GZERO WORLD with Ian Bremmer
The Cyber Wars to Come
8/20/2022 | 26m 46s
The head of US cyber defense says the next decade will be decisive in the cyber arms race.
This week's guest says the next decade will be a turning point in the global cyber arms race. And she should know. Jen Easterly heads the US government agency tasked with defending the country from all cyber threats, foreign and domestic.
GZERO WORLD with Ian Bremmer is a local public television program presented by THIRTEEN PBS. The lead sponsor of GZERO WORLD with Ian Bremmer is Prologis. Additional funding is provided...
>> When you say things like critical infrastructure, people think it's a really technical term, but at the end of the day, it's the water, it's the power, it's how we get gas at the pump, how we get food at the grocery stores.
♪♪ >> Hello and welcome to "GZERO World."
I'm Ian Bremmer.
And today, the global cyber landscape has never looked so dire.
From Russian-backed ransomware attacks against America's largest oil pipeline, to that phone scammer who just won't leave you alone during dinner.
We're living in a brave new world, but before you change your computer password yet one more time, I'm here to tell you that it's not all bad news.
Despite the many threats that we face, my guest today is optimistic about the state of America's cyber defenses.
She should know.
Jen Easterly is director of the Cybersecurity and Infrastructure Security Agency, known as CISA, the U.S. government agency tasked with keeping our country safe from all cyber threats, foreign and domestic.
She joins me on our show today.
Don't worry.
I've also got your "Puppet Regime."
>> Monkeypox, monkeypox, monkeypox.
It's all I'm seeing now.
>> But first, a word from the folks who help us keep the lights on.
>> Major corporate funding provided by founding sponsor First Republic.
At First Republic, our clients come first.
Taking the time to listen helps us provide customized banking and wealth-management solutions.
More on our clients at firstrepublic.com.
Additional funding provided by... ...and by... >> Ever heard of Phreaking?
That's Phreaking, but with a P-H. Before there were computer hackers, there were phone freakers, hence the P-H -- it's mildly alliterative.
In 1957, Joe Engressia -- he was a blind 7-year-old boy with perfect pitch -- discovered that if he whistled the fourth E above middle C into a phone receiver, he could access the network's tone-operated switch lines.
Before long, Engressia and a growing community of Phreakers, as they call themselves, were whistling their ways into free long distance.
In the 1970s, a young Steve Wozniak was so enthralled by phreaking, that he decided to mess around on circuit boards to speed up the process.
And he started building so-called blue boxes that more easily made free and illegal long-distance calls.
And he teamed up with his friend to sell those boxes around the California Bay Area for 150 bucks a pop.
That friend -- Steve Jobs.
And he later told his biographer that if it wasn't for Woz's blue boxes, "There wouldn't have been an Apple."
That seems only fitting, doesn't it?
That so much of today's digital landscape can be traced back to some bored kids trying to beat the system and make a quick buck in the process.
Hackers helped build today's digital world, there's no question there.
But those who build can also destroy.
And the cyber threats we face today are rather more sinister.
According to the research firm Cybersecurity Ventures, cybercrime damages are estimated to reach $10.5 trillion annually by 2025, up from $3 trillion in 2015.
That makes it more profitable than the global trade of all major illegal drugs combined.
Measured in terms of GDP, cybercrime damages, which totaled an estimated $6 trillion in 2021, would constitute the world's third largest economy after the United States and China.
Sorry about that, Japan.
59 million Americans lost nearly $30 billion to phone scams between 2020 and 2021 alone.
Ransomware attacks, where a hacker locks a user or organization out of their own network by encrypting files until a ransom is paid, increased fourfold in 2020.
In fact, the 2021 Colonial Pipeline hack, which took down the largest fuel pipeline in the United States and created shortages all across the East Coast, was the result of one single compromised password.
Colonial ended up paying the Russia-linked hackers a nearly $5 million ransom to get the pipeline up and running again.
That's the thing about cyber threats -- just one open door, one gullible mark, one compromised password, can bring down a company or a country.
And we're not just talking about rogue actors.
U.S. adversaries like Russia, China, Iran, and North Korea have all developed their own sophisticated state-sponsored cyber criminal organizations at a breakneck pace.
So what can we do to protect ourselves?
And what can our governments do to protect everything else?
My guest today runs the U.S. government agency tasked with answering just those questions.
And she proudly brings a "hacker mentality" to the job.
Jen Easterly is director of the U.S. Cybersecurity and Infrastructure Security Agency known as CISA.
She joins me now.
Jen Easterly, thanks so much for joining us on "GZERO World."
>> Great to be here, Ian.
>> Tell us a little bit about what your organization is responsible for, your remit, both in the U.S. and globally.
>> It's actually the newest agency in the federal government.
We were set up in 2018 to really be America's cyber defense agency.
And our mission is to lead the national effort to understand, manage and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day.
When you say things like critical infrastructure though, Ian, people think it's a really technical term, but at the end of the day, it's the water, it's the power, it's how we get gas at the pump, how we get food at the grocery stores.
So it's really those networks and systems and data that underpin everything we need to run our lives.
And so we are responsible for working with our partners to protect and defend that infrastructure.
>> Now, I want that agency to exist and I'm glad that you're running it.
But of course, when you talk about critical infrastructure, in the United States at least, most of that is owned by, run by, managed by the private sector, not by the U.S. government.
And God willing, that's not going to change anytime soon.
How do you do your job effectively, given that you have no control over the actors that are actually doing the defending?
>> Yeah, it's the best thing about being the leader of this agency.
Because it's all about partnerships at the end of the day, as you said it, and that's the way it should be.
Over 80-some percent, the majority of critical infrastructure, is in private hands.
And so the challenges in this role are very different from other roles where I've been in the Army, overseas in combat, in the intelligence community at NSA and the White House doing policy, where arguably the federal government has monopoly power.
In cybersecurity, the federal government is just a partner, a partner with state and local colleagues and a partner with industry.
And so we have to work together collaboratively, realizing that government can't solve this problem, industry can't, state and local colleagues can't.
So we all have to work together to drive down risk to the nation.
It's very instructive.
Before I took this job, I was working at Morgan Stanley doing cybersecurity defense and leading resilience.
And when I was still there working on the transition, SolarWinds happened.
>> Experts believe Russia was behind the hack of a company called SolarWinds, sending malware to 18,000 private and government organizations.
>> And a lot of people took different lessons from SolarWinds, but the big lesson, one of the big lessons, that I took was that it wasn't the federal government, it wasn't the incredible intelligence community or some other capability that we've been building that discovered that massive espionage campaign that affected -- >> It was a cyber company.
>> It was a cyber company.
It was my good friend Kevin Mandia at FireEye.
And what that really told me is we have to work hand in hand with these companies to be able to see the dots, connect the dots and drive down risk to the nation at scale.
And that's what's behind things we've been building, like the Joint Cyber Defense Collaborative, some of the partnerships with all of the technology companies.
It's just a recognition that this is not something the federal government can do alone.
>> What is it that every member of Congress needs to know better so that you can do your job better?
>> I have been incredibly impressed, since I took this job, and encouraged frankly, because we live in a world, in a country at least, where partisanship affects a lot of things, but frankly it has not affected cybersecurity.
We have incredible support from both sides of the aisle and some real champions on both sides of the aisle, of folks who've gotten incredibly smart on cybersecurity.
There's some terrific support of people who've actually done the work to learn about these issues, so that they can help make CISA as successful as where we need to be in it.
And frankly you see it reflected in increase in budgets every year, increase in authorities, increase in responsibilities.
And that has been, again, incredibly encouraging.
And since I took this job over the past year, today's my, by the way, one-year anniversary, since I took this job, we have had support on both sides of the aisle.
>> Let me ask you.
You said that 80% of critical infrastructure is in the hands of the private sector.
I want you to give me your back of the envelope percentage, in terms of the significance of the threat environment from other countries as opposed to from criminal actors that are not affiliated with governments.
>> So the reason why I can't give you a great back of the number, maybe I'll say it's 50-50, Ian, but the reason why we don't have great data is because there has never been a mandate to report things like cyber incidents to the U.S. government.
And so certainly we see nation-state attacks, big breaches that make their way into the news.
Certainly SolarWinds, the attack we saw on Colonial Pipeline, JBS Foods, Kaseya software, Equifax a couple years ago, so those things that hit the news, you can...
The attribution ultimately comes out.
Some are nation-states.
The big four are of course China, Russia, North Korea, Iran.
And then you have a whole ecosystem of cyber criminals to include those who are deploying ransomware.
And some of those groups are aligned with nation-states.
Some of them are given safe haven, some of them have a sponsorship.
But very hard, given that we don't have a baseline of data.
It's why, again, going back to the Congress, they actually passed earlier this year a groundbreaking set of legislation, The Cyber Incident Reporting for Critical Infrastructure Act, which for the first time -- they've been trying to get this thing passed for over a decade -- for the first time there will be a requirement for critical infrastructure to report to CISA if they have a cyber incident.
So we can not only use that data to render assistance, to warn others, but also to get a much better understanding of what's going on, so that we can be able to react and respond and to drive down risk in a much more systematic way.
>> So a lot that we don't know, and we don't know because right now the incentives and the requirements to report are not close to what they should be.
On the China side, one thing that I've always found interesting is how behind the curve the Americans have been, the American government has been in assessing Chinese technological capabilities.
10 years ago, nobody in Washington remotely believed that the Chinese could be at parity with the U.S. in technology, in basic technologies, by 2022.
And here I'm talking about productive technologies.
I'm talking about parts of AI, I'm talking about voice recognition, facial recognition.
How confident are you that we understand China's offensive cyber capabilities that they could deploy against the United States?
>> I think we have a very good understanding of the major threats out there from adversaries.
We have huge capabilities, as you know, in the intelligence community.
We've been building capabilities to understand, from a military perspective, our North Star.
We are the defenders.
So, my whole life is about cyber defense.
But in order to be a good defender, we have to understand the offense as well.
And that's why my time in the intelligence community really has helped me be a better defender.
But, at the end of the day, you bring up something that I really worry about.
I worry about the next 10 years being a decisive time when we will be able to win the battle, or lose the battle, for technological innovation.
When you look at things like who is setting the standards for technology these days, most of the chairs and vice chairs of those committees are Chinese.
So the government has a very heavy hand in what are going to be those technology standards of the future.
I worry about things like, how are we going to get ahead of 6G, when we kind of failed to do it with 5G?
What about artificial intelligence?
What about biotech?
What about quantum?
One thing that I'm starting to put a big focus on at CISA, working with our international partners, is smart cities.
When you think about everything getting digitized, that's so great.
Everything's so much easier when everything's smart, but think about the risks of that.
And so there's so much that we need to do to truly invest in research, in people, in technology, in capabilities, to be able to stay ahead of this power curve when it comes to technology innovation.
>> Is it a plausible scenario that in the next 10 years the Chinese could become technologically dominant compared to the United States?
>> I think it's a concern.
I think it is a concern.
And so that's why I think we need to ensure we have the alliances.
We are building the right incentive models.
We are investing in the research to keep the edge on technological innovation.
I think it is not at all clear that we are always going to be dominant in that.
And that's why the investment is so important.
>> Now, given how much we're hammering the Russians, and given how badly they've been performing militarily in the field in Ukraine, does that also translate into Russia's cyber future?
That China's really where we should be more worried about?
Even though the Russians historically have been the bigger concern?
>> Yeah.
The certain answer is no.
You've heard the old trope that Russia is a hurricane, China is climate change.
And certainly if you look at the long term, when we think about the size of China, the investments that they're making in their capabilities, yeah, a serious long-term concern, particularly about some of the emerging tech issues that I just addressed, but they are both, along with Iran and North Korea, very formidable adversaries from a cyber perspective.
They have placed a lot of investment in all of their capabilities and in their people.
And we should not take the wrong lessons from the fact that Russia has not done as well as many of us expected militarily in Ukraine.
And so we have been, for several months now, running a campaign called Shields Up to help everybody understand that we are in an elevated threat environment.
We know that the Russian playbook is all about using cyber to go after critical infrastructure.
We've seen that many times in Ukraine.
We've seen it here in the U.S. And we need to be prepared to be able to respond to any sort of attacks, whether it's a direct attack on our critical infrastructure or whether it's a ransomware group that might be aligned that could give Russia some plausible deniability but could have a serious impact, as we saw in Colonial Pipeline last May.
>> Now, that was before the Russian invasion of Ukraine.
That was before the unprecedented U.S. and other allied sanctions against Russia.
I have to presume that we expect that there's going to be a full-throated cyber response, retaliation from the Russians.
But am I to understand that since the invasion of Ukraine, you have not seen significant cyber attacks, successful or unsuccessful, against critical infrastructure in the United States from Russia?
>> We have seen no cyber attacks, as we would say, on critical infrastructure, of any note.
That we know of.
Again, there are cases where there may be an impact, but certainly given our role in protecting and defending critical infrastructure, that would very likely have been something that came to us.
So no, we have not.
But we continue to tell all of our partners that we are not out of the woods.
We need to continue to stay vigilant and keep our shields up and keep focused on maintaining security and resilience capabilities for the nation.
>> Are you a little surprised by that?
>> I think I would've expected to see something at this point in time and obviously, there's a lot of thinking around this.
In my mind, there's probably two things.
So deterrence by punishment.
I think there's a little bit of a fear of escalation if there was some type of an attack here.
So certainly the warnings that have been given, I think most of the significant attacks have really been within Ukraine.
So I think there's a little bit of deterrence by punishment.
But I'd also like to think, Ian, that there's been some deterrence by denial.
I think we have really raised the red flag on this, given a sense of urgency -- we have briefed our critical infrastructure partners at all levels.
Thousands of people around the country, hundreds of briefings, we have briefed at classified levels.
We've worked with the intelligence community, who have been incredibly supportive, to aggressively declassify information that can be used in an actionable way to defend networks.
So I think part of this is really digging in on defense.
I think there's a concern about escalation, for retaliation.
And I also think there's just a huge focus within Ukraine, given that it hasn't gone as well as what was originally expected.
>> We haven't talked much about terrorist organizations.
Given the level of terrorist attacks that have been out there, why, you think, we haven't seen more effective cyber capabilities from major terrorist organizations?
>> Yeah, it's interesting.
My last job, before I went to Morgan Stanley, was as senior director for counterterrorism at the NSC.
And this was during 2013 to 2016, so this was the rise of ISIS.
All of the attacks around the world.
And it was a question we often wondered.
There were low-level attacks, things like doxing, so taking names and putting them out publicly, and threatening to go knock on their door and create physical harm.
But we have actually not seen any sort of development by terrorists of significant cyber capabilities.
And so when I think about the schema for what I worry about on the landscape, I worry about nation-states, because they are the most sophisticated, they are the most well-resourced.
I worry about cyber criminals because they have actually been able to raise their game significantly over the past couple years.
And they've made it easier, because a lot of these as-a-service tools, like ransomware as a service, are much more widely available.
So sadly that ecosystem has been democratized.
You'll have hacktivists, and we've seen a bit of that with the defacements and the distributed denial of service.
And then you have cyberterrorism.
And frankly, I always think of it as a low probability, but it is not a threat that is high on my landscape right now.
>> So then final question around that is, when I was growing up and you too, we were very worried about the proliferation of nuclear technology, weapons and capabilities.
And the Americans and the Soviets had arms control, but we also all wanted to ensure that the nuclear club stayed as small as possible.
We devoted a lot of effort internationally to that.
I don't hear, or see, us devoting a lot of effort to the prevention of proliferation of dangerous cyber capabilities.
And I'm wondering why you think that is and what can and should be done?
>> To state the obvious, it's incredibly difficult to be able to verify whether somebody is developing, or the amount of cyber weapons that they have in the way that we could actually verify nuclear capabilities and come together and have an agreement on a treaty.
In some ways it's even complicated, although I do think we're getting better at this, to attribute a cyber attack.
But again, in terms of developing these capabilities, you're exactly right.
There are many, there's dozens of nations now that have developed what we call offensive.
That's point one.
Point two is, these types of capabilities may start out for things like collecting intelligence, which is lawful in many cases, but then they can be used for destructive or disruptive purposes, which you certainly wouldn't want, particularly if it was against critical infrastructure or against cyber responders or against emergency responders.
And so we do not have those rules in place.
This is where I think -- And I'm a bit of a norm skeptic I have to say, but I do think at least articulating what we think should be absolutely out of bounds as a normative point I do think is important.
Things like civilian critical infrastructure, things like, again, first-respond capabilities, things like computer emergency response teams.
So I think that's probably the right direction to go in and the best we can do.
>> Jen Easterly, thanks so much for joining us today.
>> Thanks so much, Ian.
Great to be with you.
♪♪ >> And now to "Puppet Regime."
Move over, COVID, because there's a new disease sweeping the country and I'm not talking about dance fever, or am I?
Roll that tape.
>> God, can you believe this garbage?
>> What?
>> Monkeypox, monkeypox, monkeypox.
It's all I'm seeing now.
>> Oh, don't get upset, honey.
>> I am not upset!
But we were on a roll again, babe.
BA.5, bang, crushing it.
Now this little pox shows up and -- Do any of you remember who I am?!
Hello?!
>> Whoa, whoa, relax.
You're embarrassing me.
Listen, the humans will mess this up too.
And that means more disease.
And more disease is good, remember that?
>> How are they going to mess this up?
How?
They already have a vaccine, and this one, like, actually works.
>> Ah, but they don't have nearly enough of it.
Remember, people think only the gays can get this pox.
And, you know, Pride Month is over, so the streets are back to pretending the gays don't exist.
>> Ah, I guess it's true.
All those rainbow logos have been taken down again.
>> Look, why don't we call up Monkeypox and invite him over?
Here, I'll put him on speaker.
[ Dance music plays ] >> Hello.
>> Hi there.
This is the Coronaviruses and we -- >> The who?
>> "The who?"
The Coronaviruses, A.K.A. the greatest generation of pestilence since 1920!
Ever heard of it?!
>> [ Laughs ] Okay.
Okay, boomer, relax.
Have a good one.
Nice talking to you.
>> Both: That insolent son of a -- >> "Puppet Regime"!
>> That's our show this week.
Come back next week.
And if you like what you see, you're just worried about getting hacked and we all are -- it happens -- check us out at gzeromedia.com.