National and Information Security with Sue Gordon

ACME General: My guest today, Sue Gordon, served as Principal Deputy Director of National Intelligence and Deputy Director of the National Geospatial Intelligence Agency after having spent more than two decades at the CIA. She is currently an advisor to a number of organizations in the national defense and security space with a special focus on information security. Sue, welcome to Accelerate Defense.

Sue Gordon: I’m delighted to be here. Thanks for having me.

ACME General: Of course, we both share an alma mater, Duke University, Go Devils. Uh, so I’ve been dying to ask, how did a degree in zoology prepare you for the CIA?

SG: So, great question. First things first. I was actually hired to do analysis of Soviet biological warfare. So that makes a bit of, right, so that makes a little bit of sense, you know, critters, critters. But it was 1980 and it was a time of downsizing. And so I show up as a bright, shiny 21 year old and they said, sorry, that job’s gone. You’ve got 30 days to find new work. So, you know, it was kind of an inauspicious thought, but it turns out a Duke education allows you to take zoology and turn it into mechanical engineering. But truthfully, you know, it did prepare me because intelligence is inductive and so are the biological sciences, right? In the biological sciences, when you look at what a living system is doing, your proper assumption is to presume that what it’s doing, it’s doing perfectly. So you don’t judge it for whether it’s good or bad. You say, okay, let me figure it out. In a weird sort of way, that’s what intelligence is, right? It’s you look at something, you’re not gonna mirror image, you’re not gonna be smirking, you’re gonna say, what the heck is going on? And so it actually turned out to be a decent foundation for my career.

ACME General: I got to be honest, I did not expect you to have an answer for that. Um, that was pretty impressive. Uh, let’s get, let’s get serious. You were at the white house the day after nine 11, and it was clear to everybody that the world had changed. We spent the next 20 years trying to adapt to that new reality, succeeding in some ways, failing in many. And it feels like right now. We are in the midst of another sea change when it comes to national and global security. I’m not sure most Americans realize it. And when you speak to members of Congress and other decision makers now in government, how confident are you that they appreciate the dramatically shifting nature of the threats we now face?

SG: That’s a great question. I think increasingly everyone sees it. There’s a great Ted talk that’s about 10 years old now called After Midnight, it said, “‘We all went to bed and one time after midnight, “‘the world changed and when we woke up it looked the same, “‘but nothing we did before worked.'” So I think we’re starting to see that it’s different. I think what is… still elusive is that the only way we’re going to respond to it is to not keep dragging the past with us, you know, in a weird sort of way. We’re still dragging the Cold War decisions. We’re still dragging the counter-proliferation decisions, and we’re certainly dragging the counter-terrorism decisions, all of which consumed dollars and gave us the weapon systems and approaches that have been successful. The problem is this sea change is not going to be accomplished in the leftover resources. Right? We can’t evolve these systems and we can’t get to the future by just saying, okay, I’m going to maintain everything that I’ve done and with whatever’s left over, I’m going to be able to make this great change. I also don’t think they fundamentally understand how different this one is. You know, you talk to old warriors, and I guess I’m one of them, and what you often hear is, ah, this isn’t so different. We’ve been through changes before. Well, this is a big one, right? One, this is where every technology is available to everyone, and the one that puts it to use first is the one that’s going to win. And that means big installed are deleterious to that success. And so I think we still think about a massive competitive advantage in the technological sense, I think that’s eroding quickly if it still remains. I think they also don’t understand exactly what a digitally connected world has done. in terms of how fast everything moves. And that’s from information and wisdom to data, to what weapon systems can do. And then the last one is this is a data world where every threat goes to and through data. So every day that you can’t harness data quickly to produce effect is a day that you’re losing ground. So they see it and that’s good, but. I’m not sure they quite understand the magnitude of the shift that I feel.

ACME General: You said in a recent interview, simple technological superiority is not going to be enough. What do you mean by that?

SG: Well, a little bit of what I just said is that technologies are increasingly available. So simply having a capability isn’t going to be enough. In a weird sort of way, you see this a bit in Ukraine, right? Where if you evaluate capability, you say they’re going to march to Kiev in a minute. But even that engagement wasn’t just about capability. It was about geopolitics, harnessing it, coalitions, commercial systems integrated and kind of a combination of modern warfare and World War II all playing at the same time. So do you have… the wherewithal to not only fight, to deliver capabilities, to respond, and to innovate all at speed. And so, again, you know, you know, that point, just as I was talking about it, I do think the U.S. retains a significant advantage. and derived a bit from being a democracy, is that our fighting forces are more adaptive, they are better thinkers, our leaders have more autonomy. So I think there is a pretty significant plus hanging out there in terms of how adaptive our leadership and our forces are. But man, you gotta have the stuff. in place and you got to be able to implement it at speed in order to be successful.

ACME General: Well, I want to talk about a specific aspect of that when you laud the adaptability and the autonomy of our fighting force, which I couldn’t agree more with. Is that being harnessed by the systems of our national security apparatus, the acquisitions process, the innovation pipelines? Are we leveraging our greatest strength, which is the innovation of our people?

SG: Uh, probably not exactly as you described it, in that we have awesomeness in each of our cylinders of excellence. But the processes that either link or don’t link, or in some cases impede them, are actually minimizing the advantages. So let’s choose three domains. One is the budgeting process. You know, we really are just going to have to think differently and Congress is going to have to join us in terms of thinking about how fast advances move, how much this isn’t a hardware dominated world and so those processes aren’t going to work. How difficult it is, how fast technology is moving and therefore how difficult it is to into a budget. So the budgeting process is going to have to change. The risk processes are going to have to change a little bit because we’re going to have to figure out how to manage risk when you can’t test perfectly on everything in order to know exactly what’s going to work. And I think the combination of fast moving technology, digital engineering, and our amazing forces should be able to help overcome some of the reticence we have about putting imperfect out there. And I think then the last thing is, is we gotta think a bit, and I think this is something we don’t talk about enough, is leadership is really important now to have leaders that have a vision about what must. happen, not just turning the crank on the job that they have. And I think that’s just gonna have to be rebuilt up over time, is the vision piece that’ll do it. And I think then the last one is, I’m rambling a bit, and that is too many of our policies are written to keep bad things from happening. And they are actually impeding good things from happening. And I could choose just one really small example. And that’s technology transfer amongst allies. So we’ve just announced AUKUS. It’s a great idea of giving us a chance of superiority or at least freedom of motion in. the Asia Pacific, we want to share, but we are impeded by our tar regulations born of a different time that allow us, that keep us from sharing our technology with Australia. Well, wait a minute. We just said that we need to huddle together for warmth. So I think it’s a whole spectrum of things that are systemic, that are just require a change from protection to enabling as a dominating. thesis and I think we could get there.

ACME General: How much faith do you have in not just policymakers, but in our policymaking process in a democracy like ours with two-year election cycles and really short-term incentive structures? Do policymakers have the ability to think about the things you’re thinking about and still… keep their jobs, if you know what I mean.

SG: Yeah.

ACME General: It is an incentive structure, at least in our democratic form of government, that doesn’t really lend itself to over-the-horizon thinking.

SG: Yeah, I think it’s worrisome. I don’t think there are many good signs for a couple reasons. One, just how fraught the political discourse is now where you’re making decisions on national security based on politics that are outside that. And that is so different from what it used to be. You know, it used to be when the two parties came together to discuss national security. Yes, there was some tussling back and forth, but they still recognize that was sacrosanct. Now you see national security things going by the wayside because of… completely different political issues that just are being brought to bear. So I think that isn’t a hopeful sign, but let’s imagine that we can get past that. I think the other thing that’s difficult is… there’s not just an installed base in the government, but there’s an installed base in the defense industrial base outside. And so even when you have policies that want to allow new things to happen, some of the players who have benefited from the past approaches. have a lot of wherewithal to put pressure on their representatives to in fact maintain the status quo. And remember the present always has an advantage because you can prove that it’s good. The future is always going to be more risky because it’s uncertain. And so I think this issue of pressure by the industrial complex on the representatives to maintain the status quo is something that we’ll have to address. But again, there are some hopeful signs, you know, what Mike Gallagher is doing. Interestingly enough, China is becoming one of those kind of commonly held security and economic challenges that seem to be able to bring policies together. So I’d say, you know, this is a good time to use that crisis or that focus to try and make some advances in policy that will help us out. But a good example of your challenge, you know, when you say this policy community can come together, think how difficult it’s been to get cyber policy. organized and cyber policy through the various committees. You know, you would say, man, we’re having our hats handed to us, we ought to be able to get together, and even that is difficult to get through our policymaking communities.

ACME General: Let’s double click on that because you have fired a few warning flares on that issue, especially when it comes to the security of our information. Talk about StoreNow, Decrypt later, and what we need to be thinking about right now when it comes to computing power, AI, tangentially related, and the inability, it seems, of our security industrial complex to grapple with it.

SG: Yeah, it’s such a multi-dimensional challenge. Again, I think there are hopeful signs. I think what this administration has done, some good things in cyber policy, they’re getting some traction, they’re getting more defined. But I think this is just something that you kind of have to wrap your head around. And I’ll go through my taxonomy, which is this is a data world, and superiority is going to be with data, use of data and protection of data. We’ve seen it play out in the micro, but what’s happening now is the compute power and the software power is now going to say, not only can I take data, but I can manipulate it in ways that create tremendous advantage. And so even though we’ve been living this for a while, this moment is actually more consequential. So you got to protect your data. You just have to. And again, The day will come when even encrypted data can be unencrypted. And so thinking about how you protect that. And there’s great work going on in NIST that help with standards on that. So protect your data, assure your data. So this has really been highlighted by a lot of the advances in AI right now where We’re going to have systems that can use data. Are we sure that the data they’re using has not been manipulated and is not falsely used? And then the last is, I know there’s a lot of hype around AI, but the combination of the rate of advance, the number of people participating gets advanced, and the advance in computing power is going to mean that it could have tremendous advantage for… good outcome, almost regardless of whose perspective you’re standing on, but if you aren’t thoughtful about that, you have the equivalent potential of bad outcome. So I think to me the biggest thing, if I had one hope of someone taking away from this podcast, it would be everyone is a national security decision-maker. private citizens or national security decision-makers when they decide what information they’re going to promulgate, companies or national decision-makers when they decide who they’re going to take money from and whether they take… put decision makers who are not, do not have the same fidelity or how they decide to partner or share their information. This is really an important time where people look at it and say, in the data game particularly, we need everyone to be thoughtful about how they’re protecting and how they’re using data because this is not one that is disproportionately in control of the government. This is a challenge that is disproportionately resting on the decision-making of and a private citizen.

ACME General: How do we better incentivize the private sector and the private citizen to take cybersecurity seriously?

SG: I think we need to talk less breathlessly, but more directly about the challenge. I think we need to link it to the world and the systems we enjoy, because I think, I think in a weird sort of way, you have a Duke education too, so we both know the law of commons that is, or the tragedy of the commons that is this idea that there’s a limited resource that we all use if we all… husband of that resource will be okay, but if individuals start saying, you know, no one will notice if I take twice my share, that no one will notice when in fact, if everyone takes twice their share, the common resource will go away. We need to think a little bit about this. environment that we have and the ease and abundance we have is a little bit more limited than we are right now. And so I think we need to talk that way about it. I think standards for cybersecurity will help a bit. If you think back to when the SEC was formed after the stock market crash, that was a little bit this recognition that was happening in the private sector. Fraud mattered to national security. So you have the SEC set standard that becomes a regulatory body. And the private sector and say, okay, come up with accounting practices that are going to make sense. And since then, you know, you have Gap and Audit and things that have maybe not stopped fraud, but they’ve made us better. I think it’s time to do something like that on cybersecurity, because right now, when you don’t have something like that, everyone’s making their own decision because adding security is all cost. And for a business, this is not the time that they want a lot of cost.

ACME General: All right. Those all seem like defensive approaches to cybersecurity. Is there anything that can be done in the realm of deterrence when it comes to protecting our national secrets?

SG: Yeah, and I think yes, and probably two fronts. One is you have to have a pretty clear policy about what our national interest is, and you have to be able to articulate it in terms of… you know, deterrence isn’t what you say, deterrence is what you do. So you’ve got to first be able to say where we draw that line. And then you have to have the capability to both respond, but also create deterrence by what you do ahead of time to increase the cost of people crossing that line. There is no technologic challenge. to us mounting the kinds of active deterrence capabilities that would raise the cost of people aggressing. It just comes down to being sure that you understand the consequence of your action, that you can bear it. But this to me is 100% a policy decision about what we communicate and how we raise the cost. of those adversaries and competitors who would aggress against us. And there are ways to do it. And you’re seeing it. Well, no, you’re not seeing it. It’s going on. Even the FBI has done a lot of things that are making things harder in advance. But this is an ongoing battle. But just remember, it’s not a technological one. It’s more about what is the U.S. policy and can we bear the consequence of our actions? Do we understand them enough to be sure that we are achieving our effect.

ACME General: You said we need to have a clear policy when it comes to defining our national interest. Do you worry about the blending of economic security and military security and the potential that holds for blurring thresholds for military escalation?

SG: Well, I think what we have learned collectively is that economic security is national security. So one, the two are intertwined and ought be thought about collectively. And the reason I say they ought be thought about collectively. is let’s choose an example like 5G, where 5G was a perfectly fine economic decision for the companies that decided that they were gonna offline the baseband capability of communications because that wasn’t high profit. And it was allowed by our regulatory environment. But in fact, what it did is opened up for China to come in and basically own our stack. And that’s hard to come on. If we had thought about that as an important capability for national security, proportionally commercial and disproportionately economic, we might’ve made a different story. So I get your point about blurring the lines of escalation. I think you can’t avoid considering the two together because we’ve not considered them together for so long that we have allowed an economic route. to actual physical path into eroding our overall security. So I think you have to just be a little cleverer in terms of considering them in aggregate. So you don’t get that blurring or dilution. But I think the opposite of not considering both, when you consider threats to free and open societies, it’s a much more perilous path.

ACME General: It just makes the job of articulating to our adversaries what we perceive as a national security threat much more difficult. Is the theft of IP the kind of thing that would prompt a strike on a facility in China? You appreciate where I’m going with this, right? The lines are just so blurry now.

SG: they are blurry, but they’re not getting clear by pretending they don’t exist. So let’s choose another domain that’s hard for us to figure out policy in that space, right? So we are using and should use commercial space capabilities for security purposes, they’ve used in Ukraine. What does that mean if an adversary takes out a commercial satellite? How should we respond? Right?

ACME General: Yeah, that’s a great one. That’s a great one.

SG: And the answer is both of us got the stunned mullet look because we’re like, uh, right. But I would say, is a commercial capability of the United States the responsibility of the US government? Should we allow an attack on that? Well, no. We would say no. It’s commercial, but no, it’s still one of our assets and one of our assets. But what’s the response? Is the response to take out one of their? So thinking about cross domain responses is one of the ways I think you get past this blurriness. In other words, yeah, maybe a missile strike isn’t the only thing that you do when you had theft of IP, but there might be another response that is isn’t just sanctions, but is somewhere between the two. It’s a it’s a good one.

ACME General: Yeah,

SG: Heck, you and I maybe ought to go into government again and figure this one out.

ACME General: no, thank you. Um, I mean, it does prompt all kinds of thought experiments about the continuum of escalation. And, you know, if you take out a, a target in which no one has hurt, but the security infrastructure is damaged, what’s the appropriate response. And we haven’t really articulated that at least not in a way that is transparent to our adversaries, which is the most important thing to avoid that kind of escalation.

SG: I don’t think we have. Right. You know, I, you know, we, we played a war game once and someone said, someone took out a commercial satellite and I said, we need a policy that says you take out a satellite, I take out a city. That’s clear, right? But,

ACME General: Really.

SG: but, but it would be right. Whether you think that’s the right policy have and whether we could get by with it or not. I think, I think back to your point about deterrence, if we, if we’re not clear, it’s just going to be pushed back on. You know, we could play out, you know, kind of what Xi is doing in Taiwan, where even deterrence, we’re kind of nervous about because he pushes back on it to say that it’s aggression. And the effect has been, man, we’re drifting toward war.

ACME General: I wanna… push back on something you said about the national security citizen and this idea that we need an educated public when it comes to these issues because everyone is a national security decision maker. And I’m just wondering if that is too much to expect of the body politic. In an information economy as complicated as ours, what we’re really talking about is It’s not every individual voter. We’re talking about interest groups. They’re the ones that really have leverage when it comes to these complicated decisions being made in Washington. Do you make that distinction?

SG: Fair enough. Yeah, I think that’s right. I think that’s a great clarification. When it comes to immediate things that are happening in Washington, and immediate, you know, 10-year error circle around it, right? I think that’s gonna be interest groups that have the most effect. You know, though, I just haven’t given up on the voter. This system, almost every ill we see in the system can be affected by voters who understand what they’re voting for and the power that they have about who they send to represent them. In addition, again, have you figured out that I’m an optimist?

ACME General: We need them. That’s good. 

SG: In addition, I think that this who is feeling flummoxed by the moment as though nothing could be done. You know, things, yes, the volumetric issues that we have of a large distributed population who can get their information any way they want is really problematic. But I also don’t think it’s… unnecessary tilting to try and get them to see themselves as consequential and involved in their decisions. So, yes, probably not Washington decision-making, but fundamentally the citizen does have the power to say, I need better from you. Right? And so I don’t think pushing on helping to educate, include and inspire the populace. is a zero-sum game. I think it can actually have effect. It probably doesn’t take effect for 50 years, but you know what? Best time to plant a tree is 10 years ago or today.

ACME General: That’s a great thing to keep in mind. All right, I want to close with a couple philosophical prompts. As an intelligence professional, you don’t really get to decide what’s in the national interest. You gather, you analyze, you present, and it’s the policymakers, going back to the wisdom of the voting public, it’s their representatives that get to decide that. How do you approach situations in which your intuition or really deeply held views about that is in direct conflict with those you’re briefing?

SG: Yeah, it’s a great question. I think the way I, historically, every single day approached it was to try and make sure that we not only had good, useful intelligence to offer, but that it was presented effectively for the person that needs to hear it and to not leave the room until you were sure it was heard. Right? That, and there were tricks that I played for myself. I would go into a national security council meeting and I would say, my team right before I walked out, I’d say, what do I need to make sure that I say before I leave the room and what do I need to make sure they don’t misunderstand? So I, to me, it was always not just the best information, but it was also the communication of that. I do think that it is a really different information world now. Decisions are moving so fast and there are so many and there’s so much information that influences them that historically intelligence has been a bit sacrosanct where I deliver my intelligence and you make the decision over here. I don’t think we can allow that space to be as big as it is. So I would advocate for more involvement in intelligence further along in the decision-making conclusions. But at the end of the day, the Constitution does not say that the president has to be right or good. And so you at some point, and my response was always to make us better in response to how whatever president was reacting under the presumption that they wanted to do the right thing. It carried me through a lot of years.

ACME General: I could not agree more. I have to add in the context of our current political moment that the president doesn’t have to be right, but the president does have to follow the law and the president does have to follow the constitution. And we don’t need to pull that apart, but I know you agree.

SG: Big time. I could not agree more. Couldn’t agree more. I think on that point in this moment, you know, the minute the American people elect an individual, they are no longer that individual. They’re the president with a set of prescribed authorities. No more, no less, they’re employed just like I am. And so… I am really resolute on this point. If that person does not believe in the rules, then you’re going to have downstream people saying, well, I guess I need to put my thumb on the scale to get the outcome. I believe it. And it just all breaks down. So to me, it isn’t as much about an individual as our system requires that everyone within it understand that they’re not an individual with personal preferences, but actually they’re playing a role that are given to them by the American people.

ACME General: That’s right. All right. I want to end with one more philosophical reaction to your observation that we are living in a fundamentally different information world. If you as Deputy D and I had to choose between an information pipeline to… to provide policymakers with the tools they need to make decisions that was derived only from locked file cabinets in our adversaries intelligence headquarters at the FSB or wherever or all of the open source intelligence you could possibly want. Which would you pick given the world we live in now?

SG: So just to be clear, because based on how you said it, I think I could choose one and pretend that I didn’t have to choose. So one is only that which is collected from locked away places, or only that is openly available.

ACME General: Yeah, I’m trying to get a sense of how valuable the, go ahead.

SG: Yeah, so I think what’s openly available is massively valuable. and I would never choose to exclude it. I think there are special things that you get from our historic approach. I think there are amazing gains that are delivered by our classified systems. But man, the world knows so much now and with the amount of data, with the advent of computing and some of the… tools coming to be able to make use of it, you’re going to be able to infer a lot of intent by aggregate action. So in this world, I would never, ever, ever give up being able to use open information recognizing the value that the special stuff has to.

ACME General: Yeah, that’s what I was pretty sure you would say. And it is a window into this brave new world we’re encountering. And you know what? I didn’t intend it this way, but Aldous Huxley envisioned a world that had so much information in it, as opposed to Orwell’s world where information was controlled, that you couldn’t tell what the truth was. It was an abundance of information that was the problem. That was the brave new world. And it’s good to hear that at least one person in your position sees that is where the real challenge and the real value is. It’s this ubiquity of information out there. And for all the locked filing cabinets that have great secrets in them, a lot of our advantage, most of it sounds like, is going to come from our ability to parse what everybody has access to.

SG: Yeah, I mean, I just, when we talk about intelligence, we always think about the data. It’s actually the craft of using that data that is the foundation of intelligence. And so this is a world where we just need to apply that craft to all the stuff that’s around it, and then we win the day. I’m absolutely confident of it.

ACME General: Great. Sue, do you have any thoughts on leadership to close us out?

SG: This is a leadership moment. And leadership does a whole bunch of really wonderful things. It sets vision. It eliminates barriers. It pushes responsibility down. And it takes responsibility at the end of the day. It feels like we’ve lived in a world that we understood for so long that leadership got smaller. Let’s make leadership bigger at every level and we’ll be OK.

ACME General: Thanks, Sue.

SG: Thanks.