Vanderbilt hosted its third annual Summit on Modern Conflict and Emerging Threats from April 17-18. Centered on China’s relationship with and challenges to the United States, the summit featured keynote speakers General Timothy Haugh, commander of U.S. Cyber Command, and Christopher Wray, director of the Federal Bureau of Investigation, among other government leaders.
The Hustler sat down with Haugh to discuss his career, the U.S.’s cybersecurity infrastructure and international relations. Haugh also shared his advice for college students and tips for everyday Americans.
The Hustler: How did you navigate your early career and get to where you are today?
Haugh: My dad was in the Marines. He instilled an idea of service, and he served for five years, and then he went to college. He taught me the Marine Corps hymn pretty early, so the idea of service stuck. But when I started service, it was right about the time when the Soviet Union was really still our preeminent threat. I wanted to be an intelligence officer, and I thought I was going to be writing about the Soviet Union. Maybe I showed that I wasn’t going to be the best intel officer out of the gate because before I came on active duty, the [Berlin] Wall came down — and the world changed. Then as I came on active duty, I began to work with the National Security Agency. I realized that ‘wow, this is an exciting place to work,’ but I need a more technical background. I went back and got a master’s degree in telecommunications, and then the Air Force has allowed me to serve in intel jobs, in different disciplines and then cyber jobs that have really allowed me to work in both NSA and Cyber Command throughout my career. It’s just been a really wonderful opportunity to work with a lot of great people.
Where do you see cybersecurity within the U.S. and internationally going, in the near future? Obviously, it’s growing in relevance and prevalence, especially compounded by the resurgence or surge of AI, how do you see that continuing to move forward?
It really is about how we accelerate the partnerships so we think about U.S. national security. Cybersecurity will be foundational to our national security. It starts with how do we protect our economy and really at the core of our economy the ability of our nation to innovate. That innovation has been stolen by a number of nations targeting our intellectual property through cyberspace. So for us, within the U.S. government, it’s about who all needs to be on that team to allow us to have increased cybersecurity. That certainly includes the U.S. government. We want to be able to drive those things we are responsible for, but the partnerships with industry really are the foundation of cybersecurity inside our nation. So for things that go beyond when we think normally about national security, we ask things like ‘how do we protect water systems?,’ ‘How do we protect our power grid?’ That’s really done by state and local entities and industry. We want to be able to provide a really foundational set of understanding of what those threats look like. I think that’s a core role we can play that really helps our nation.
How does the U.S. compare to some of our adversaries — to China, for instance, Russia — and where else do you see us having to take steps forward to catch up or just combat some of that?
We are still the leader from our nation’s perspective — when you think about what it looks like in our industry, in our government and how we are able to leverage technology in terms of generating our economy but also our defense. The areas [in which] we have to make sure we sustain that is really through how we think about the public-private partnership. For the future, much of that’s going to be about: How do we collectively leverage compute power for both generating innovation within our economy but also from a defense perspective and the data that we have to process? Previously, we would have done that all internally. That’s clearly an area now where we have to leverage what it looks like to leverage the large cloud service providers that are able to generate, compute. What does that look like for us in the future? It’s an area that we’ve got to work really collaboratively [as] a public-private partnership.
We’ve seen recently new documents like AUKUS Pillar II. What other efforts have you seen the U.S. making to collaborate with foreign nations to increase these joint capabilities, especially when it’s meant to combat adversaries such as China, Russia, etc.?
Part of it is that we’re able to make partnerships. China doesn’t have that. To build a partnership with nations that are under the AUKUS framework, starting with Australia and the UK, and then other partners throughout the region are things that we want to do because there’s mutual benefit, to be able to protect not only our economies, but also how we view the world and the common set of values of democracy and freedom. We have the ability to make those partnerships, and I think you continue to see those within cyberspace. There are many areas that we contribute to with that. One of those is how we expose cyber threats. So when you talk about the China threat, one of the things that we’ve done is expose in really great detail exactly how China has targeted our infrastructure in the United States, as well as those of our partners, sharing that [information] at an unclassified level. So we can understand that threat and work collaboratively with other nations with our industry to be able to combat it. That’s a high demand item. The other one is how other nations, militaries begin to think about cybersecurity. So they will in many cases, ask CYBERCOM for partnerships so we can help accelerate their ability to defend themselves in cyberspace. That’s an area that will continue to grow.
You talked a bit about the national level and this international coalition building, but what about on the individual level? What can everyday Americans do to protect their data, especially when there’s a little bit of a knowledge disparity there? What are we telling them?
First, what we really spend time doing is: How do we educate our own workforce? Within the Department of Defense, how do we make sure people understand cybersecurity? And then how do we educate them to be able to bring that home? For us, that starts with things like…[handing] out pamphlets about how to secure your own home network. How do you secure your cell phone? What do you think about in terms of privacy settings on your phone? These are all conversations we need to have — we need to have it with people that we work with, but we also need to have it with our family and being able to also help them navigate what it looks like in terms of: What is spear phishing? And what does that mean if somebody’s going to target you to get you to click on a malicious link and steal your information and maybe some money from you? That’s at the personal level.
At the company level, there’s also work that has to be done when you think about ransomware and criminal organizations that are using cyber capabilities to extort dollars from businesses. How we think about cybersecurity and education really has to begin in every part of our educational system, but we have to continue it, and we should all be emphasizing with our families and the people we work with.
In some government organizations, we’ve seen the ban on TikTok, and how that exists. Obviously as a college paper, many of our readers, as students, love TikTok. Do you see that ban expanding to the U.S. as a whole? In your eyes, do you see TikTok as a cybersecurity risk for the nation as a whole?
Our role is really to articulate what the threat is. So for us, being able to identify — what’s the threat of our data being accessible by a foreign power? What is the threat from the potential manipulation of an algorithm within a company by a foreign power? What does that look like if we were in a crisis? What could that potentially mean for how both of those things and a platform could be misused? We want to communicate what the threat is and then allow policymakers and Congress to make decisions about what is the way forward, but we definitely believe that we’ve communicated what the threat is, and that will allow that decision to kind of play out. This [the TikTok ban] is one I think would be a great opportunity for everyone to understand: is an individual concerned about their data being accessible by another nation, on command? I don’t know that we’ve been able to completely communicate that in a way that allows everybody to really understand what that risk means. So I think it’s a really good question and one that is perfect for a debate at the university level that then informs the decision for our policymakers.
There are students on this campus that are interested in cybersecurity-related careers and going into the cyberspace field. What advice do you have for them given your role and all you’ve learned throughout your career?
It’s all about continual learning. What we found is a lot of the people that work in national security that bring cybersecurity emphasis is that they may start in one area, and it may start at writing code — but over time, they might become a leader in a work center, they might become somebody that gets really interested in the policy surrounding national security. It’s really continuing to educate, continuing to learn and then following interests. A career in cybersecurity today can lead you in so many different paths. Some of those can be in private industry, some can be in government, some could be in the military. Increasingly, we expect to see people being able to move throughout both industry and government to really help our nation in many different ways.
What about students who maybe aren’t super well-versed in the tech of it all, like those who want to pursue medicine? What do you say to students who recognize cybersecurity’s relevance but are a bit more detached from it?
I would just encourage anyone that feels like that to recognize that every discipline we have will, at its core, have some form of cyber engaged in it — whether it’s how AI is going to impact medicine or how an embedded operating system inside a medical device…[may] bring risk to either the hospital or the practice. All of it is a potential area that will have cyber implications. How do you protect your patients’ data? There’s going to be a cyber aspect to every role, and the earlier that education occurs will allow individuals to take advantage of that technology in a way that allows them to be more effective in whatever role they want to play.
Responses have been edited for clarity.