Nitin Natarajan is the deputy director of CISA (Cybersecurity and Infrastructure Security Agency), and has extensive experience in the cybersecurity space, including overseeing critical infrastructure for the U.S. National Security Council and the U.S. Department of Health and Human Services.
In this discussion with a16z general partner Joel de la Garza (who was previously chief security officer at Box, and has led security teams at numerous financial institutions), Natarajan explains why the evolving cybersecurity threat landscape is forcing organizations of all sizes — as well as individuals — to become more cyber-savvy. He covers a number of other topics, as well, including how industry and the government can best work together to share information and keep everyone protected.
This is an edited version of a live discussion that took place in May. You can listen to the entire discussion in podcast form here.
JOEL DE LA GARZA: How do you, and how does CISA, think about prioritizing threats? That seems like a key to everything you’re trying to do.
NITIN NATARAJAN: As we look at prioritization, it comes down to really understanding what those systemic risks are. How are we able to help tell the story of cascading impact analysis so that people can make the decisions on where to invest and what risks to invest in protecting against?
Or, how do we look at risk as a three-legged stool? I think we spend a lot of time talking about risk identification. We spend a lot of time talking about risk mitigation. We forget that third leg, which to me is that every risk we identify and we don’t mitigate, we’re accepting. And we always accept some risk. I mean, I drove up here. I walked up on stage. I took a risk by coming up here. I’ll take a risk by leaving and possibly falling.
But how do we make sure our eyes are wide open to what we’re accepting? And how do we understand that landscape of risk and use that to drive our prioritization? And then how do we look at this across 16 critical sectors that are in various levels of maturity?
Industries like the financial sector have had a quantifiable return on investment from investing in cybersecurity, but we have other sectors that have not invested as long or as much in that area. We want to be able to address risk in a way that acknowledges that people are in different places, and that speaks to large multinational corporations as well as small businesses. As we look at the supply chain risks, a lot of that risk doesn’t reside in large multinational corporations, but in the small business that’s creating that one little piece, that one widget that is critical.
So prioritization for us is a challenge because we’re looking across entire industries — vertically and horizontally. But what we want to try and do is really understand what that systemic risk is.
DE LA GARZA: The media and the security industry tend to always talk about the same threats. What are some things that are top of mind for you that we don’t hear about every day?
NATARAJAN: I think the biggest threat is complacency. There’s been a lot of talk out there about who the adversary is and what the adversary looks like. And how do we engage? But what I truly worry about is getting people to truly understand the potential for them to be a victim, and how they perceive the threat to be theirs.
Things like the Colonial Pipeline hack and other incidents have helped with that, where people have thought in the past, “I can’t be a victim. No one’s going to come after me: I’m a small business, or I’m a small rural jurisdiction, or I’m a school, and what have you. They’re not worried about me. They’re worried about the New York Cities of the world, they’re worried about large multinational corporations.” I think what we’re seeing is that people are able to see that the threat is real to them.
DE LA GARZA: How do you think about breaking down some of that either numbness or that complacency on the side of the general public?
NATARAJAN: I think it’s education. It’s getting the consumer to ask questions. So if you’re going to a bank, for example, is the bank using multi-factor authentication? You want to be looking for those types of capabilities, as well as what that institution does to your personal information and to your resources, and what’s the value there.
I think getting people to understand even things like the Internet of Things, and that we’re introducing a lot more vulnerabilities into the world, is important. I mean, we have refrigerators connected to the internet. I’m not against it. I don’t know what it does differently than my refrigerator. But all of these things are bringing in new vulnerabilities.
I jokingly told someone the other day that I would love to go back to my old Motorola StarTAC days. We’ve brought a lot of capability and technology into our mobile devices. But with that, we brought risk. And I don’t think we’ve spent enough time talking about the risk, because we’re talking about the pixel size and the ability to play games.
I think we also need to educate the next generation. Arguably, I’m lost. I believe what I believe, you know, and how do you change my mind? But I look at my kids who are coming out of high school, and people are like, “Oh, they’re so cyber-savvy.” And I’d say they’re not — I would offer that they’re tech-savvy. They’ve used iPads from the time they were two months old, but they still tape the password to the back of the iPad or to the back of their keyboard.
So, I think that we’ve equated tech savviness with cyber savviness. We need to make them cyber savvy. We need to build it into that next generation for them to truly build it into their daily lives, both personally and professionally.
DE LA GARZA: Are there threats that we are just way too obsessed over and probably distract us from the real risk?
NATARAJAN: We spend a lot of time looking at the short term. It’s nature, it’s by default. We’re focusing on what’s in the here and now, what’s in front of us. But I don’t know if we’re spending enough time looking at the longer term — if we’re really, truly looking at what resilience looks like in 5 years, 10 years, 15 years. And I think it’s because it’s hard. We don’t know where technology’s going to be in 5 or 10 years, so it’s hard to gauge where to focus. So we focus on what’s immediately facing us.
I think we need to spend more time on that longer term resilience because it’s going to take time to build it. When I look at enterprise solutions, or in government, a lot of those types of things are multi-year efforts. And often, at least in the government acquisition process, by the time we’ve set our scope and we’ve done the acquisition, it’s already outdated. And we just start the cycle again.
DE LA GARZA: Let’s talk about the situation with Russia and Ukraine. One of the things that’s been very interesting as a passive observer is that we haven’t had the same chaos we had in the past — NotPetya and these things that were designed and developed to disrupt Ukraine but got out and disrupted global commerce. It seems that, in this iteration, there’s been a lot less collateral damage.
Is that because we’ve just leveled up and we’re doing a lot? Is it the work of the government driving standards and letting people know? Because we got the Shields Up announcement that a lot of the boards that I’m on, and the people that I work with, took very seriously.
NATARAJAN: I think this changed on multiple sides. There were definitely changes with the adversary and some of the approaches there. I think there’s definitely changes from the government side and the work that we’ve done over the several years to really raise the bar. A lot of that’s due to collaboration with industry, and a lot of those types of things that have helped industry become more resilient. I think people believe in cybersecurity more than they did several years ago. And, so, all of those things together have got us to a good place.
I was in the public health space for a while, and we’ve been fighting pandemics for a long time. This is not new to us. And we were fighting pandemics, I remember when H1N1 — what we thought was a pandemic — hit. Little did we know. And, you know, what we actually said back then was that we could not go to a complete remote work or telework posture because the IT systems couldn’t handle it. Well, fast forward 12 years and we pulled it off. We pulled that off not just because of the transition to the cloud — a lot of things led us to where we are today.
So I think as we look at NotPetya versus now, part of it is really both changes on the adversary side, changes on our side, and changes on the partnership and the relationship. Shields Up is a great example where we’re able to lean forward and share a lot more information with industry partners, both at the classified level and the unclassified level. How do we get information out there? How do we get people to trust the information we put out there?
Our goal at the end of the day is not to get every classified document out to everybody or get everybody cleared with a security clearance. We’ll never get that information out there in a timely manner. It’s getting the information out there in a way that people can actually utilize it. Over the years, I’ve developed kind of a mantra on information sharing. To me, it’s: How do we get the right information to the right people in a timely manner that results in more informed decision-making? So even though the decision is the same, at least it’s better informed.
And so as we looked at this event, and what we saw, we had the mechanisms to get information out there. We had people believing the quality of the information that was coming out. I also think there’s value in leaning forward and saying we don’t have a lot of information. And we saw some really unique things. We had a lot of information that we were able to get from the classified space to the podium pretty quickly — in record time, in some cases — and were really able to use that to drive people’s decision-making on what actions they should take. So I think it’s been a strong and effective response.
But it’s all about the collaboration and partnership, because it’s not just us putting information out there if it can’t be utilized. And until we can get the feedback and really build those systems in a way that allows us to work together, we’re not changing that national landscape as we’re looking at critical infrastructure.
DE LA GARZA: I’d love to get your take on ransomware. The administration’s gotten very serious about it. And it just so happens that it’s mostly centered in the areas that are now fighting with each other. I’m curious about your approach to dealing with ransomware and how you’re maybe defanging some of that. Because it does seem like it’s maybe gotten better …
NATARAJAN: I’ll make my plug for our ransomware site, where we tried to put everything together in a central website to get the information out there. But I think a lot comes down to education. It’s educating people that you’re not going to get a million dollars by email — you’re going to get a big paper check, someone’s going to come to your door and ring the bell. I think it comes down to letting people understand who the potential victims are.
We had an incident with a small school district that was a victim of ransomware. They called the number and said, “We don’t have any money. We’re just this tiny school district. You don’t understand.”
And the attackers said, “No, we know how much money you have. We have your bank account statements. We know how much you have. And we know how much you can pay and what we’re asking you is pretty commensurate to how much you’ve got in the bank. So we’re not taking everything, we’re leaving a little bit of something. But, really, this is what we want.”
And the school district said, “Well, you want Bitcoin. I don’t know how to do that.”
“We’ve got a help desk. We’ve got help desks in 14 different languages that can help you get bitcoin. So how can we help you?”
So I think with ransomware we need to let people understand the vulnerabilities, the risks, who the targets could be, and the actions to take [see CISA joint advisory 2021 Ransomware Trends]. And the monetary impact. With ransomware attacks and with other types of things we’re seeing, people are individual users. But I also think people are starting to pay attention. I think people are starting to not click on everything.
I do worry about things like pandemics and those types of things where we have an increased opportunity potential. Or someone with 300 emails in their inbox and just needs to get through them, who falls victim to those types of things. And so we need to keep the pressure on. We need to keep the messaging going.
And we need to get the younger generation to realize this, as well. Because I made the mistake of looking through my high schooler’s inbox. And I don’t know if they read their emails, or what. I don’t know what they’ve … there’s hundreds — hundreds — of emails. I don’t even know where they’re from or how they got them. How do we educate that next generation to be in a better place?
DE LA GARZA: It would be great to understand how we can, in the private sector, better engage with the government and help make things better. Because it’s one of these team-sports things, where we all lose together if we don’t win.
NATARAJAN: I think the biggest thing is engaging with us. We have great relationships with the partners that we know. My biggest concern is that there’s a lot of partners we don’t know. We don’t know where they are, or how to get there. CISA is a growing organization — we have a field force throughout the nation of 500 or so people, and we need to continue to grow that — but even 500 people is a drop in the bucket. So, we need to know how to engage and who to engage with. And that’s where I think industry can help, because there is a lot more opportunity for industry engagement to get us connected with those right partners that can help us raise that bar of resilience.
And then keep us honest. Keep us honest and educate us. You know, we’re really trying to lean forward in a lot of our engagements because I think that, in the past, there’s been a lot of fear about how we engage with industry: “What can we do?” “What can we say?” “What can’t we say?”
We’ve built a team at CISA now that really is forward-leaning, where we’re not afraid of that engagement. Yes, there are lines, but we have a lot of latitude within those lines. We’re really trying to stay within those guardrails — we don’t want to crash through and go off the cliff — but as long as we stay within those guardrails, we’re fine.
So I think the biggest thing is to tell us what we don’t know. And I know there’s a lot we don’t know. But helping educate us on what those are, helping us stay accountable for what we’re doing or not doing, I really think is going to help us move forward and make those significant jumps we need to make.