Michael Chertoff is the Executive Chairman and Co-Founder of The Chertoff Group. From 2005 to 2009, Mr. Chertoff served as Secretary of the U.S. Department of Homeland Security. He will be speaking at the Aspen Security Forum and agreed to answer our questions on the range of national security threats facing our nation.
You wrote in a recent op-ed that if the voter fraud commission collects sensitive information on American citizens, it must ensure that the information cannot be hacked by criminals, foreign intelligence agencies, or other adversaries. Are there ways to guarantee this?
There may not necessarily be a way to guarantee that the information is impenetrable, but the US government owes it to the American public and to state election officials to demonstrate that they have a serious and sufficient plan to safeguard the data. As data-security experts will tell you, widespread distribution of individual data elements in multiple separate repositories is one way to reduce the vulnerability of the overall database. By centralizing sensitive voting information, the voter fraud commission would be creating a database of personal information that would be attractive not only to adversaries seeking to affect voting but to criminals who could use the identifying information as a wedge into identity theft.
The voter fraud commission should lay out to the American public a plan on how to secure this data. Important points to consider: where and how the data will be housed, whether the data will be encrypted, and which agency will be responsible for continuously monitoring the data to ensure the database has not been breached. Finally, Congress and the states should be advised on who will be granted access to the data and how they will be vetted to prevent the kind of insider theft that we saw with Edward Snowden.
What do you wish the average American understood about cybersecurity?
While we can’t prevent all cyber attacks, we can take basic steps to educate citizens about cyber hygiene. The recent WannaCry incident has shown that people don’t take the easy and obvious steps to protect themselves. Educating citizens about basic security measures – such as changing passwords, regularly updating and patching your smart devices, and understanding the threat of phishing attacks — will significantly reduce the impact of cyber intrusions.
We need to think of cyber hygiene like a vaccine for a disease. Individuals and companies that follow basic cybersecurity hygiene are more likely to avoid falling victim to a ransomware attack like WannaCry. Equally important is the need to educate citizens on an incident response program if their device has been compromised.
How can consumers of network-connected devices mitigate the security risks posed by the Internet of Things?
To mitigate risks, security needs to be built into the device by design – instead of tacked on at the end. Retrofitting security is imperfect and expensive. Manufacturers need to be asked questions about how these devices interact with the networks. Understanding the architecture of the device is critical to securing it.
I also think that people need to weigh the risk and benefits of a connecting a device remotely to a network. Every time you connect yourself wirelessly, you’re opening a surface area to attack. Growing risk surface requires manufacturers to develop, embed, and update protections designed to ensure that product benefits continue to outweigh the potential risks.
How will artificial intelligence (AI) security solutions influence national security?
Soon, artificial intelligence and machine learning will be integrated into most of our national security infrastructure. AI will allow us to incorporate, integrate, and understand the meaning of the data we collect at machine speed.
When it comes to border security, for example, machine learning will allow us to study a wide range of security data – potentially identifying threats connected to terrorist groups – in a streamlined fashion. CBP and the TSA currently collect and analyze certain data to evaluate travelers’ potential risks to aviation security and admissibility into the United States. Artificial intelligence will enhance the efficiency of processing the information available to US security personnel. Likewise, AI will lie at the foundation of our counterintelligence efforts against insider threats.
In your opinion, what currently poses the greatest threat to our national security?
In the immediate term, there is the impending threat of North Korea developing nuclear missile capabilities that could reach the United States homeland or US forces in the Pacific. North Korea’s near-relentless development of nuclear weapons and delivery systems combined with the regime’s isolated and hostile worldview poses a huge threat to our national security and the security in the region.
Russian aggressiveness in both the surrounding region and through its cyber-attacks and information operations threaten security of our allies. During the election cycle, Russia’s successful covert influence campaign aimed to stir up Americans’ distrust in our democratic processes. They will continue to target the European elections and, as intelligence heads have warned, they will be back seeking to disrupt our democracy in 2018 and beyond.
In the short term, we will likely continue to see crowd-sourced terrorism – either inspired or directed by the Islamic State. As the physical stronghold of the self-described caliphate diminishes in Iraq and Syria, ISIS will continue to broadcast its message through social media and its propaganda networks to recruit and inspire foreign fighters. This will continue to be a persistent threat to our national security.
Finally, cyber vulnerabilities will continue to be a risk to both the USG and industry in the United States. Cyber risk affects virtually every kind of enterprise. Considering different motivations — from terror plots to “hacktivists,” or just disgruntled employees or customers — the loss is potentially staggering.
Is there any opportunity for an Iran-style nuclear deal with North Korea?
North Korea is a complicated problem. In Kim Jong Un’s view, nuclear weapons and long-range delivery systems are as essential to regime identity as they are to regime survival. We need to apply tough economic sanctions we used against Iran. We may not be able to deter North Korea from becoming a nuclear power but we can certainly ramp up overt and covert efforts to slow the North’s technical progress and we can mount more aggressive sanctions against North Korean linked entities to raise the costs to the regime. These would limit (but not eliminate) the threat, but could also cause enough pain to lead to renewed negotiations in one format or another. We have not fully deployed the extent of our economic tools but we are moving in the right direction by pressuring the Chinese to play a role in this.
Now that the Iraqi government has declared victory over ISIS, what steps need to be taken in order to stabilize the country? What role should the US play in these efforts?
Before we determine a future role for the United States in Iraq, we need to fully understand why ISIS has gained traction there in the first place. The Sunni minority did not feel fairly treated by the Shia majority and some saw ISIS as a last resort.
All ethnic groups in the region need to be treated justly and fairly – otherwise the problem will recur because their grievances will not disappear. We need to think of the role of the United States from a rule of law and governance standpoint as well as a security standpoint. This is a case where soft power could yield a positive security result.
The views and opinions of the author are his own and do not necessarily reflect those of the Aspen Institute.