To hear Tom Ridge talk about it, there was no single come-to-hackers moment that made the first secretary of homeland security and former governor of Pennsylvania realize the importance of cybersecurity. Instead, he says, his enlightenment took place over the several years following the terrorist attacks on Sept. 11, 2001.
“It’s an evolution from an interest that began with technology, and the technology sector, and seeing the impact of technology on my companies,” says Ridge, who, according to a 2015 report in The Intercept, became wealthy by investing in cybersecurity companies after leaving the public sector in 2005. “The notion that you could help companies to be more competitive, and go back in the cybersecurity arena and continue to develop tools—both offensive and defensive, but particularly defensive—made a lot of sense to me.”
Ridge says he has been using his influence as a former politician to encourage more common-sense cybersecurity policy. To prevent threats and protect U.S. interests, he says, he wants to see modernized data sharing—and talent sharing—between private companies and the government.
Ridge says he’s also worried about the United States’ online interactions with other countries and global threat actors. He sees the country lagging in online development as other nation-states improve, and says American politicians “damn well should be” more aware of what’s at stake for the country.
Cybersecurity, Ridge says, “has everything to do with our national security. It has everything to do with privacy, as we see with Facebook and Cambridge Analytica. It has become an offensive tool in the hands of the nation-states, and a very effective tool for criminal organizations.”
What follows is an edited transcript of our conversation.
Q: The United States doesn’t seem to have a strong, guiding cybersecurity policy at the moment. What’s your take on why that is?
You raise an issue around what I consider to be a clear, present, and permanent danger; a risk to not only national security but economic competitiveness. When you look at the geopolitical arena—and we can point accusatory fingers because our tools of attribution are pretty sophisticated and credible—we know where attacks have come from. Holding people and organizations and countries accountable for those attacks is an entirely different matter.
Countries, including the United States, have used cybertools to advance sovereign interest. It was in our interest to slow down the development of nuclear capability within Iran. And digital tools, offensive weapons, and malware were used.
I forget what article of the Constitution says Congress declares war, but we’ve got a digital war going on right now, 24 hours a day, seven days a week. We know who the adversaries are. I’m just putting aside the criminal organizations that’ll get the personally identifiable information and use that to make a lot of money.
The concern that I have is that the time calls for, in my judgment, an entirely different relationship between the government and the private sector. Both are so interconnected and so interdependent that in the area of addressing cyberrisk and cyberexposure, it calls for a different kind of relationship—other than a punitive one.
The Securities and Exchange Commission and the Federal Trade Commission can be very punitive. But given how threats affect the private sector, upon which the federal government relies, and the federal government, upon which the private sector relies, we have to have a different kind of relationship.
Q: Where does U.S. cybersecurity stand on the geopolitical stage?
It is a pipe dream to conclude that we would ever have international norms that countries would agree to. They might sign an agreement, but is it ultimately enforceable? And so the notion that somehow we could reach some kind of geopolitical arrangement with regard to the use and abuse of online threats, punishing the abusers? Not gonna happen.
Q: You spoke of a different relationship between the government and private sector. Can you sketch out what that could look like? How would you advise groups to go forward?
I’ve gotta give this more thought, but off the top of my head, while we have some incredibly talented people working in U.S. Cyber Command and other various agencies and departments, we don’t have enough of them. There’s a shortage of manpower, writ large. The first thing I think the private sector and the government should do is, full square, figure out a way to educate and attract more young men and women into this arena. Not just STEM, but into the area of cybersecurity.
I’m a traditionalist when it comes to this, but we need to be more thoughtful. If the worst impediment that a young man or woman has on their record is having smoked a little grass or something like that way back when, let’s get over it. We are facing a clear, present, and permanent danger. There’s capability in the private sector that we need. Let’s take advantage of it.
What did President Clinton say? He smoked, but he didn’t inhale? I never did either, and we had plenty of it roaming around when I was in Southeast Asia.
Q: Beyond hiring hackers who’ve smoked a little, what else should the government do to recruit the best cybersecurity?
I’d like to think that we might figure out a way that you could bring some of the best and the brightest people into the government. Would Amazon and Google and Facebook and Cisco and other titans of the technological world be willing to loan not just executives, but also some of their talent pool, to work with the federal government, to build out defensive weapons? They could help build out capabilities that could be applied to the private sector too.
Should there be more digital-information sharing? In this hyperpartisan environment, I would like to think that the politicians would bury their ideology and their points of view at the door, and accept the notion that there’s an ongoing battle with nation-states and criminal organizations.
I think there’s an opportunity now. Zuckerberg’s probably gonna get the hell kicked out of him, but that’s nothing compared to the challenges that our defense industry has, and the utility industry has, and the financial-services industry has. People are pinging on their systems constantly, so let’s think about a different relationship, and let’s take advantage of all the talent, all the expertise out there in the private sector.
Q: How can the government be competitive with the private sector when we know that top cybersecurity talent can be incredibly pricey?
Listen, I don’t think they can. Here’s where we need some really thoughtful and resourceful and forward-leaning thinking from within the government and within the private sector. Would any department or agency have a problem with X number of people from different sets of companies coming in to their department or agency to take a look at their infrastructure, to make very specific recommendations as to how it should be changed, based on those recommendations made in collaboration with the existing personnel?
The problem is, there’s not enough talent within the federal government. The problem is, it’s still operating from more of a punitive than a collaborative standpoint. The problem is, we’re still not sharing enough digital information on a timely basis, and we can rectify and should rectify that disconnect because in this space, we are all in it together.
We have to think differently about how we can use all the capabilities. The manpower, the intellectual property, the resourcefulness, the creativity of the private sector to help secure not just the institutions of government, but also our economy.
If I’m Lowe’s, I can’t be too excited because Home Depot got hit. If I’m one bank, I can’t be too excited that the other bank got hit because there but for the grace of God go I—and I may be next.
The barbarians are no longer at the gate. They’re inside, and they’re exquisitely concealed. We need a different kind of model to deal with this threat. Maybe this dust-up around Facebook will be a catalyst to start that conversation. It’s more than information sharing. It’s more than data.
Q: Given your background and the struggles the government has protecting its own systems, what strikes you as the most important aspect of the complex voting-technology situation?
Well, you’re talking to a conservative Republican governor, but if ever there was an area where the feds and the states need to be collaborating, it is the area of securing the ballot. And I think there’s been some progress made in that regard, but again, it’s an opportunity, and I don’t want to underestimate the importance of the public discussion around Russia’s interference in our election process. It did interfere. There’s no question about it.
Q: Can you get the president to say that?
Well…he may grudgingly. In his heart of hearts, who knows? I think that everybody gets it. Putin’s forte was, and still is, destabilization.
And if our country spent as much time thinking about deterrents and defensive capabilities as we are about the politics of this digital assault on our democracy, we’d be a lot further ahead. Did Russians interfere? Yes. With the purpose of destabilization? Yes. Did Putin accomplish his goal? Yes.
OK, get over it. But also understand that he’s going to continue to do it. Other people are going to continue, and what the hell are we gonna do about it other than talking about what he did?
Abraham Lincoln talked about thinking and acting anew. Let’s think and act anew around this clear, present, and permanent danger that changes daily. Frankly, I don’t think that the government is doing enough to both educate and then to deal with it. We’ll never maximize our ability to reduce that risk unless we build a different relationship with our friends in the private sector.