San Francisco, Feb. 26, 2020 —
Defense Intelligence Agency’s Defense Intelligence Officer for Cyber James Sullivan spoke on the Agency’s cyber operations during a panel discussion at the 2020 RSA Conference public sector day in San Francisco, Feb. 24.
In its sixth iteration, the public sector day welcomed more than 500 registrants and featured 48 speakers during several keynote addresses, panel discussions and breakout sessions. Sullivan’s breakout session, “Digital Risk Management,” focused on federal agency efforts to minimize risk while taking advantage of technological advancements.
Sullivan talked about the cyber threat and how his role at DIA impacts the Department of Defense.
“The cyber domain is very much becoming an aspect of war and warfare in this country and globally,” said Sullivan. “The defense intelligence officer for cyber directs and oversees Department of Defense intelligence collection and analysis in order to help DoD better understand the strategic threat of our global competitors.”
Sullivan noted that organizations are often on the defensive when it comes to cybersecurity and it’s primarily due to a lack of understanding the adversarial threat.
“I think if you’re a network defender and you don’t understand your adversary’s interests in your networks and what their strategy is and what their intent is, then you’ll never fully get out from under network defense,” he stated.
He went on to discuss whether a defense-first approach is effective in the long term.
“[The United States] is a lot more centered on the defense than we are on the offense,” he said. “As long as we do not conduct a credible offense and we do not impose cost [on those attacking our systems] we will be playing defense for a long time and will eventually get exhausted.”
Panelists were asked to reflect on how advancements in technology often come with added vulnerability.
“In the U.S. government and the private sector … capability is always going to trump security,” Sullivan responded. “You’re always going to have these new technologies followed by these (adversarial) exploits.
So, what is DIA doing to mitigate the risks of capability versus vulnerability?
“One of the ways you mitigate the vulnerability is understanding your supply chain,” he noted. “DIA runs a supply chain risk management threat analysis center and they do a good job of looking at all the key vectors where an adversary … can penetrate the supply chain and actually get in embedded software. I think if you understand the tactics, techniques and procedures (of adversaries) of how they go about discovering and exploiting vulnerabilities, then I think that goes a long way mitigating risk.”
Sullivan concluded the panel by reminding the audience that everyone is vulnerable to the cyber threat.
“Don’t think that [your organization] is too large or too small to escape,” he said. “[Our adversaries] are watching and they are probing … and they want what you have.”
The RSA Conference is a five-day international IT Security forum held annually in the United States and in other countries.