Defensive line: interview with Brett Williams

When Brett Williams was flying F-15 fighter jets for the U.S. Air Force, he never dreamed he would become one of the nation’s leading cybersecurity experts. But when you answer the nation’s call, you accept whatever mission you’re given. For him, it was becoming director of operations at the U.S. Cyber Command, a unified combatant command launched in 2010 to strengthen the Department of Defense’s (DOD) cyber capabilities and expertise. Maj. Gen. Williams ended up leading a team of 400 people responsible for the global operations and protection of all DOD computer networks as well as the planning and execution of authorized offensive operations.  

During his time as an Air Force general officer, Williams served in significant senior executive leadership positions, including director of operations for the U.S. Air Force. He was also 18th Wing Commander in Okinawa, Japan, where he led the largest combat wing in the Air Force and oversaw a community of over 25,000 U.S. service members, their families, and Japanese employees. His 33-year Air Force career also included more than 100 combat missions as a F-15C fighter pilot.

Upon his retirement from the military in 2014, Williams moved into the business world, where he co-founded IronNet Cybersecurity. He is a recognized cybersecurity expert and sought-after speaker as well as a guest professor at his alma mater, Duke University, where he earned his B.S. in computer science. He also holds three graduate degrees in management and national security studies. 

Williams was recently a guest on DC Velocity’s “Logistics Matters” podcast, where he spoke with Group Editorial Director David Maloney. 

Q: How did you make the journey from military commander to cybersecurity expert?

A: I was in the Air Force for 33 years, 28 years as an F-15 pilot. Then I passed a highly selective screening process to move over to the IT and cyber world. I finished up at the U.S. Cyber Command and had broad responsibility for making sure Department of Defense networks were defended as well as planning offensive operations.

When I moved into this space about 12 years ago, I didn’t have any background in this field other than a 1981 computer science degree from Duke. But I put in the effort to develop a bit of technical expertise.

That’s something that I think is extremely important for business leaders to do. They can’t afford to delegate the risk decisions in the world of cybersecurity solely to the technical experts, whether they’re in-house experts or outside contractors. Leaders need to gain some relevant knowledge in this field so they can decide what is appropriate for their companies and what steps need to be taken. They need to be able to have an intelligent conversation with the providers of their cybersecurity services in the same way they do with everybody else on their leadership teams.

I encourage them all to spend a little time to get familiar with these issues so they can ask the right questions and make sure the answers they’re getting make sense to protect their businesses.

Q: We continue to hear about breaches of security systems, such as hacking and ransomware attacks. What are the biggest threats to our information systems right now, and where are they coming from?

A: There are two broad groups of threats out there. There are what we refer to as the “nation state threats,” and for the United States that continues to be China, Russia, North Korea, and Iran. And then there are the criminal groups.

I think the most important thing for people to keep in mind is that the worry is no longer about a teenager in his basement in a hoodie who is hacking for fun. Both the nation state threats and the criminal groups are well resourced and trained. They have vast expertise and tools, and they are deploying them broadly. I would argue that there is no company of any size in any sector that doesn’t have to consider the possibility that it could fall victim to a very advanced type of cyberattack.

Q: Along those lines, I think many companies feel that they’re too small to be threatened, that no one would bother to come after them. But the threat is real for everybody, correct?

A: That is 100 percent right and especially in the logistics and supply chain business. Every company that is part of that supply chain is a potential target.

Maybe you just supply some software that helps people manage inventory or maybe you’re a very large trucking or rail company that coordinates deliveries all over the country or the world—no matter how big or small your company is, you have a critical role in the supply chain that supports both our national economy and our national security. The people who are threats know that smaller companies are the least well defended, even though they are frequently a critical cog in this supply chain.

So, the first thing I would ask folks to consider is that you have a role in our national security. I would argue that your ability to make supply chains work and not bring risk is a national security issue, and I ask you to take it seriously.

Q: In what ways are our supply chains under threat?

A: The first thing to understand is that Covid brought the term “supply chain” into the vernacular and made people aware that disruptions to the supply chain are serious issues—including those who would seek to cause us harm, particularly those nation state threats I talked about. They know that if they can interrupt these national supply chains that impact our economy, our security, and our ability to “do” logistics, they can cause significant internal friction and really set us back on our heels.

Looking at the supply chain from a more tactical perspective, what you have to think about is that none of these companies operates alone. You have a supply chain that you rely on to make your business run, and, more than likely, you are part of a supply chain that makes another business run. So, as you look at your supply chain, you have to take it very seriously, particularly when you are sharing data or giving someone—such as a 3PL partner—access to your systems. What kind of security are those partners maintaining? How do you know if they are protecting your interests?

At the same time, you have a responsibility to do the same when you are providing services to another company. How are you protecting that data and ensuring you don’t become the security risk for that other company? You don’t want to bring risk to their operation, and there can be significant liability concerns if you somehow expose data or interrupt the operations of that company.

Q: If threats to our supply chains are a matter of national security, what are the potential costs to our country if our supply chains are severely disrupted?

A: Our adversaries are not going to attack us in physical space—say, in the South China Sea or someplace. They are first going to come to the homeland, if you will, and try to disrupt supply chains that maybe affect health care, or finance, or the delivery of critical goods and services. Or maybe they just get in and mess up things like our air traffic control system or the systems that control trucking around the country.

All of those have the effect of getting us to focus internally. They become political issues very quickly in our country, and the more we focus internally, the less we focus on those [actual] threats. That cultural issue to me is huge.

Then there are the real issues of not getting things to the places they need to be. That affects our economic system, which affects our national security. It is hard to think of anything that’s much more important than the supply chains that your [readers] support.

Q: Can you share some examples of how critical systems have been breached and the results of those breaches?

A: There was the attack called NotPetya that targeted Maersk, the giant global shipping agency. The total damages literally ran into the billions of dollars, and certainly Maersk wasn’t the only [company] that bore that cost, right? There were a lot of people relying on them. That was a system that was breached initially through ransomware and extortion, and then was completely locked up, preventing them from doing business the way they normally do it. We saw how quickly that cascaded through the global supply chain.

Another example was the ransomware attack on Colonial Pipeline. That one essentially targeted the company’s distribution and billing system. Colonial Pipeline could continue to move oil safely through the pipeline, but it couldn’t track how much went where.

About 25% of attacks in this sector of the economy are these types of ransomware attacks. So, make sure you practice good basic hygiene in your systems to protect them against ransomware. You can make yourself a slightly less attractive target than the next guy through basic security practices.

Q: What specifically should supply chain managers do to secure their systems and their supply chains against cyberattacks?

A: There are three quick things they should do. First, they need to identify their critical data. What data if it were exposed, manipulated, or destroyed and which system if it went down would have the biggest impact on their business? They have to prioritize their efforts to protect that data and those systems.

The second is to bolster password security by requiring two-factor authentication. The things people get very bored hearing about are nonetheless extremely important for basic security.

Then, number three, be very strict about identifying who will have access to your systems and have multiple ways to authenticate who they are and ensure that only authorized people are in those systems.

Then make certain that you have good backups for all your critical data and systems. These backups have to be done correctly. They can’t be connected to your normal system every day, because when the bad guys get into the system, they immediately look for a backup and then corrupt that as well. So, you really have to do backups and be careful about how they are managed.