WHEN: Today, Tuesday, January 9, 2024
WHERE: CNBC CEO Council Virtual Roundtable
Following is the unofficial transcript of a CNBC interview with U.S. Cyber Command Commander, NSA Director and Central Security Service Chief General Paul Nakasone and FBI Director Christopher Wray from the CNBC CEO Council Virtual Roundtable, which took place live today, Tuesday, January 9th from the International Conference on Cyber Security 2024 at Fordham in New York.
All references must be sourced to the CNBC CEO Council Virtual Roundtable.
MORGAN BRENNAN: David, thank you. And, General Nakasone and Director Wray, what an honor and a privilege to sit down with both of you today. Thank you so much for taking the time.
CHRISTOPHER WRAY: Great to be here.
GEN. PAUL NAKASONE: Thanks.
BRENNAN: There’s a lot to get to, but, first, I just want to start with what I realize is probably kind of a big, broad, open question. And, General, I will put it to you first, but it’s your geopolitical assessment. We know the world has become more dangerous. What does that mean in terms of the trajectory of threats, how they’re evolving and what that looks like if you basically go across the world and assess our different adversaries?
NAKASONE: Yes, I think I begin with really where our partnership begins in 2018 as I take over the National Security Agency and U.S. Cyber Command. We’re very focused on counterterrorism, violent extremist organization. First change I would tell you, pacing challenge, China, diplomatic, information, military, economic powerhouse that they are and understanding what they’re going to do. Secondly, I would say is that the other nation-state challenges that we have in the world, whether or not it’s Russia, whether it’s North Korea, whether or not it’s Iran, they’re still there, and they’re very, very focused. But I think, obviously, here being at Fordham today, and we’re talking about cybersecurity, scope, scale, sophistication, and speed of what our adversaries are doing today in cyberspace. This is where our partnership is so powerful. What FBI does, what NSA and Cybercom does, certainly, I think, gives value added to the nation.
BRENNAN: What does that partnership look like?
WRAY: So, our folks at FBI and NSA and Cyber Command are embedded with each other pretty much every day. So, it’s not just a question of people being on the phone with each other. It’s people literally working shoulder to shoulder on joint sequenced operations against a variety of adversaries, the Chinese certainly, the Russians, the Iranians, North Koreans, a variety of foreign cybercriminal actors and criminal groups. And it is kind of the essence of trying to get our two, the FBI’s two, together with their two, and have it equal more than four, try to find the synergies where we can really maximize impact on what are a very sophisticated, heavily funded and dangerous group of adversaries.
NAKASONE: I would tell you, it’s a personal connection, though. I mean, we’re talking all the time. It’s one of the things that I think when, yesterday, I was at the field office here in New York City, it was like, you know, Director Wray and Director Nakasone, we’re talking all the time. And you were just talking about is something that we have a lot of interest in.
BRENNAN: I mean, you both just laid out a number of different countries, different adversaries, as well as non-state actors. I guess where are the threats most acute? And how are those threats manifesting if you look at some of these different adversaries? And, General Nakasone, I will start with you, whether it is an Iran or a China or Hamas… and what we see playing out in the Middle East, et cetera?
NAKASONE: Well, let’s begin with where our partnership begins. It was 2018 with the security of the 2018 midterm elections. Three elections since, a fourth one coming up, I mean, this is what we have done in terms of looking at the partnership, but it’s also in terms of the domain of cyberspace. What gives our nation power is what we do overseas against a series of foreign adversaries, but also domestically what Chris and the FBI do here to make sure that victims are notified and being able to understand what adversaries are doing within the United States. And then the other piece, I would just say, is that, since the 7th of October this is exactly what we, as the National Security Agency and U.S. Cyber Command and the FBI, have to be ready for, is the fact that we’re global power and things happen. And we have got to be able to ensure that we protect American citizens and have insight on our adversaries.
BRENNAN: Have threats changed from a domestic standpoint or even just from a foreign adversary standpoint and how it’s translating here in the U.S. since October 7?
WRAY: I would go around the horn. I mean, certainly, the foreign terrorist threats have increased and intensified post-October 7, but we’re particularly concerned about the risk here in the U.S. of different kinds of violent extremists being inspired in some misguided and awful way by the conflict in the Middle East to conduct attacks here. We have seen since October 7 what I would describe as kind of a rogues’ gallery of foreign terrorist organizations all calling for attacks against Americans and our allies. And so the partnership, the deep partnership, that exists between the FBI and NSA and Cyber Command is incredibly important to that as well. But you can go around the horn, because the rest of those threats that Paul referred to, it’s not like they just took a breather when the foreign terrorist threat spiked up again. So, China, by far and away the biggest hacking program in the world, has stolen more of Americans’ personal and corporate data than every nation combined. If you took all of China’s cyber hackers and focused them on the U.S., which is their priority, if I took all FBI assets and said, forget Russia, forget Iran, forget cyber criminals, just focus on China, we’d be outnumbered 50 to one.
WRAY: So the scale of China’s hacking program, both from a cyber espionage perspective, a prepositioning in the event of a conflict at some point, and even on the influence side is very, very significant. Meanwhile, you got Russia, which remains a top cyber threat, very sophisticated adversary, in terms of espionage, attack capabilities, influence, major investments by the Russian government in cyber operations, because they view that as an asymmetric weapon, if you will, that they can use to try to keep up with us. And then you’ve got Iran, which shouldn’t be underestimated. It’s a very sophisticated, very aggressive cyber adversary. And they have, for example, they’re one of the only countries to have conducted a destructive cyberattack in the U.S., the other one being North Korea. And they have shown themselves to couple that sophistication with a level of brazenness that’s really outrageous. We have seen the Iranians target, for example, a children’s hospital in New England. So, put those three – and that’s just the nation-states, and before you start getting to the foreign cyber criminals, which is a place we spend a lot of time engaging as well, and you have got a pretty full plate for our teams to work together.
BRENNAN: I mean, there’s so much there for me to unpack. I think the first place I’m going to start is where you just left off, and that is, whether it’s Iran or others, hacking and attacks on critical infrastructure. How do you navigate that, especially when, in some of these cases, whether it’s a hospital or water infrastructure, it might actually be a private company, a private sector company that actually owns that asset? So what does that look like?
NAKASONE: Yes, I think that this is really – let’s come back to the equation that Chris talked about. Two plus two, we want it to equal 10. How do we get it to equal 10? Well, not necessarily in quantity. It’s in quality. It’s, how do we do things differently that are going to get after our actors? You mentioned the Chinese and our foreign infrastructure. The first thing we did is, we talked very openly about it. It’s transparent. We have published things with the FBI, with our Five Eyes partners, with Microsoft and other companies to say, this is what they’re doing. This is something that’s different that we do today. But I think the other piece of it is, is that we have to think differently about how we’re going to be able to have impact against our adversaries. And so we have thought about it in terms of our sensitive intelligence. How do we take that sensitive intelligence and perhaps provide insights to the nation, the world, businesses in terms of what our adversaries are doing? That’s different. That’s how we get to 10.
BRENNAN: OK, now we have generative A.I., which the whole world is talking about right now. It raises a question. Is generative A.I. a new threat within cybersecurity, or is it just compounding, accelerating, and proliferating the existing threats?
WRAY: I mean, the way I would look at generative A.I. is as a significant amplifier, both in terms of quantity and sophistication, of threats that are already out there. That probably understates it, but that’s the way I look at it, as opposed to a threat in its own right. It is a tool that enables a lot of these adversaries we have been talking about, nation-states, criminals, others, to have lower barriers to entry, to make their attacks more sophisticated, more credible, more pernicious. And so it raises its own share of challenges for our organizations working together, because, right now, the place where it’s most significant, that is, generative A.I. in the world of cyberattacks, is what I would describe as taking kind of junior varsity athletes and making them varsity. But we are rapidly approaching a stage where the varsity adversaries are going to be able to find enough value from generative A.I. to take their game to the next level. And that’s going to put this partnership at an even higher premium.
NAKASONE: And, if I might, we talk about the threats, right? And we’re very, very concerned and focused on the threats. Let’s talk about the opportunities of generative A.I. Our adversaries are using U.S. A.I. capabilities. That tells me that we have the lead in artificial intelligence. We want to maintain that lead. And being able to protect intellectual property of businesses, this is where the partnership, again, comes in. Protect A.I., how do we do that in terms of what the National Security Agency does with what the Federal Bureau of Investigation can do? Because this is our future. This is where we’re going to have a marked impact in terms of our economy, our national security, and other things.
WRAY: That’s a part of A.I. that I would just add on to, right? So much of the discussion has been on how bad guys can use A.I. and how we can use A.I. to defend. But there’s a key piece of that, especially in our lane at the FBI, working closely with Paul’s folks, which is defending American A.I. R&D, American innovation in A.I. I think 18 of the 20 most successful A.I. companies in the world are American. And you can bet your bottom dollar that foreign adversaries, especially the Chinese, are actively targeting that innovation, that intellectual property.
BRENNAN: So you’re working with those companies that are on the leading edge, American companies that are on the leading edge of A.I., in terms of protecting it?
NAKASONE: We stood up the Artificial Intelligence Security Center at the National Security Agency because we knew that we had to be able to do this, in terms of being able to provide insights, right, to understand what adversaries, what tradecraft or what techniques they’re going to try to steal your intellectual property. Hugely successful in the cybersecurity realm. We want to bring this to artificial intelligence as well.
BRENNAN: So, I mean, 50 to one, I’m still wrapping my head around that stat where the Chinese are concerned. How do you do this? How do you continue to stay ahead of what I imagine are very centralized, very organized, very resourced, and well-funded actors who are getting more and more access to more and more affordable capabilities?
NAKASONE: Again, I begin with you do it with quality, right? We begin with, what are the competitive advantages of what FBI and NSA and Cybercom do? Well, first of all is the fact that we understand what happens in our foreign adversaries and what they’re doing. And we’re able then to be able to communicate that and to provide insights to Chris and to others. That’s the first piece. But the second thing is, we have tremendous partnerships. We’re at the CEO Council today. I mean, these are partnerships that really matter. This is what our nation has, and being able to foster that, tremendously important. And then the last thing, being here at Fordham, great academic institution here at Fordham University. This is the exact same thing. This is where we have worked very, very hard for our academic institutions to understand what are the foreign threats that might be approaching them as well.
WRAY: I think that’s the key to your question. How do we defeat it? It’s through partnerships. It’s not just this partnership…
NAKASONE: That’s right.
WRAY: … between Paul and me and our folks. It’s our partnerships together with the private sector, with the academic sector, with our foreign partners. More and more of those partnerships are based on trust, shared values, and a desire to work together towards a common good. And that kind of partnership will beat what the Chinese bring to the table every day of the week.
BRENNAN: So we’re talking a lot about defense, but how do you also just deter? And I ask this question at a time where we do have these new capabilities, these new technologies. You do have more adversaries who are looking to attempt more espionage or more actual attacks and cybersecurity incidents. And then, of course, you have the proliferation of disinformation campaigns as well.
NAKASONE: Well, so, I think, first of all, I would add transparency to what Chris just talked about, right? We want to be transparent. We want to be able to shine a light on this type of behavior. This is why it’s so important that, when we work together, to be able to publish, to actually say, hey, this is what our adversaries are doing, showing that in a term that nation-states understand that, hey, we see you and we know exactly what you’re doing, and we’re going to call you out on it. That’s an important piece of what gets done. The other piece is, there are a number of different authorities that each part of our government has. How do we take the authorities that the Department of Justice has, Department of Commerce, Treasury, Department of State, and how do we use this as the package to be able to, as you said, deter adversaries in the future?
BRENNAN: So, of course, when we start talking about disinformation campaigns, which we know have become much more prevalent and arguably normalized, based on some of the academia and some of just the reports that I have read, that brings us into election security. We just came through the Bangladesh – it’s a huge year. Let me just step back and say, it’s a huge year globally in terms of democratic elections. We just came through the Bangladesh elections. We have got Taiwan this weekend. We have seen the use of deepfakes in certain elections, internationally speaking. How, whether it’s that and the role of A.I., whether it’s other threats, how is that helping to shape or inform, if it is, the potential threats that we could see in this election cycle here in the U.S.?
WRAY: Well, in one level, information warfare, disinformation, misinformation have been around for decades.
WRAY: And what you saw, of course, maybe a few decades ago or a decade-and-a-half ago was the use of social media as the next escalation of it. It wasn’t a new weapon. It’s just a new way of making that weapon more effective. Now, with A.I., it’s taking it to the next level, obviously, the ability for influenced actors to create more credible fake personas, more sophisticated false messages, to manufacture evidence that’s harder to discern as phony. And so, again, I come back to the importance of partnerships to guard against it, not just our partnerships, but there’s an important role for the private sector, for example, A.I. companies, which, many of which are very actively engaged in this fight to help detect deepfakes. The, in some ways, A.I. is quite good at detecting A.I. And so seeing the private sector invest its own time and money into trying to help detect some of the things that you’re describing, I think, is an important piece of it. Obviously, government partners, research community, et cetera, is another piece of it as well.
NAKASONE: Yes, I think I would just add, I mean, the private sector, as Chris said, that’s, we’re going to make sure that we understand where the trends are and where we can be impactful. But here’s the other thing. We have got a great example in the fall of 2020, when we see the Iranians using a type of deepfake capability that we’re able to then call out, director of national intelligence, Chris Wray in front of the country saying, this is what’s occurring. And it’s, it goes without saying, I think it was a pretty credible on a pretty important thing that we were able to do at that time.
BRENNAN: It does raise a question. I mean, you use the word evidence. And it’s, how do you tease out that evidence, and how do you do so at a time where these mis– these disinformation campaigns are meant to so distrust? You have maybe foreign actors who are on platforms or elsewhere. They’re sharing information and then it gets picked up and accelerated or reverberated by Americans as well. So, I guess, I guess, what defines disinformation? How do you parse it out?
WRAY: Well, to be clear, our role at the FBI is focused on the role of the foreign actors, as in the source of the information, not the content. We’re not the truth police. We don’t aspire to be. What we’re focused on is foreign intelligence services, hostile foreign intelligence services creating fake personas, attempting to persuade people that they’re something they’re not, right, appearing to be American, when they’re actually the Chinese, the Russian, or Iranian intelligence services. And so what we try to do together is ferret that out and then share it with people who need to know about it. In some cases, that’s sharing it very publicly, like I did with the Iranians and Director Ratcliffe in the, in October of 2020. It completely took the wind out of the sails of the Iranian effort because it exposed what they were up to.
BRENNAN: It does seem like there is this very active effort to get that information, that intelligence in a declassified way out in a much faster way. I mean, I even just point to the Office of the Director of National Intelligence making public in December the report looking at 2022 midterm elections too, which I think is, to me, it seems like a shift in terms of the communications and the ability to get that information out and sort of counter disinformation campaigns. All of this, though, raises the question. I’m going to ask a very basic question right now, because it, for better or worse, it has been debated in the last couple of years. And that is, are U.S. elections corruptible?
WRAY: Americans can have confidence in our election system. Most of the things that we have seen in terms of election threats, for example, in terms of cyber threats, are focused on parts of election infrastructure that wouldn’t have any impact on the counting of the vote, for example. But the bigger concern is the ability of foreign adversaries to create chaos and lack of confidence, even when confidence should otherwise be there, which then creates a, almost a futility effect for voters in terms of whether they think their vote’s going to be counted. So it’s not a question of the integrity of the election itself being impacted, so much as it is a question of affecting Americans’ confidence in it. And that’s why there’s, you have seen this trend that you have alluded to, I think, of the intelligence community trying to lean further forward in trying to shine more sunlight, if you will, on what we’re seeing from foreign adversaries, on the theory that the best way to build resilience in the system is sharing information, sharing information with election officials, sharing information with the public, sharing information with other partners who can take action.
NAKASONE: And I think the other thing that Americans should have confidence in is the fact that, this is our A-team. I mean, this is the best of what FBI has, NSA, Cyber Command, Justice, Homeland Security. And it’s not where we’re starting in a few months. We’re now. We’re doing it now. It’s something that we have thought a lot about. It’s a very, very ready blue plan, blueprint we have used previously, and we’re going to utilize it again.
BRENNAN: I do want to get into the private sector collaboration a little bit more, but first just one more question on this. And that is, I guess, the sunshine. I think you just used the word sunshine. How are, to the extent you can share, how are some of the ways that you are ensuring that we are going to have a strong, I guess, secure election process and, yes, I guess we will just start there.
NAKASONE: Well, I think I would start with our election security group at the National Security Agency and U.S. Cyber Command has already begun to take a look at what’s happened in the past, what’s happening today, and what may happen in the future. We’re asking the questions, Morgan, like, OK, what are the threats that may come up that we haven’t thought about previously? What’s the technology, and how might we be able to look at it? And I think the final thing is, what’s been successful in the past and what should we think about utilizing in the future? So, this has already begun for us.
BRENNAN: So, what has been successful in the past?
WRAY: Well, I will give you one concrete example. The level of engagement that we have had, for example, with state election entities has exponentially grown, both in terms of quantity and quality, over the various election cycles since we have both been in these jobs. And that includes everything from sharing classified information in certain instances with those officials, so they’re better equipped to figure out how to better harden their systems, better anticipate the threats, better protect. After all, the election infrastructure in this country is in the hands of the states. And so we view our role as trying to arm them with information, so that they can invest wisely in their own cybersecurity to protect against the possibility of disruption or interference.
NAKASONE: What’s been successful for us? Department of Defense is bringing in new partners, like the National Guard, 50 states, three territories and the District of Columbia. How do we ensure that they’re aware of what’s going on as they get called up by governors or they’re obviously in their local communities?
BRENNAN: I do want to talk about public-private partnerships a little bit more. Social media has been getting a lot of attention. I realize that we have this Murthy v. Missouri case that’s making its way through the Supreme Court. We expect to have a decision at some point here in the coming months. It’s not something that you can comment on. You have been very public about that. So, if I put that piece of the puzzle aside, how are you working with private sector? How can that continue to become a bigger piece of the puzzle?
WRAY: I think the key to our engagement with the private sector is sharing information with them, so that they can make decisions about how to better harden their own systems, their own networks, their own infrastructure. So, taking it out of the context of anything to do with elections, just putting it in the context of private-public partnership, from a cyber perspective, 85 percent of this country’s critical infrastructure is in the hands of the private sector. And if you look at our innovation, it’s higher than 85 percent, if you look at personally identifiable information, same thing. So the information that the adversaries want to go after is in the hands of the private sector. And as great as our partnerships are, we can’t by ourselves investigate and disrupt our way out of that threat. So we have to lean forward, which we are, in sharing information with the private sector, so that they can use their considerable resources to better protect themselves against the theft of intellectual property, against cyber intrusions, and against foreign malign influence.
NAKASONE: So, at the National Security Agency, we work as part of the Department of Defense, which has a responsibility for the defense industrial base. In 2020, we opened the Cybersecurity Collaboration Center outside the fence line of the National Security Agency to do specifically what Chris said. How do we give and how do we get from the private sector at an unclassified level? If 85 percent of the critical infrastructure is in the private sector, we have to be able to talk to them. We started with one partner. We have 850 partners today. It has made a demonstrable difference in being able to secure the defense industrial base. And this is the give-and-get and, at the same time, being able to understand what might be happening outside of what we’re being able to see.
BRENNAN: OK. There’s so much I want to get to, and we’re starting to run up against the clock here for questions from our CEO Council. But Section 702, Foreign Intelligence Surveillance Act, it’s been seen as somewhat controversial. Lawmakers punted the decision on this until April 19. You have both been pretty outspoken in terms of how important this is to national security efforts and intelligence efforts. I guess lay the argument out for me and why opponents who say that, privacy and civil liberties groups that have voiced concerns about inappropriate access and incidental data collection, why they’re mistaken.
WRAY: Well, first, in terms of the value and then in terms of the reforms to ensure compliance. So, in terms of the value, 702 is the tool that we probably most rely on to protect Americans from foreign terrorist organizations, from foreign espionage threats, from foreign cyberattacks. What a lot of people probably don’t know is that 702 is the tool that we rely on the most to know which cyber victims, as in which businesses, have been targeted by some cyber adversaries, so that we can rush out and warn them. And, often, we find that those victims don’t even realize they have been targeted. So, losing 702 means losing our ability as a country to protect American critical infrastructure and American businesses from those threats. On the terrorist organization side, post-October 7, as I mentioned a few minutes ago, we have seen a whole slew of foreign terrorist organizations calling for attacks against Americans and our allies. So, the idea that this country would unilaterally disarm and blind itself in our ability to protect Americans from foreign terrorist organizations, from foreign cyber adversaries, from the Chinese hacking program and espionage efforts makes no sense to me whatsoever. In terms of compliance failures, there have been compliance failures. We have owned our compliance failures. We have put in place a whole slew of reforms to address those. And the court, the FISA court itself and other outside entities have found that those reforms have had dramatic impact in terms of improving the compliance. It’s now at the level of 98, 99 percent compliance. And we’re not done. We’re going to keep going at it to push that compliance rate even higher. But the one thing we should not do as a country is throw the baby out with the bathwater. And I think we will live to regret it if we don’t reauthorize 702.
NAKASONE: I would just add, from my perspective, 702, it saves lives. It saves American lives. It is the most important authority that we use day in and day out to do just that. Whether or not it’s hostages, American hostages abroad, or whether or not it’s fentanyl coming into the United States, it is impactful. The second piece is, is that it is, from our perspective, the most transparent authority that we use every single day. We publish statistics. We own up to areas that we have fallen short in. We have executive, judicial, and legislative oversight of what goes on. And the last piece of it is, is that, every single day, I would tell you that, from my perspective as the director of NSA, it is the one authority, and as we sit here in New York City, that allows us to connect the dots and to make sure that our nation is secure.
BRENNAN: We talked a little bit about distrust earlier, but we have seen it. We have seen it among institutions. We have seen it among government agencies. How do you counter that? And I ask that at a time where maybe some of it, maybe some of it’s not deserved, maybe some of it is deserved, going back to changes that have had to be put in place around 702, for example, even just looking at some of the leaks we have seen over the past decade, or attempted leaks. I go back to 10 years ago with the Snowden leaks. But how do you, how do you, I realize it’s a long time ago, but how do you re-foster trust in these institutions and in the national security work that you are doing now in 2023 and be 2024 excuse me and beyond?
NAKASONE: So, I—
WRAY: No, go ahead.
NAKASONE: OK. Thank you.
WRAY: I got a lot to say, but I…
NAKASONE: Me too. Trust and confidence in American people, the foundational thing that we must have. I think it begins with being very transparent, in terms of being able to talk to the American people. As the director of NSA and commander of U.S. Cyber Command, I want to make sure that the American people understand what we do and they have confidence in the leadership and those that work out our agency and command. That is essential for what we do. So I think that it begins with just a broader dialogue than we have had in the past.
WRAY: I think the focus for any agency, certainly at the FBI, is on how we do the work. And so I’m constantly reminding our folks that the most important thing we can do to earn and deserve Americans’ confidence is to do the work in the right way. We can’t guarantee the outcome. All too often, in today’s world, people’s standard for whether or not they think an institution or a process was fair, objective, or independent is whether they like the way it turned out, whether their side won or lost. That’s not what independence and objectivity are about. What those are about is ensuring that we do the work in the right way. And I’m firmly convinced that, at the FBI and, frankly, other institutions, if we stay focused on doing the work in the right way, so that the process itself can’t be challenged, then we will be fine in the long run when people kind of ebb and flow about whether or not they’re unhappy about the outcome of a particular investigation or a particular case or anything else.
BRENNAN: Oh, there’s so much more I could ask both of you, and including we haven’t even gotten to talent yet. But I think we need to, I’m going to turn it back over to David, because I do believe we have some CEO Council questions. And I suspect they’re going to want to talk more about that as well.