GZERO WORLD with Ian Bremmer
Russia's Cyber Attack: An Act of Espionage or War?
1/8/2021 | 26m 46s | Video has Closed Captions
Taking stock of a massive cyber attack on the US government and American companies.
Former US Homeland Security Secretary Jeh Johnson spent years trying to protect the United States against the kind of massive cyber attack that Russia carried out against American businesses and government agencies in the last year. But at what point should we view such a breach as more than a remarkable feat of espionage? When does it constitute an act of war? Johnson joins the show to discuss.
GZERO WORLD with Ian Bremmer is a local public television program presented by THIRTEEN PBS
The lead sponsor of GZERO WORLD with Ian Bremmer is Prologis. Additional funding is provided...
>> My personal experience in national security, I've had very, very senior officials of foreign governments look me in the eye and lie to my face.
"It wasn't me."
"It wasn't me.
It was some other guy," because they like to believe that by creating some form of separation, some degree of deniability, they get to deny plausibly to their United States counterpart.
♪♪ >> Hello and welcome to "GZERO World."
I'm Ian Bremmer, and today, what a massive Russian cyber hack of U.S. institutions and private companies really means.
Is America prepared for the geopolitical threats of the 21st century?
I'm guessing no.
I'm talking about that with former Homeland Security Secretary Jeh Johnson.
>> When you're dealing with nation-state actors who are really sophisticated in this space, like the Russians or the Chinese, there is no complete line of defense.
We cannot erect a wall that will prevent all such attacks.
>> And then it's puppets.
>> Breaking news -- It appears President Trump has accepted his defeat after all.
As sources say, he is now actively testing the job market.
>> But first, a word from the folks who help us keep the lights on.
>> Major corporate funding provided by founding sponsor First Republic.
At First Republic, our clients come first.
Taking the time to listen helps us provide customized banking and wealth-management solutions.
More on our clients at firstrepublic.com.
Additional funding provided by... ...and by...
>> You want a computer program to sound really smart?
Call it Einstein.
That's a multibillion-dollar digital defense system the United States has used to catch outside hackers and attackers since 2003.
Turns out Einstein was no match for what's looking like one of the biggest cyber breaches in history.
It started in March of 2020.
A product from a software company called SolarWinds was compromised by hackers.
>> We've been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation-state.
>> All signs point to Russia, and U.S. government agencies and Fortune 500 companies alike who used SolarWinds software were compromised.
We're talking about the United States State Department, the National Institutes of Health, the National Nuclear Security Administration, the Homeland Security Department and Microsoft.
The list goes on and on, and we are only beginning to hear the full extent of the damage, what information may have been stolen and how it might be used against the United States going forward.
The story shines a light on two key aspects of cybersecurity today.
First, experts say the U.S. is under-resourced when it comes to safeguarding against this kind of act, spending far more on intelligence gathering than on tracking and stopping attacks like this one.
In a recent op-ed, the man who used to run information security at both Yahoo and Facebook, Alex Stamos, points out that the agency tasked with defending public and private sector systems in the U.S. has about 2,200 employees.
By comparison, the NSA has 40,000.
Next, there really are no international norms or conventions when it comes to cyberspace.
Unlike nuclear weapons, cyberattacks fly under the radar, literally.
I talked about that in 2018 with New York Times national security correspondent David Sanger.
>> Unlike nuclear weapons, you can dial it up and you can dial it down.
And basically the history of cyber in the past 5 or 10 years is one of attacks that do not get responded to.
>> How should the United States respond to Russia or other adversaries like China or Iran for the kind of cyberespionage our own government engages in abroad?
And what does a U.S. cyberdefense system of the future look like?
I talk about all that and more in today's big interview.
Jeh Johnson -- He was secretary of Homeland Security under President Barack Obama.
Jeh, thanks so much for joining me on "GZERO World."
>> My pleasure, Ian.
Looking forward to our discussion.
>> I want to jump right in to this massive Russian breach into both the public and the private sector.
Give us a little rundown, given your expert perch of what you think we've just seen.
>> Well, Ian, when I was at Homeland Security, I used to tell people, let's prepare and plan for the next attack, not the last attack.
I used to try to encourage my people to think aggressively, to try to stay one step ahead of the enemy.
Unfortunately, bad cyber actors like this most recent one are increasingly aggressive, tenacious and ingenious.
This attack, using software upgrades, was both ingenious and ironic.
Using a software intended to promote cybersecurity as the tool to implant malware was extraordinarily clever.
And it's highly regrettable that some of our most sophisticated actors in this country in cyberspace, you know, like the Department of Homeland Security or other elements of our national government, didn't catch this sooner.
It took FireEye apparently to catch this.
And so my assessment of this is it is yet another example of how the bad guys continue to stay one step ahead of the good guys in trying to defend against this kind of thing.
And as I sit here, I think we are yet to fully understand the extent of the damage caused by this attack and, most fundamentally, whether it is simply an act of traditional surveillance, which many governments engage in, or it is some form of offensive attack which would merit a very, very serious response, in my view.
>> For those that are just kind of watching the headlines around this, should we be a little shocked that this actually could have happened at the hands of a foreign government?
>> No, we should not be shocked, unfortunately.
And your question is a very, very legitimate one.
The one thing I will say is when you're on defense, when you're in national security, when you're in homeland security, there are a lot of bad things that we do prevent from happening that somebody like you and me in private life don't hear about.
And it is the reality that one failure will be the equivalent of a thousand successes.
So there are a lot of cyberattacks, a lot of attempts at infiltration that are prevented and caught that you don't necessarily hear about.
It's the big one, like the current one, that we do hear about and obviously need to be concerned about.
>> Is there anything that we know thus far that implies that this was more than just espionage?
Because, again, I've heard -- I've heard lots of intemperate things on the Internet -- shocking -- including from members of Congress saying this was an act of war.
Is there any reason to believe that is the case from what we know so far?
>> Well, in reacting to a national security event, I rarely take my guidance from individual House members reacting on Twitter.
And I recommend that you not do that either.
There are indicators when you implant malware that it could be done for all sorts of reasons.
When I was in Homeland Security, the cyber intrusion that I would worry about most is a national actor, a nation-state actor, one of the more sophisticated ones, implanting malware in critical infrastructure, and it lies in wait to do something, whether it is to exfiltrate data, whether it is to degrade something, whether it is to destroy something, whether it is to change an identity.
You don't really know until the trigger is pulled.
I gave testimony before Congress a couple of years ago, and one of the things I addressed in my testimony is under what circumstances a cyberattack should be considered an act of war.
And my basic conclusion was that if the cyberattack amounts to physical destruction, loss of life, like any other, more traditional kinetic attack, then that should be considered an act of war.
And so we do get excited about these things, as we should be.
But we have to also consider the other side of the equation, which is what is the United States capable of doing?
How might the United States respond to this intrusion in ways seen or unseen?
And so we do have awesome capabilities in cyberspace ourselves as a country.
But going back to your original question, Ian, cybersecurity is a public/private partnership.
There are cyber experts in government.
There are cyber experts in financial services.
There are cyber experts in the Defense Industrial Base.
And apparently this intrusion was far-reaching.
It stretched into the private sector, some of our most sophisticated actors in the private sector.
And so we don't know the answer to the question "to what extent should this be considered an attack?"
And we don't know whether we've discovered the full extent of it.
We don't know whether it's implanted in a system that you and I use every day and we just haven't discovered it yet.
>> What do you think the Russians, assuming, as Secretary Pompeo said, that they're responsible for it?
What are the -- What is the potential -- What can they do with this sort of information?
What are the capabilities that they're now likely to have or have improved that they did not status quo ante?
>> Well, if one assumes that this was espionage, then the Russians know a lot more about people like you and me, more people in government or our capabilities or what we are talking about within government or within some of the more sophisticated elements of the private sector.
If this is a different form of malware with offensive features to it, one could eliminate data, one could alter data, one could degrade a capability, one could shut down a capability and critical infrastructure.
Frankly, the possibilities are enormous.
And so I look forward to hearing the public congressional testimony of our national security officials about exactly what they think this malware was implanted for.
We just don't know, Ian, at this point.
It's still early.
We just don't know.
One thing that the public should be most upset about is, just weeks before this attack was discovered, President Trump fired our government's senior cybersecurity official, Chris Krebs, who, by all accounts, was doing a good job as an appointee in the Trump administration.
He was the head of CISA, which is part of DHS, and, by all accounts, was doing an excellent job.
He was doing exactly the job that a president should want someone in that position to do.
But he was fired because he was not on the same page in terms of the election outcome.
And so CISA, the agency of our government principally responsible for our cybersecurity, is leaderless right now at a moment of great stress, in a moment of cybersecurity crisis, and rightly over the last four years, state election officials, along with the Department of Homeland Security, did a lot of good work to harden the cybersecurity of state election systems, voting, voter registration rolls.
But still, if you're in this space, you have the sinking feeling that a sophisticated nation-state actor has probably moved on to something else, to a different form of attack.
And they did what they did in 2016.
So now we need to be worried about what it is they're going to do in 2020 that's totally different, totally new, different victims, which is why I said earlier, I used to tell my people all the time "think about the next attack, not the last one."
>> So I want to get to your views of what you think the next attacks might be and how our policy should change.
But first, I should ask you about what the response should be with the Biden administration coming in.
>> Assuming this was done from a Russian platform at the behest of the Russian government, the intelligence officials in the Russian government, then I think the response has to be twofold.
One, governments really don't like it when you sanction their people, when you sanction government officials or go after them criminally, even though it may be just in absentia.
The other is, I believe that for an attack like this, an in-kind response is appropriate.
In other words, you don't necessarily respond to a cyberattack kinetically.
Cyber for cyber to demonstrate our own capabilities.
Ultimately, Ian, when you're dealing with nation-state actors who are really sophisticated in this space, like the Russians or the Chinese, there is no complete line of defense.
We cannot erect a wall that will prevent all such attacks.
The way to end these attacks is simply to make the behavior cost-prohibitive, to put in place sufficient deterrence so that the rational state actor will say, "Hey, this is going to cost me too much if I continue on this path."
And obviously we have yet to do that with the Russians.
>> What would you like to see?
I mean, in terms of a doctrine of deterrence, which may not only include hit-back measures.
It could also include offensive capabilities.
What do you think it looks like for the United States and/or our allies?
>> Three things.
There is an overt attack like killing General Soleimani of the Iranian government in December a year ago.
That's overt.
It's in your face.
Then there is covert action where the target is not even sure where the attack came from.
And then there is that middle ground where something is technically covert, but you want the target to know it was me, but you leave yourself some room of deniability publicly.
And when you're dealing with cyberspace, very often the response is in that middle ground.
The other facet of your question which I would like to address is very often nation-states create for themselves some degree of separation with the bad actor so they can say, "Wasn't me."
And in my personal experience in national security, I've had very, very senior officials of foreign governments look me in the eye and lie to my face.
"It wasn't me.
It wasn't me.
It was some other guy," because they'd like to believe that by creating some form of separation, some degree of separation, some degree of deniability, they get to deny plausibly to their United States counterpart.
And so it's my assessment that foreign governments do set up these degrees of separation, which is a fiction in a way, so that when the bad actor goes out and does something, they say, "Wasn't me, wasn't me.
We'll try to bring them to justice for you.
But it wasn't me.
I'll come back with an investigation in about two years to tell you who it was, but it wasn't me."
And frankly, much of what you and I would consider warfare is conducted through proxies these days, through proxies in cyberspace, through covert action such that each side gets to try to pretend it wasn't them, which is why the Soleimani attack a year ago was something that was really eye-catching because it was the United States.
And we basically said, "Yeah, it was us.
What are you gonna do about it?"
>> So let me widen the aperture a little bit.
Four years ago, President -- then-President Obama invited President-elect Trump to the White House and reportedly told him that the biggest national security threat he had to worry about upon assuming the presidency was North Korea.
Here in 2021, how do you assess and prioritize national security threats to the United States and the incoming president?
>> Everybody's talking about China.
China is a multifaceted concern.
They are a competitor in many, many ways, economically, militarily and the like.
And because they are the other major global economic power in the world, I would rate China as the number-one national security concern of the incoming administration right now.
>> Jeh, there are plenty of things that we could probably talk about as how Trump has degraded American national security.
Can you tell me one thing in your view he has done to improve U.S. national security?
>> Great question.
I was on a panel where I asked somebody else the exact same thing.
>> [ Laughs ]
>> Well, two things.
One, I think under Jim Mattis' leadership -- and Jim is a good friend of mine -- this administration -- this outgoing administration did a lot to continue the effort we started under Obama to degrade ISIS.
They took the fight to ISIS in Iraq and Syria, and ISIS is all but obliterated.
So that's number one.
Number two.
I thought that this administration was clever and possibly a little lucky in striking the chemical weapons facilities in Syria.
In other words, they crossed the line so we responded without there being a serious response coming from the other side.
One could say that about the Soleimani strike.
I thought frankly and still think the Soleimani strike was hugely risky.
It turned out the Iranians' response was measured.
But I thought that was a hugely risk-- risky gamble to take to cross the line into overt warfare basically by taking out one of their general officers.
>> For an administration that hasn't done much of that actually, right?
I mean, over four years, generally speaking, that's one thing that you wouldn't say about them, yeah.
>> Correct, and the response was measured.
So whether it was just good fortune or it was smart decision making or whatever, I give this administration credit for the times it has acted in response to crossing a line in a way that did not have serious consequences.
>> And if you were to sit down, as I'm sure at some point you will, if you haven't already, to the incoming Secretary of Homeland Security, Alejandro Mayorkas, what sort of advice would you provide in this environment?
>> Where do I start?
Well, first, I would say, "Ali, I'm glad it's you, not me.
Welcome."
And... regrettably the immigration issue overwhelms whoever occupies that job.
The job of being Secretary of Homeland Security is border security, but it's also maritime security, aviation security, port security, cybersecurity, training federal law enforcement officials, Secret Service, protecting our national leaders, the Coast Guard.
I could go on and on.
But the immigration issue overwhelms everything.
And no matter what you do in the immigration space, you're going to make somebody angry and unhappy.
And so you do the best you can to make the best judgments in support of the American people, in support of our border security, our homeland security but be humane at the same time.
And that's a tough line to walk when you're facing pressure from numerous different directions, and appoint good leaders, appoint good component heads who will focus on all those other aspects of homeland security while you focus on the things that are drawing your attention.
>> So, before we close, you have said that you absolutely will not play an official role in this incoming Biden administration.
Why such a definitive statement?
>> I was just, you know, looking at the reality of things.
I was considered for Secretary of Defense by the president-elect.
It was a great honor to have that interview.
Frankly, this would not have been an ideal time for me to return to Washington for a lot of reasons, including personal family considerations.
But I could not have said no to the job of Secretary of Defense if asked.
And that's what I was considered for.
And right now, I'm happy in private life here in my Midtown Manhattan law office.
Life is good.
Perhaps sometime in the future I may have an opportunity to serve the country again.
But right now, I am content to practice law, pursue my hobby of model trains in the basement of my house in New Jersey and do public interviews like this one with you.
>> You heard that.
Do not count out former Secretary Jeh Johnson going forward.
Thanks so much.
Great to see you, Jeh.
>> Thanks, Ian.
Take care.
>> Before we go, something a little lighter.
It's time for "Puppet Regime."
>> Breaking news -- it appears President Trump has accepted his defeat after all.
As sources say, he is now actively testing the job market.
How is it going for him?
>> Look, your husband died.
It is what it is, okay?
You're not the only one suffering here, okay?
I had an election stolen from me.
Frankly, you should be sorry for my loss.
[ Buzzer ] Well, as you know, Jeff, I have a strong track record in this field.
♪♪ [ Buzzer ] There's a man with a gun in your house?
Well, you know, the liberals are trying to take that man's gun away.
Go ahead, ask him.
I'll wait.
[ Buzzer ] Okay, nobody knows more about the endovascular thrombectomy for the treatment of acute ischemic stroke -- I call it acute ischemic -- than me.
That I can tell you, okay?
[ Buzzer ] That's my toy!
What are you -- Give me!
Give me!
Give me!
Give me that!
Give me that toy!
No, this is so unfair!
[ Buzzer ]
>> Tough times indeed.
That 7% jobless rate is no fun for anyone.
But wait.
Sorry.
What's that?
We're hearing that President Trump has in fact found a new position.
What is it?
>> That's right, folks.
It's Big T's Bees' Knees Tonic for all occasions.
Cures COVID, kills liberals, helps your hair and keeps your skin looking like a baked potato.
Order now and I'll throw in three Brooklyn Bridges, two scotch golf courses, and a Mexican wall, because, hey, it's still infrastructure week, isn't it?
Don't wait, just hate, be great.
Call now.
It's -- >> "Puppet Regime"!
>> That's our show this week.
Come back next week, and if you like what you see, and I know you do -- that's why we have this very intimate relationship despite everyone else that's watching us -- check us out at gzeromedia.com.
