Podcast: Episode #11 - Kurt Sanger

March 3, 2023

On our most recent episode of the PrOTect OT Cybersecurity Podcast, we were thrilled to have Kurt Sanger as our guest. Kurt is widely recognized as a top-tier cybersecurity and national security professional, with extensive experience in legal and operational roles.

Kurt spent the last eight years of his career with U.S. Cyber Command, starting with the Marine component under Cyber Command as their senior attorney. He then moved up to Cyber Command where he held various roles, ultimately serving as their deputy staff judge advocate or deputy general counsel.

During his time at Cyber Command, Kurt and his team faced the challenge of navigating the absence of legal precedent in cyberspace, which left them without established rules or regulations to follow. They had to develop new laws and frameworks for the operations they were undertaking as they learned. Kurt and his team established the foundation of modern fundamental practices in this pioneering work. Their agility in adapting to the constantly evolving nature of cyberspace, and their ability to devise new legal frameworks, have established a groundwork for future cyber operations.

One of the other major concerns that Kurt faced as an attorney in cyberspace was the application of the law of armed conflict, which typically governs most armed conflicts and military operations. However, the law of armed conflict did not necessarily apply to cyberspace operations, as there was no immediate risk to civilians' lives, limbs, or significant property destruction. Kurt led the team to find new ways to apply the principles and values of the law of armed conflict to achieve similar results in cyberspace operations. They had to identify the values that needed protection and determine how to protect them, such as ensuring that cyberspace remained available for everyone's use, even though they were not protected by the law of armed conflict.

The under-reporting of cyber incidents is also a challenge to developing laws and regulation in this space. In many cases, people may not even realize that a cyber incident has occurred, and even if they do, they may not report it for various reasons. This is in contrast to physical activities, where incidents are often reported and commented on publicly, allowing for greater awareness and understanding of the event.

Another challenge is the lack of visibility into the decision-making processes, legal reviews, policy reviews, and operational debates in this area. In many cases, these activities are carried out behind closed doors, and only those with access to classified information are aware of the details. Even within the United States government, certain federal departments and agencies may not be aware of all the activities being carried out by others. This lack of transparency and visibility makes it difficult for stakeholders to fully understand and appreciate the complexities of cyber activities.

Regarding cyber insurance, it can serve as a valuable incentive for organizations to enhance their cybersecurity measures by transferring some risk to insurers. This can effectively reduce costs and minimize financial exposure. Insurers bring their expertise and tools to assist policyholders in bolstering their cybersecurity posture, even small businesses that may not have the necessary resources to protect their systems adequately. By sharing the risk with policyholders, insurers can apply their expert tools to enhance cybersecurity across the entire community, thereby benefiting all stakeholders.

Kurt also mentioned the need for regulation, but highlighted that it comes with a cost, including diverting work hours from an organization's primary activities and investing in tools to safeguard the system. Therefore, it is essential to strike a balance between regulation and the potential harm that can affect society. However, the lack of cybersecurity expertise in government organizations is a concern as it makes it challenging to develop appropriate and informed regulations and enforce them effectively. Furthermore, distinguishing between an organization's fault and factors beyond their control in cybersecurity breaches can be difficult, leading to organizations being unfairly blamed for circumstances such as facing a powerful adversary or having a system that invites malicious activity.

Kurt suggests inventive policy decision-making to find incentives for cybersecurity in the private sector. Tax breaks and insurance premium reduction could serve as incentives. Certification by a regulatory board can also provide special status and protection from critical activities in case of a cyber incident. Punishment is not the only solution to incentivize cybersecurity, and it is essential to find other ways because cybersecurity is a complex field that not all critical infrastructure owners may have expertise in.

It is imperative to address the need for cybersecurity professionals. With large tech companies' layoffs, approximately 40,000 cybersecurity experts have re-entered the workforce, presenting an opportunity to redistribute their talents to other critical tasks. While the National Security Agency (NSA) is attempting to attract these experts, other federal departments, agencies, and private sector organizations should also be actively pursuing them. It may require offering higher compensation, but their expertise is available and can prevent existential threats to an organization or individual's finances and reputation. Cybersecurity must receive the same level of attention as any other vital activity conducted by an organization or individual.

Kurt looks forward to the increasing cyber-savviness of future generations. With every passing year, people will be growing up with a greater understanding of technology and its capabilities than their predecessors, who had to rely on analogies to understand the beginnings of cyberspace operations. This bodes well for the future of cyberspace, especially in the military where cyber threats are a constant concern.

Reflecting on his time lecturing at the US Naval Academy, he met midshipmen majoring in cybersecurity and information technology. He believes these individuals will be better equipped to handle future cyber threats than he ever was, having grown up with technology as an integral part of their lives. This will be beneficial not only for cyberspace but for society as a whole.

The conversation wrapped up with Kurt’s thoughts centered on the transformative power of cyberspace and the internet, which can either unite or divide the world. He emphasized the importance of securing this space to enable people to conduct commerce with confidence, ensuring that their transactions are safe and reliable. Such trust can facilitate positive commercial, social, and political connections, leading to greater understanding among people with diverse backgrounds and ways of life. Ultimately, Kurt believes that securing cyberspace is crucial to fostering a more connected and inclusive world.

We appreciate Kurt for joining us on the podcast and sharing his valuable insights and experiences. We encourage our listeners to check out the full conversation on the PrOTect OT Cybersecurity Podcast for an even better appreciation of Kurt’s perspectives.