Phyllis Schneck was in charge of U.S. cybersecurity for four years. She was in the White House Situation Room many times due to cyber attacks. The Spanish newspaper El Confidencial spoke with Schneck and published an article on July 13, 2018. The original, published in Spanish in the Teknautas section, can be found here.
Phyllis Schneck had just gotten off a plane coming in from the other side of the Atlantic. It’s lunch time and she only wants one thing: manchego cheese and Coca-Cola. “I’m allergic to a thousand things,” she says, excusing herself while she eats off her plate, looks at her phone and dodges questions about the U.S. President, Donald Trump.
Politics is another big thing she’s allergic to.
“I don’t talk about it. I was in the government but I’m a scientist, not a politician,” she said.
Even so, she’s probably the cybersecurity expert who has been in the Situation Room the most during critical moments, many of which have never been reported publicly. “How many times have I been there? Uff, many.”
Until mid-2017, Schneck was the chief cybersecurity official in the U.S. for the Department of Homeland Security (DHS). She was in charge of more than 2,000 people whose daily job was to stop cyber attacks launched against all government bodies and, if necessary, clean up the damage. And there were very, very compromising situations.
“The worst was when they stole the personal data of 23 million citizens by accessing the Office of Personnel Management’s database. How do you tell all those people that have worked as volunteers for the government that their personal data has been stolen?” Schneck asked in her interview with Teknautas.
Schneck has stopped working for the government and returned to the private sector where she came from. She is currently the managing director in charge of cyber risk at Promontory, an IBM firm, but her time in the Obama Administration working side by side with the CIA and the NSA on national cybersecurity matters has left its mark.
“What do I think of Snowden? He’s a terrible person!” she says with a laugh, proceeding to grab another triangle of manchego cheese. “He’s a national traitor.”
El Confidencial: How does a country like the United States defend itself against cyber attacks?
Schneck: With a lot of cooperation between agencies and government bodies. I was deputy under secretary and I was responsible for leading the cybersecurity strategy to protect the government. That involved working with the FBI, CIA, NSA, Department of Justice, Department of the Treasury and many others to coordinate the actions and messages that we gave in the White House Situation Room. We had to go a lot of times.
El Confidencial: How many times?
Schneck: Many times. I was sitting at the table a couple of times, but many times I was accompanied by Suzanne Spaulding, the head of the National Protection and Programs Directorate (NPPD). They called me to cover the whole technical and cybersecurity part. And it was not always because of a cyber attack. But I’m afraid that I can’t be more specific. If there is a big cyber threat, our work was to mitigate it and create teams to clean up the network while making sure the service was still available. When it happens, you have to answer a lot of questions, decide where the error was and agree on a stance as a government. Those are the types of decisions that are made in the Situation Room.
El Confidencial: Your mission was always defensive: avoid cyber attacks but not carry them out.
Schneck: Exactly. We had many ways of finding out if there had just been an attack or if it was imminent. For example, there was the victim, who would let us know. Or we would find out ourselves. The U.S. government has a very advanced system called Einstein that blocks ‘malware’ and all types of cyber attacks. We can look at the behavior of who is trying to hack us and see if it has occurred in other parts of the government.
El Confidencial: On various occasions Trump has stated that he wants to develop cyber weapons, not only defend the country, but also carry out cyber attacks.
Schneck: My objective was always defensive, I’ve never thought of the offensive part. And it’s difficult to say what is the correct balance. It’s not so much a money question, it’s more about thinking about what the consequences of something like that could be. We’ve known for thousands of years that people respond during a physical confrontation. What would happen if that confrontation were digital? It’s delving into unknown territory.
El Confidencial: But it’s something that’s already happened. You’ve worked with the CIA. Documents published by WikiLeaks last year demonstrated how the CIA created malware, trojans and all types of cyber viruses to infect third-party equipment for spying purposes.
Schneck: I don’t think I should answer that and I don’t feel comfortable doing so. My mission was the defensive part. The other part, the offensive, is something that I would need to think about for much more time before offering my opinion.
El Confidencial: You’ve also worked with the NSA. Edward Snowden’s leaks demonstrated that the NSA carried out massive spying on millions of citizens without their consent. What do you think about that?
Schneck: That’s the eternal problem: privacy versus security. The more data you have, the stronger your systems are to carry out work that people can’t do, such as analyze massive amounts [millions] of data in seconds and show only what’s important. There has to be a global debate about what can help us ensure that people have maximum security and maximum privacy at the same time.
El Confidencial: But it’s impossible to have everyone on a global level agree on this.
Schneck: It’s true. In the U.S. alone we have 49 different laws about data breach notifications. But there are already people that are starting to look at how this can be done at a global level.
El Confidencial: What do you think about Edward Snowden?
Schneck: Snowden? He’s a terrible person!
El Confidencial: Do you say that seriously?
Schneck: Of course. He’s a national traitor. We all read the news. The judges will determine what happens to him.
El Confidencial: In the 2016 presidential elections, hackers supposedly tied to Russia got into Hillary Clinton’s email account and the accounts of other members of the Democratic Party. Why couldn’t this attack be avoided?
Schneck: I can’t speak in the name of the U.S. government anymore, and certainly not in the name of the Russian government. But I think that those are very small matters when compared to a much bigger problem. We’ve destroyed our capacity to protect ourselves. We have incredible technology, super fast networks. If I send you something, you’ll receive it whether you want to or not. But many people could hack the phone you have right now and steal your data. We haven’t thought more broadly about how to prevent this from happening before creating all of this technology. And we haven’t thought about it for critical sectors like water supply, energy and financial services. How do we innovate and ensure that these new technologies don’t leave everything open and make it easier for hacks and cyber attacks to occur? It’s a fundamental matter.
El Confidencial: Do you believe the hacking of Hillary Clinton’s email was the beginning of Trump’s victory?
Schneck: I think it was a criminal act. If you execute an instruction on someone else’s computer without their authorization, it’s a violation of the law. End of story. I believe it isn’t appropriate for me to give my opinion on that act and its impact. The important thing is that it’s a crime. It’s true that it was a crime that woke up the whole world. That act made it clear that the systems we use are very vulnerable.
El Confidencial: What is the United States’ weakest point right now when it comes to cybersecurity?
Schneck: Physical infrastructure. When I was in the government we were very transparent about how the small and medium enterprises in the energy sector, and not so much the big companies, were infected with malware everywhere. It’s not that they weren’t worried about it, it’s that they didn’t have the resources to do so. The weakest point is the software that drives these physical systems, which opens and closes water valves and circulates electricity from point A to point B. All of that in control of an external adversary is very dangerous.
El Confidencial: And the most worrisome cyber attack you experienced?
Schneck: The WannaCry attack happened shortly after I left. I didn’t have to deal with that one. But there was a serious error in the Office of Personnel Management. An external attacker managed to steal private and personal data from 23 million people. Our team, along with DHS, led the response and mitigation. It lasted months. It was very complex. You had to analyze millions of pieces of data. The most difficult part was telling the citizens that had worked as volunteers for the U.S. government that their personal data had been stolen.
El Confidencial: Why did you leave your government job? Was it because of the change of administration?
Schneck: No. I’m a scientist, not a politician. I didn’t even ask after the change in administrations. I left a great job in the private sector. I was on the management team at McAfee and then later at Intel. They called me from the government for the job, [and] I did it for almost four years. And it was time. I wanted to go back to the private sector.
El Confidencial: In Spain, according to various reports by the CNI – the National Intelligence Center, Spain’s official intelligence agency – cyber attacks have not stopped increasing. We’re already ranked the third country in the world in terms of attacks. Who carries out these attacks and why?
Schneck: The motive is simple: money. It’s very difficult to ascertain who carries them out. Any country has the capacity to carry out attacks. Finding the guilty party can be a confusing game. I don’t like to blame countries without real attribution evidence, and that in the digital world is very complex. It’s very easy to cover your tracks.
El Confidencial: The same reports from the CNI state that in Spain we receive one cyber attack a day to our critical infrastructures for water supply, electricity, financial services… Is that a lot?
Schneck: That’s a curious way to measure it. I think the number of attacks is not as important as what happens. You can define an attack as executing an instruction on a third-party system that you don’t have permission to access. I can receive 20 attacks and have nothing happen. Of course, I want to know why they’ve occurred, but they don’t worry me. But a big one, like the one in Ukraine in 2015, when half of the country was left without electricity and heat during the winter, is the same as hundreds of the small attacks.
El Confidencial: In Spain, the government wanted to create a hackers cyber reserve made up of technology lawyers and social media specialists to act in the case of a cyber attack or threat. The country’s best hackers, however, don’t want to be a part of it.
Schneck: This is always complicated: how do you define a hacker? Is it people that are very, very good with computers? Or is it those who have entered systems without permission? If it’s the second description, we’re really talking about criminals. Is a government going to listen to a criminal’s opinion about what to do about criminals? Every time you gather a group of experts you have to think about this.
You can follow the author of the article, Manuel Ángel Méndez, on Twitter at @m_angelmendez as well as El Confidencial (@elconfidencial) and Teknautas (@teknautas). The AEGIS Project carried out the translation of this article from Spanish to English. We would like to convey our gratitude to Mr. Méndez and El Confidencial for allowing us to translate and share the article.