Former cybersecurity director, US Navy: Data is the new oil, we need to protect it

Former cybersecurity director, US Navy: Data is the new oil, we need to protect it

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of government. I’m thrilled to be joined by Kathleen Creighton, former director of cybersecurity for the U.S. Navy where she designed cybersecurity, IT and cloud strategy policy, and governance for 607,000 Navy personnel. Kathleen retired from the U.S. Navy in 2021 following a 33-year career, including six as a Rear Admiral. Currently, she is Independent Director for the ManTech Corporation, the West Bend Mutual Insurance Company, and the Military Women’s Memorial. I’ll be turning over the interviewing duties today to my Protiviti colleague Perry Keating, Managing Director, and President of Protiviti Government Services. Perry, I’ll turn it over to you to begin.

Perry Keating: Thanks, Joe. Thank you, Kathleen, for joining us today.

Kathleen Creighton: Thank you, Perry. It’s a pleasure to be here.

Keating: Wow, we’ve heard quite an impressive resume on your behalf. One of the things I didn’t hear Joe mention was that really—you’re probably really only in a handful of information warfare, community flag officers who specialize in cybersecurity, and IT, and network, and C4ISR capabilities in the Navy. Certainly, we are honored to have you here. What an impressive background. What do you see ss the biggest cyber threats facing the federal government today? What steps do you think leaders should be taking today to address this ever-increasing threat?

Creighton: Perry, there’s so many threats. You may think I would say something like misuse of AI, or supply chain, or compromised credentials. But I really think it’s a broader issue and that issue is the sheer size and complexity of government networks. They are just massive. For example, the DoD has the third largest IP space in the world, only behind the United States and Amazon. So, it’s a gigantic network. It’s not homogenous like a corporate network. It is—it has every variance. It has on-prem, in the cloud. It has IT. It has OT. It has weapon systems. It has autonomous vehicles. It is just incredibly varied and complex to command and control.

Having said that, what the government has done, and needs to continue to do, is to remove humans as much as they can from mundane tasks, automate use of machine learning, introduction of AI. Making sure that they know what’s on their network, what’s connected to their network, the VPNs, the trust, all the connections. Make sure that they have good situational awareness and all the things that go with proper network management, configuration, control, and all the different controls. It’s complex. It takes a skilled workforce to do it. I think they need to continue to automate and make sure that they can fight hurt. Also, they know they’re going to be attacked. They’re being attacked every day. They need to make sure that they can fight hurt and they build in resiliency and know how to segment parts of the network if they need to.

Keating: I noticed that you said AI and quantum computing, but that’s emerging, right? So, you’re wondering, is it emerging faster than we can keep up with? I guess, the question that comes to mind is that “Do we think AI, quantum, and these new emerging technologies, are they’re going to be a net positive or are they going to be a net negative from a cybersecurity perspective?”

Creighton: I don’t think we have the luxury to say whether it’s going to be a net positive or net negative. I think it’s just fact. It’s coming. It’s going to happen. So, we just we have to prepare. AI is already here but will be coming faster and faster. So, we need to get these technologies in the hands of the people who are defenders and let them experiment, let them use it and get comfortable with it, and let them train on it. Deepen the understanding that AI will be part of our crown jewels, right? It will be the thing we’re going to have to defend. It will be something we have to defend in critical infrastructure. So, I think we need to get on with it.

As far as quantum, that’s a huge game changer that it’s hard to get your mind around. A hundred-time increase—hundred million time increase in computing power. It’s mind baffling. So, it will make everything faster. It will make attacks faster. It will make defense faster. Of course, the concern that many of us have, or most of the government has, is its impact on cryptology, on the data that we have encrypted, and that our adversaries will be able to break that encryption much more quickly. So, I think in preparation for that the government needs to—and they are—but really needs to get serious about understanding their inventory of crypto. What types they have, what their purpose, what it’s protecting, the risk of those things, to be able to prioritize. Once they get post-quantum cryptology they’re going to have to be able to implement that quickly and do it based on risk.

Keating: Interesting. Interesting. I heard you talk about the need to remove people I almost wanted to chuckle, right? Always want a little job security [Laughter] but there’s no question that the government still is going to need—be able to have access to the best people trying to solve some of these challenges. From a talent and workforce perspective, one, do you think we have the skill sets that are needed? If not, where do we go get those skill sets and be able to retain that talent that would be so desperately needed?

Creighton: I didn’t mean to insinuate that we’re going to remove people. We’re just going to remove people from doing mundane tasks and put them on other more important tasks. Workforce is one of the key issues. It’s going to be hard but we’re going to be able to do it. We need to start with elementary school. My daughter, for example, went to cyber camp, and it introduced her to a lot of STEM things and cyber. Of course, she went on to become an English major so it didn’t work very well on her, but some kids at the camp hopefully came away that they wanted to pursue STEM. I think with the young people—I think with cryptology, there’s opportunities—I met a young woman this week who goes to a top university. She got exposed to national security and defense. She’s now going to go work for the Navy as a cyber analyst. So, there are patriotic people who want to serve, who want to do this type of work, and we need to reach out—we need to increase diversity. Even things like neurodiversity, right? There’s a three-letter agency where everybody jokes that, “Everybody looks at their shoes.” That’s how you know that they work there. Well, those people are—a lot of them are neurodiverse. We need to attract those people and realize that maybe they don’t interview so well because they have problems maybe making eye contact all the time. But, boy, they’re good at puzzles and analysis.

Keating: I think you provide a unique perspective. You certainly spent decades in the public sector and now you’ve spend some time in the private sector. Are there unique ways that the public and private sectors should be working together or public-private partnerships? Is there any advice or thoughts you had for both the government side of this as well as for the private sector side of this that you think might be helpful in this area?

Creighton: Yes, I think partnerships are incredibly important. The last 10 years in the government, we were really, really pressing on ways that we could partner with industry. especially with cyber threat vulnerability, working with all different types of organizations. I think as a country we’re at the point where we realize that the data is the center of everything. That this is the gold, right? This is the new oil. We need to protect that. The only way we’re going to protect it is through working together, sharing threat intelligence, sharing vulnerabilities, sharing knowledge, and building bridges. So, it’s incredibly important and it’s important that industry feels like they get something out of it and that both sides feel like they get something out of it. That isn’t just the government pushing out information and that the private sector is just like, “Okay. Thanks.” But that they both feel like they’re getting something out of it. I think increasingly they’re feeling that. Also, there’s education. That each know when something bad happens who is their point of contact? Who is your contact with the FBI? Who is your contact? Reach out to that person before you have an incident so that you know each other and you know you’ve already established that communication.

Keating: So, no doubt stakes are high. So, if you had to look out tp 2030, 2035, how optimistic are you? How pessimistic are you? What thoughts do you have? How do you see the future laying out?

Creighton: I’m an optimist. My glass is half full. I have no doubt that we will have compromises, that we will have data loss, that we will have critical infrastructure, compromises, that companies will have data stolen from them and they’ll have ransomware. All these things are going to happen. Hopefully, not too many people get hurt, not too much money is lost, but it will happen. I’m also confident that we’re going to learn from it and we’re going to adapt to it, and that as a country working together, public, private, that we can defend not only our intellectual property, defend our critical infrastructure and ensure our national security.

Keating: All right. Well, Kathleen, thank you so much for your time today. I really enjoyed our conversation.

Creighton: Thank you, Perry.

Keating: All right. Joe, I guess, we’re back to you in the studio.

Kornik: Thanks, Perry and thanks, Kathleen. Thank you for watching the VISION by Protiviti interview. Please rate and subscribe wherever you listen to podcasts and be sure to visit vision.protiviti.com to view all of our latest content. Until next time, I’m Joe Kornik.