Cyberthreats Will 'Get Worse Before They Get Better,' Former Homeland Security Chief Jeh Johnson Says

Former Homeland Security head Jeh Johnson was a keynote speaker at Legalweek at the New York Hilton Hotel in New York on Tuesday, January 30, 2018. Photo: David Handschuh/NYLJ

Despite all the talk and money being thrown at cybersecurity defense, an alarming number of massive corporate data breaches were disclosed this year. And, unfortunately, former Secretary of Homeland Security Jeh Johnson doesn’t think we’re close to seeing an end.

In fact, he thinks things are going to get worse.

Johnson, now a partner in the litigation department at Paul, Weiss, Rifkind, Wharton & Garrison in New York and Washington, D.C., and member of the firm's management committee, led the U.S. Department of Homeland Security under President Barack Obama from December 2013 to January 2017.

He spoke with Corporate Counsel on Tuesday about cybersecurity, the effort to overhaul U.S. export control rules, and trade tensions between the U.S. and China. The conversation has been edited for clarity and length.

Corporate Counsel: You wanted to start by talking about cyberthreats (attempts to damage or disrupt computer networks or systems) and cybersecurity. Let’s go ahead and launch into it.

Jeh Johnson: “In terms of the general threat picture, I believe it’s going to get worse before it gets better. I believe that those on offense are increasingly clever, aggressive and tenacious. And those of us on defense have yet to turn the corner. We struggle to keep up on the defense.”

It seems pretty bad right now. How much worse do you think it can get?

I think we’re going to find out. I think that large-scale attacks will likely become more pervasive. I think bad cyber actors will become more and more ingenious in ways that we cannot fully conceive as we sit here.

For example, this report that was given to the Senate Intelligence Committee in the last couple of days, I’ve been saying for quite some time now that we have yet to fully understand the extent to which the Russian government influenced public opinion in connection with the 2016 election. And this most recent report highlights the extent to which the Russians influenced what was on the internet. I think two years from now we’re going to be seeing the same thing when it comes to the 2018 election. And it will be a long time before we understand the full extent to which foreign influences had an impact on the 2018 midterms.

If you were the general counsel of a major American company, what would be the primary cybersecurity concerns that you should have today?

Any business that warehouses large amounts of personal data, whether it’s a bank or a university or a hotel chain, needs to be concerned about the intrusion and theft of that personal data by a nation-state, or a cybercriminal. That’s concern No. 1.

Concern No. 2 is having a team of cyber experts and having a sufficient level of cyber capability that can provide some sophisticated level of defense. There are vast discrepancies in the level of sophistication of those in the private sector.

No. 3 is impressing upon the other members of the management committee, the executive committee, the leadership team of that business that cybersecurity has got to be a core priority of the business. Just like the protection of your physical infrastructure, it’s not just simply an information security concern that you pass off to your chief information officer. It is a core part of the business to protect the crown jewels.

Can you provide tips to leaders in the in-house world about how they can have a more robust cybersecurity defense?

I would encourage attorneys for businesses to think proactively in advance of an incident. Too many of us are in a situation where we have to react to an incident. I would encourage in-house attorneys and senior legal officers to get out in front of an incident and ensure that their cyber defenses are as good as they can be. Not enough of our clients do that. 

It seems like it’s a weekly or even a daily occurrence that we hear about a massive data breach. Can you envision a future where that is not the norm?

I can envision a future where our cyber defenses are much tougher and the level of cyber intrusions and cyber attacks has decreased and we have turned the corner. But we have yet to get there. I’m optimistic for the future. This needs to be a national imperative with someone in the federal government leading the charge.

You don’t see someone leading that charge now?

It’s multi-headed at the moment. In the prior administration, I thought we did a good job of clarifying the roles of the various federal agencies through a presidential directive that divided the responsibilities between threat response and asset response. Threat response means you have a crime committed and you call the cops. Asset response means you call somebody to help catch the vulnerabilities and root out the bad actors. The way I used to describe it, former FBI Director Jim Comey is the cop, you call him for threat response. And I was the fireman. You called me for asset response. I thought the roles were fairly clear when you spelled it out that way. I fear that the current administration may be rethinking that all over again.

What are your thoughts on the push for federal data privacy legislation?

I do not have a view on the specific legislation, but agree that, either through self-regulation or government regulation, service and internet providers must do more to safeguard consumer privacy and educate the public on the potential uses of data that is entrusted to them.

What should the federal government be doing to proactively prevent cyber attacks?

When it comes to nation-states, the federal government must make cyberattacks cost-prohibitive. We cannot stop all cyberattacks by simply defending against them. There is no 100-percent effective defense.

On a different topic related to national security and intellectual property concerns, I’ve been speaking with international trade attorneys about what they’ve been hearing from clients during the current comment period on new export controls on emerging technologies. Many of them are saying that their clients are commenting now and want to stay on the sidelines. What has your experience been so far?

Congress, in enacting FIRRMA [Foreign Investment Risk Review Modernization Act] and in authorizing this pilot program, is attempting to update the law to meet an evolving threat picture. The theft of intellectual property, the theft of trade secrets, the potential infiltration of U.S. businesses by foreign influence, that has an impact on national security and is a real threat.

A lot of our clients are relieved and satisfied that there is a carve-out for U.S.-based investment funds. If the foreign interest is investing in a U.S.-based investment fund then that is exempt from the law. And, setting that aside, my sense is that a lot of the members of the business community are on the sidelines waiting to see how this program works. And while there may have been some initial concern about the impact of the new law, I think folks are now taking a wait-and-see attitude.  

I recently wrote about an apparent uptick in trade-secret theft enforcement actions by the U.S. Department of Justice against China. There were different thoughts on what was behind that effort. I’d like to hear your viewpoint.

There are ways for nation-states, even superpowers, to be deterred, to be convinced to forbear from a certain bad activity. You’ve gotta provide a sufficient deterrent to a nation-state from refraining from this type of behavior to make it cost-prohibitive. We cannot prevent all cyberattacks simply through a good first-line defense.

This also ties in with trade relations: Do you think President Trump would be overstepping if he were to intervene in the U.S. DOJ’s probe of Chinese telecom Huawei on allegations of violating sanctions with Iran?

I think a president should be very reluctant to intervene in any matter being handled by the Department of Justice, unless there is a serious, serious foreign policy implication.

How do you see the U.S. trade conflict with China ending?

This president is very transactional in how he views foreign relations. There does not appear to be an overarching foreign policy to the other superpowers in the world. It’s very transactional for this president. He’s a businessman. As far as I can tell, what this administration hopes is that by strong-arming other countries through tariffs, he can bully them into submission. We’ve yet to know whether that strategy is an effective one.
