:01:41,000 –> 00:01:42,000
Greg Rattray [00:33:31]: Yeah. Great to be here, Frank.
103
00:01:42,000 –> 00:01:43,000
Frank Cilluffo [00:33:32]: Thank you, Greg. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed and stay curious.