Hacking Democracy: Jason Healey on the Politics of Cybersecurity

From online privacy to massive leaks of classified government documents, data breaches have become part of modern society. But in recent months cybersecurity has become a new wild card in our nation’s political process.

Earlier this summer, the Democratic National Committee’s computers were hacked, reportedly by Russian state actors. WikiLeaks founder Julian Assange released a trove of Hillary Clinton’s emails, with promises of more damaging revelations to come. And in August, the National Security Agency’s own hackers may have had some of their own hacking tools stolen by, yes, hackers.

None of this comes as a surprise to Jason Healey, a senior research scholar at the School of International and Public Affairs whose cybersecurity expertise has made him a recognized voice on these developments.

“There certainly has been an increase in these operations, in part driven by the worsening global security situation,” he said. “As relations deteriorate, especially with the Russians, we’re seeing not just more intrusions, but far more aggressive operations. They used to care about being quiet, but now they either use proxies or don’t really care if they get caught.”

Healey, who joined Columbia last year, has spent his entire working life in cybersecurity in one form or another, starting with his graduation from the United States Air Force Academy in 1991. He turned down a coveted pilot training slot to compete for a job as a signals intelligence officer, where he would be among those focusing on this relatively new field.

“It was already getting presidential and other senior level attention, certainly less so than now,” he said. “But there was also an understanding that, from a national security perspective, this new field was going to be important.”

After leaving the military in 2001, Healey did two stints in the private sector at Goldman Sachs, where he helped create and plan responses to possible cyber incidents at the investment bank, and worked in the George W. Bush White House as director of infrastructure protection. He later joined the Atlantic Council, where he directed the Cyber Statecraft Initiative, a think tank. Last year, he was invited by the School of International and Public Affairs dean, Merit Janow, to join the faculty.

“A lot of the people are getting into the field only recently or only coming at it from an academic perspective,” he said. “I’ve had the advantage of having been a practitioner from nearly the start.”

Jason Healey

Position

  • Senior Research Scholar in Cyber Conflict Studies,
  • School of International and Public Affairs

Joined Faculty

  • 2015

History

  • Director, Cyber Statecraft Initiative, Atlantic Council, 2011-2015
  • Cybersecurity Consultant, 2009-2012
  • Vice President, Asia Crisis Management, Goldman Sachs, 2006-2009
  • Director of Infrastructure Protection, The White House, 2003-2005
  • Cyber Response Coordinator, Goldman Sachs, 2001-2003
  • Signals Intelligence Officer, U.S. Air Force, 1991-2001

Q. You’ve been in cybersecurity a quarter-century. Are there different, greater, risks today?

A. Our vulnerability is higher, our dependence on the internet is higher. More groups are involved. After the Snowden revelations, you heard the hardcore national security folks saying, “Hey, this is the way the game is played. How can you be surprised?” But this isn’t just the same old espionage played in a new place, this isn’t just the internet as a domain of espionage. It’s a new chapter.

Q. In what way?

A. The internet, and all that has followed from it, is the most transformative technology that has come out of human minds since Gutenberg. Alright, so it’s one of the top two or three—electricity is pretty cool too. It adds tens of billions to our gross domestic product, yet we still have a significant portion of Washington, D.C., the groups that have the biggest budgets, looking to say how can we continue to exploit this, by continuing to say that encryption must bend to government.

Q. You’re referring to the issues raised by the struggle between the Justice Department and Apple on accessing the phone of the San Bernardino killer. What is your view on that?

A. During the Apple case the government essentially said, “Look, we just want the information. We’ll give you a phone and a warrant and you give us the information and you keep control of the phone, you can keep control of the process.” That struck me as not a bad deal. You might get violations of individual privacy, but you don’t get something that I am more worried about, constitutionally, which is doing it one at a time with no explicit policy on how to handle it. And there is a policy, a presidential directive from January 2014, that when the government finds a vulnerability it tells the vendor, because it is more important to patch it than to keep it for ourselves. If the NSA, or FBI, doesn’t want to do that, they have to prove why. In the San Bernardino case, the FBI ultimately got into the phone by paying a hacker, and then it told Apple, essentially, “Sorry, we don’t know what the vulnerability is. We only bought the use of it.”

Q. You now have the government, and private industry, sponsoring hack-a-thons and paying rewards to hackers who find bugs in their software. Is this an efficient way to plug security holes? Is the marketplace an answer to some cybersecurity issues?

A. When it comes to stopping cyberattacks or resolving cyber conflicts, the government has very few levers it can use to make it better. Most of the problems are solved by the private sector. Looking back at the history of cyber conflict, it turns out the private sector has agility, subject matter expertise and the ability to directly control cyberspace. They are building and maintaining it every day, after all. Governments have almost none of those advantages. Rather they tend to have bigger budgets, more staying power, and access to other levers of power. The best solutions come from combining these two.

Q. You’ve worked on cybersecurity in the private and public sectors. Are the issues different?

A. Most companies are clear about what they want, which is they want to be secure. They may be conflicted about how much they’re willing to spend for it, or how much convenience they are willing to give up to their employees for better security. But those are conflicts all going to the same goal. So the government has those same goals. How do you keep the Department of Defense secure, or Commerce? The Department of Education has records of everyone who has taken out a student loan. There are all sorts of poorly funded agencies that have incredible details on us. But government also has this fight between how much do we want to prioritize defense for innovation, for the economy, for the health and welfare of our citizens, versus how much are we going to work against that so we can still spy on our adversaries, we can attack them when we need to, and we can catch criminals.

Q. What are examples of cybersecurity threats to companies?

A. They can range from denial of service attacks, to hacks of customers’ financial and personal information. There is a significant risk that research and development information can be stolen, and sometimes companies figure out what has been taken and may decide not to pursue research leads. Sometimes, what is breached isn’t necessarily a plan or trade secret, it could be a negotiating strategy. There’s an instance of a U.S. company bidding for oil and gas lots, and it found it was competing against a Chinese company that bid one dollar more. It’s difficult to find out how big a problem this is and what financial impact it has on the market.

Q. What is your research focus right now?

A. About half of it is on cyber conflict, deterrents and escalation. A lot of the military thinking on this, and other countries that follow our lead, seems very short-term. They’re not thinking about the response: what is the other side going to do? There’s a lot of debate on cyber deterrents, which just means that we want to scare the other guys so they stop. It is less about stability than deterrence: how can we do what we want and keep the other guys from doing what they want? As it turns out deterrence works against itself: If you brandish cyber capabilities there’s very little evidence that the other side will back down. Rather they accelerate their own capabilities and operations.

Q. Are you working on any projects within Columbia?

A. Matthew Waxman [a professor at Columbia Law School], Steve Bellovin [a computer science professor at Columbia Engineering] and I have won a grant through the Columbia Global Policy Institute to look at privacy and security issues. I also have colleagues at the Journalism School and Business School working on similar topics. And because I worked in finance and still have a lot of friends downtown, the dean asked me to work on the New York Cyber Task Force. It brings together a lot of financial cyber-executives and academics, from Columbia and people from Microsoft and other companies, trying to say, “Alright, how can we get the internet more defensible?”

Q. What has changed since you began as a signals intelligence officer 25 years ago?

A. What strikes me more is what hasn’t changed. When I look back at the things that we were preparing for then, versus what we’re looking at today, we were focused on what we could do to protect our communications from the bad guy, which in those days was the Soviets. How could we try to figure out their communications and their secrets, and protect our codes and ciphers and then try and break their codes and their ciphers. In those days the technology was almost entirely military. Now the same technology underpins the internet, it’s used for Facebook, on internal technologies used by global companies, or by all of us for everything all of the time. It’s the basis of our innovation, the basis of our economy.

—Interviewed by Bridget O'Brian

August 29, 2016