MODERATOR: Hi, everyone. Good morning. And thanks so much for joining today’s News of the Day Gaggle with National Security Communications Advisor John Kirby and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger. This call, as a reminder, is on the record. I’ll turn it over to John Kirby to kick us off.
MR. KIRBY: Hey. Good morning, everybody. Thanks for doing this during the holiday week. I hope, for those who celebrate, you all had a good Christmas and a peaceful and joyous Hanukkah season.
We are really lucky in this gaggle, this last gaggle of 2024, to have a guest with us today. As Eduardo said, our Deputy National Security Advisor for Cyber, Anne Neuberger, is on the line. Anne has an update on the Salt Typhoon incident that she’s going to provide. Then, I’m going to join. I’ve got a short topper on Russia-Ukraine that I want to share with you all. And then we’ll open up questions, and we’ll try to knock this out in about a half an hour and let you get back to your eggnog.
But, Anne, over to you.
MS. NEUBERGER: Thanks so much, John. Hello, everybody. And just echoing and repeating John’s happy holidays greetings to everybody and best wishes for a healthy new year.
So I wanted to provide an update on the Salt Typhoon incident as we’ve continued to work with the companies who were affected and as we’ve continued to better understand the techniques that the Chinese actors use to compromise our telecom infrastructure and what we need to do about it.
So, first — and then I will also provide a quick update on a rule that we’ll be posting shortly on the Federal Register related to the first update in 20 years of rules around protecting Americans’ healthcare data from rising cyber threats.
So, first, as we look at China’s compromise of now nine telecom companies, the first step is creating a defensible infrastructure. We wouldn’t leave our homes, our offices unlocked, and yet our critical infrastructure — the private companies owning and operating our critical infrastructure often do not have the basic cybersecurity practices in place that would make our infrastructure riskier, costlier, and harder for countries and criminals to attack.
So, the first step, as I’ve mentioned, is creating that defensible infrastructure. And what we’ve learned from the investigation, in fact, is that there’s four categories of things that are needed in this space: better management of configuration; better vulnerability management of networks; better work across the telecom sector to share information when incidents occur and the same techniques are used to compromise telecoms.
That’s why we stood up the Enduring Security Framework 60-day effort that involves all of the telecoms. Their CEOs signed off on their participating. And we are documenting rapid, high-impact efforts, bringing the best experts from the intelligence community, CISA, and the FBI, together with the best telecom security experts, to document what is needed.
However, we know that voluntary cybersecurity practices are inadequate to protect against China, Russia, and Iran hacking of our critical infrastructure. That is why the FCC launched their notice of a public rule. They’re waiting for all FCC commissioners to vote on that rule by January 15th, and we really are eager to have the bipartisan support across the FCC to ensure that telecom companies must put in place those basic cybersecurity practices that would make it harder, riskier, and costlier for the Chinese to compromise those networks in the future.
In addition, GSA is reviewing our government contracts to ensure that we’re using the power of government procurement to also require high-impact cybersecurity practices. And I would note that we would be following in the footsteps of Australia and the UK, who have already put in place telecom regulations because they recognize that the nation’s secrets, the nation’s economy lies on their telecommunications sector.
And when I talked with our UK colleagues and I asked, you know, “Do you believe your regulations would have prevented the Salt Typhoon attack,” their comment to me was, “We would have found it faster, we would have contained it faster, it wouldn’t have spread as widely and have had the impact and been as undiscovered for as long had those regulations been in place.” And that’s a powerful message.
In addition, I wanted to, as I mentioned, give an update on the notice that HHS will be publishing later today of a proposed rulemaking to modify the HIPAA security rule from 1996 to strengthen cybersecurity protections for electronic protected health information.
The proposed rule would add new cybersecurity requirements and improve existing security requirements, adding additional clarity and specificity. And this is — in the last five years, there’s been an alarming growth, 1,002 percent, in the number of Americans affected by large breaches of healthcare information, over 167 million individuals in 2023 alone. Since 2019, large breaching caused by hacking and ransomware have increased 89 percent and 102 percent.
And I must say, in this job, one of the most concerning and really troubling things we deal with is hacking of hospitals, hacking of healthcare data. We see hospitals forced to operate manually. We see Americans’ sensitive healthcare data, sensitive mental health procedures, sensitive procedures being leaked on the dark web with the opportunity to blackmail individuals with that.
And because of that, you know, the Biden administration, President Biden, HHS is committed to protecting the security of health information.
Given the significant increase in cyberattacks and common compliance deficiencies, HHS is issuing this new rule. And what I want to highlight is the security rule was first published in 2003. It was last revised in 2013. So, this is the first update to this 20-year rule in over a decade. And it will require entities who maintain healthcare data to do things like encrypt that data so if it’s hacked, it cannot be leaked on the Web and endanger individuals and monitor their networks, do compliance checks of their networks to see that they meet those cybersecurity rules. And I’m happy to go into more details or further questions later.
I want to hit the question of cost. While there would indeed be an increase in the implementation costs for the proposed rule, if finalized — and we estimate it would be $9 billion for the first year, $6 billion for year two to five — the cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences.
I’ll give just two examples. In 2023, the average cost of a breach in healthcare was $10.1 million. The two biggest healthcare breaches we have ever experienced, Ascension Health and Change Healthcare, both occurred in the last year, and you may have noted Change Healthcare noted that the cost of the breach will be approaching $800 million in the cost of recovery and the cost of operations, and, frankly, in the cost to Americans’ healthcare data and the operations of hospitals affected by it.
So, happy to answer questions. And with that, I’ll turn it over to John with warmest wishes for you for a happy holiday season.
MR. KIRBY: Thank you, Anne. And same to you. I appreciate that very much.
Okay, so what I wanted to talk a little bit about was the situation in and around Kursk. We now assess that North Korean forces are conducting massed — massed, dismounted assaults against Ukrainian positions in Kursk. And these human wave tactics that we’re seeing haven’t really been all that effective. In fact, we assess that they’ve resulted in heavy casualties for these North Korean forces. Our estimate is that, to date, they have suffered more than 1,000 killed or wounded in this particular fighting in just the past week of them fighting on the front lines. So, 1,000 in just the past week.
It is clear that Russian and North Korean military leaders are treating these troops as expendable and ordering them on hopeless assaults against Ukrainian defenses. These North Korean soldiers appear to be highly indoctrinated, pushing attacks even when it is clear that those attacks are futile.
We also have reports of North Korean soldiers taking their own lives rather than surrendering to Ukrainian forces, likely out of fear of reprisal against their families in North Korea in the event that they’re captured.
And I think it’s important to keep all this in mind and it all comes in context, of course, is the — in the early hours of Christmas when the Russians launched waves of missiles and drones against Ukrainian cities, particularly critical energy infrastructure. No doubt this was all about weaponizing winter and weaponizing energy, making it harder for the Ukrainian people to get the heat that they need simply to subsist.
That’s why we’re going to stay absolutely committed to making sure that we are bolstering Ukrainian air defense capabilities as well as other capabilities, of course. And I think you’re going to see — well, no, I know you’re going to see here in the next day or so, certainly over the course of the next couple of days, yet another security assistance package by the United States, approved by the President, which will include, of course, air defense systems for Ukraine to help them beat back against these attacks and also to help them in fighting in and around Kursk to beat back these North Korean waves, as well as continue their defensive operations against the Russians in the east, where the Russians continue to make some plotting progress.
So with that, Eduardo, we can open it up for questions.
MODERATOR: Awesome. Thank you. First up, we’ll go to the line of Mike Memoli.
Q Hey, John. Greetings from St. Croix. I hope you’re having a good holiday.
I wanted to ask about comments overnight from President Putin seeming to signal openness to peace talks in Slovakia. The prime minister had just been at the Kremlin and reiterated and made that offer to the Russians. What does the U.S. think of that possibility?
And secondly, if I can ask as well, I’m wondering if you can weigh in any more on how the U.S. assesses the possibility of Russia having downed that Azerbaijan jet. Obviously, we had a statement yesterday, but how — if there’s anything more you can say about how the U.S. came to that assessment.
MR. KIRBY: So, on your first question, we have always said from the beginning: Nothing about Ukraine without Ukraine. Ukraine has got to be center stage when it comes to any kind of negotiation. We’ve also always said that any other nation that wants to get involved in helping a negotiated settlement in this war needs to be in complete lockstep with President Zelenskyy and the Ukrainian people. He gets to determine if and when he’s ready to negotiate, and he gets to determine the circumstances and the conditions under which he would do that.
The last thing I’d say, Mike, is that Putin’s comments are pretty vacuous. I mean, he has shown absolutely zero interest in a negotiated settlement. I mean, as I just said — mentioned in my topper and you saw the statement by the President, I mean, just over Christmas Day he’s launching waves of missiles and drones against Ukrainian infrastructure. This is not a man who anyone should take seriously when it comes to saying he’s ready for a negotiated settlement. He has proven quite the contrary in almost every single possible way.
So, again, we would obviously want to make sure that if and when it comes to a negotiated settlement, no matter who hosts that settlement, that it is done in full concert with President Zelenskyy. And in the meantime, until he’s ready, we’re going to make sure that he can negotiate in the best position of strength, which is why, as I said earlier, you’re going to see yet another presidential drawdown package here in coming days that will continue to bolster his ability to defend himself.
On your second question, I really don’t have anything more to add. We do have — have seen some early indications that would certainly point to the possibility that this jet was brought down by Russian air defense systems. That said, there’s an ongoing investigation right now. Kazakhstan and Azerbaijan are conducting this jointly. We have offered our assistance to that investigation should they need it, should they want it. But we’re going to respect that process, and I really don’t have anything more to add.
MODERATOR: Next up, we’ll go to the line of Dustin Volz.
Q Hi there. Thank you so much for doing this. If I could just go back to Anne on Salt Typhoon. Thank you for the update. This ninth U.S. telecom victim, I was just wondering if you could give any more details on sort of the timing of that discussion, (inaudible), you could clarify sort of how recently that was detected, and if you anticipate that more victims will continue to be discovered as this investigation continues. Thank you.
MS. NEUBERGER: Thanks, Dustin. So, one of the steps we took early on was to release two guidance: one, a hunting guide and a hardening guide. And the hunting guide essentially captured the Chinese techniques, and it went out to key telecom companies to have them look for those techniques on their networks and call in for help if they discover it. So, from that, yes, a ninth company was identified.
And the hardening guidance is its companion. As we’ve been working with key telecom companies that were affected, on the hardening guidance, we’re now refining it based on what we’re learning. I mentioned that’s why we stood up the ESF effort, because we see that very specific things would actually make it riskier, costlier, and harder for the Chinese, managing the management plane of the network, treating configuration management differently, segmenting the network.
One of the things that happened is the Chinese gained access to networks, essentially had broad and full access. That’s why they’ve been able — we believe that’s why they had the capability to geolocate millions of individuals, to record phone calls at will, because they had that broad access.
So, some of the recommendations, some of the requirements that we’re looking for the FCC to include include segmenting the networks. Even if an attacker like the Chinese government gets access to a network, they’re controlled and they’re contained.
MODERATOR: Thank you. Next up we’ll go to the line of Karen DeYoung.
Q Hi. I wanted to ask about Yemen and the Israeli strikes against the international airport. I wondered if the United States is in agreement with that, targeting those places, especially when a lot of civilians are there, if you think that was a worthwhile strike.
Also, if you could give us a readout on the recent round of U.S. and UK strikes, how successful they were, and if you plan on continuing that.
And finally, to ask about the shipping. There seems to have been — we haven’t heard about any shipping-related strikes recently. Is that because the Houthis have sort of stopped attacking ships as they’ve been attacking Israel? Or is there some — do we have some shortage in our interceptor supplies?
MR. KIRBY: There’s an awful lot there, Karen. I’ll try to take them in order.
On your first question, I’ll let the IDF speak to their military operations, as we typically do. I’m not going to comment on individual strikes that they take to defend themselves. I would just say that the Houthis continue to pose a real, a present, and a viable threat to the safety and security of the Israeli people as the Houthis — and you mentioned it in your question to me — continue to launch strikes against Israeli soil itself. So they have a right to defend themselves.
Now, as we’ve also said and continue to say, how they defend themselves matters, of course, and we want to see them conduct our operations with a minimal impact on civilian infrastructure and certainly at much less risk to the civilian population, and that’s a conversation that we continue to have with them, and I can assure you that those conversations are ongoing.
On the strikes that we’ve been conducting as part of our coalition effort, I would point you to the Pentagon to speak to battle damage assessment. I’m afraid I don’t have that level of detail here this morning.
That said, those missions are important in terms of further degrading Houthi capabilities. We believe that, in the main, these strikes have been effective, but clearly there are continued threats posed by the Houthis, continued capabilities that they are able to deploy and use against commercial and warship activity in the Red Sea. And so, these strikes will continue for as long as that threat remains. Clearly, they still have some capability to conduct these attacks, and not just against shipping but against the Israeli people as well.
On the reduction, I think it’s most likely a combination of factors, Karen. We believe it is certainly due in part to the strikes that we have been conducting and the degradation of their capabilities. We haven’t eliminated that. They still have the ability to strike out at shipping, but we do believe we have further degraded their ability to do so.
We also have extensive defensive capabilities as well. I mean, we believe one of the reasons that you haven’t seen successful attacks against commercial shipping lately is because we also continue to sharpen and hone our defensive capabilities to prevent those attacks from succeeding. And then, as you rightly also noted, one other factor could be that they have increased their attention on Israeli soil and attacks against the nation of Israel.
So, I think it’s a combination of things, but the strikes will continue against their capabilities for as long as we believe those capabilities remain viable, and they still remain viable.
MODERATOR: Next up, we’ll go to the line of Martin Montague.
Q Good morning. Happy holidays. I have questions for
Anne. Anne, thank you for the update. Appreciate it.
You know, the number has come up from eight to nine. I’m wondering if there’s any evidence that any of the firms have been able to fully evict the Chinese from their networks.
And I’m also wondering if there’s any sort of idea, now that we’re a few weeks — few months, I should say, into this investigation, the total universe of Americans impacted by this breach, is there any sort of ballpark figure, rough estimate, back-of-the-envelope number you might be able to share? Thank you.
MS. NEUBERGER: Thanks so much, Martin. So, two things I would say. One is, you know, I’ve had the opportunity to lead both offensive and defensive operations, and the reality is that from what we’re seeing regarding the level of cybersecurity implemented across the telecom sector, those networks are not as defensible as they need to be to defend against a well-resourced, capable, offensive cyber actor like China.
The reality is that China is targeting critical infrastructure in the United States — those are private sector companies — and we still see companies not doing the basics. So, you know, in one telecoms case, there was one administrator account that had access to over 100,000 routers. So, when the Chinese compromised that account, they gained that kind of broad access across the network. That’s not meaningful cybersecurity to defend against a nation-state actor.
So I think, at this point, what we need to see is we need to see the FCC’s rules, we need to see every member of the — all the FCC commissioners vote to implement the required minimum cybersecurity practices across telecom, because once those are in place, once companies are taking those steps to make their networks defensible, we would feel more confident to say that the Chinese actors have been evicted and can continue to not be able to come in.
With regard to the total number impacted, we don’t yet have a good sense. Our understanding is that a large number of individuals were geolocated in the Washington, D.C./Virginia area. We believe it was the goal of identifying who those phones belong to and if they were government targets of interest for follow-on espionage and intelligence collection of communications, of texts, and phone calls on those particular phones.
So, we believe a large number of individuals were affected by geolocation and metadata of phones; a smaller number around actual collection of phone calls and texts. And I think the scale we’re talking about is far larger on the geolocation; probably less than 100 on the actual individuals.
But everything we’re learning — we’re continuing to learn in the incident. The Chinese, you know, were very careful about their techniques. They erased logs. In many cases, companies were not keeping adequate logs. So, there are details likely, Martin, that we will never know regarding the scope and scale of this. And that’s why we’re looking forward and saying let’s lock down this infrastructure. And, frankly, let’s hold the Chinese accountable for this.
You saw the action, I’ll just reference, that the Department of Commerce took regarding China telecom. There are further actions we’re working related to actions like that in that space as well that will be coming out over the next month and over the coming months. Thanks.
MODERATOR: Next up we’ll go to the line of Kellie Meyer.
Q Hi, thanks for taking my call. Merry Christmas, John. Thank you for doing this today.
On the plane crash, I wanted to ask: Is POTUS monitoring this, the latest he’s been watching? Can you share?
MR. KIRBY: Yeah, Kellie. Yeah, the President has been and will continue to be apprised and kept up to date on what’s going on. But as I said, it’s actively being investigated. He wanted to make sure that our team — and we did this both through our diplomats, but also through some NSC officials — made very clear to the Azerbaijani government that we stand ready and willing to help them, should they need it, with their investigation.
But again, I don’t want to get ahead of where we are.
MODERATOR: Next up, we’ll go to the line of Sara Cook.
Q Hey, thank you so much for doing this. I had a couple questions. One, on the crash. Can you expand on what these early indications are that you’re seeing that it might have been a Russian missile system?
And separately, can you comment on Marc Fogel receiving wrongfully detained status in Russia?
And if I may, on the strike that Israel conducted near a hospital on Thursday that left about 50 killed, including five hospital workers and five journalists, I’m wondering if you can comment on that as well.
MR. KIRBY: All right, I’m going to be completely unsatisfying to you on almost all of these.
I’m not going to get into what the early indications are that we’re looking at. I think hopefully you can understand why I won’t do that, but we do have early indications.
Again, I want to clarify: These are early indications. There is an active investigation going on, and I don’t want to get ahead of where we are right now.
I’m going to leave the State Department to speak to Mr. Fogel and his classification. That is a determination that they make, and they have a process for that. And I really think it’s better if you ask them what that — about that process and his particular case.
And on your last question, we’ve said time and time and time again: Hospitals should not be active scenes of combat and conflict. People should be able to — be able to feel safe going to a hospital, get the medical care that they desperately need. Sadly, we have seen in the past — again, time and time and time again — that Hamas uses civilian infrastructure, like schools and like hospitals, to store caches of weapons, to house fighters, to plan and coordinate.
I can’t speak to this particular strike. You guys are probably sick of me saying it, but I’ll say it again: I’m not going to speak to every IDF strike that they take. I’ll let them speak to their operations. But again, they still have an active threat from Hamas — Hamas fighters. They should speak to how they’re dealing with that threat. We don’t want to see hospitals as the scene of conflict. And I’ll leave it at that.
I do want to, if I could, while I remember — Karen DeYoung asked me about interceptor supplies for the United States Navy. Again, this will be an unsatisfying answer, but I didn’t want to think — I didn’t want Karen to think I was blowing that off. That would really be a question more for the Pentagon to speak to in terms of their inventory. I would be surprised if they’re willing to publicly disclose what their inventory of air defense interceptors are aboard their surface ships in the Red Sea. That’s not the kind of thing that we make public.
But again, I would point you to the U.S. Navy or to DOD, and I just didn’t want you to think I blew that part of your question off.
MODERATOR: Thank you. We’ve got time for a couple more questions. Next up, we’ll go to the line of Lucas Thompson.
Q John, is President Biden committed to the destruction of the Houthis in Yemen before he leaves office?
MR. KIRBY: Hey, Lucas. This is about destroying their ability to conduct these kinds of attacks. It’s not about wiping every Houthi fighter off the map. This is about preventing them from threatening commercial and, quite frankly, naval ship activity in and around the Red Sea, as well as helping degrade and prevent their ability to continue to launch drones and missiles at Israel. So that’s what this is about.
And as I said in my answer to Karen, we’re going to continue that effort. For as long as he’s Commander-in-Chief, we’re going to continue to conduct those kinds of strikes and continue to try to degrade those capabilities.
MODERATOR: Next up, we’ll go to the line of Eric Bazail.
Q John, thanks so much for doing this. Do you have any updates on the state of Gaza ceasefire talks, especially in light of some back-and-forth comments between Israeli and some of the Hamas leaders on Wednesday that Al Jazeera and other outlets reported on?
MR. KIRBY: What I can tell you, in all honesty — and we had a conversation on this this morning — that our backs are to it, and we are continuing to work on this as hard as we can to try to get a ceasefire deal in place before we leave office. And the team is, again, actively working this even today.
I don’t have any specific updates to share with you. Obviously, if we did, we would be sharing with you if we had some kind of breakthrough; we’re not there yet.
I would just add again that Hamas is the obstacle. As you get down towards what you believe is a conclusion of a negotiation, which we believe we are close to, it’s the specific details that become the issues over which the sides barter. And the closer you get to the end, the more detailed those discussions occur. And that’s where it gets more difficult, and that’s really where we are. And it is because of Hamas throwing up obstacles or refusing to move on any of these details that we are still not at a conclusion.
But we believe, as Jake has said, we’re very, very close, and so we’re not going to give up on it.
MODERATOR: Next up, we’ll go to the line of Dmitry Anopchenko.
Q Hello. Thank you very much for taking my question. John, two short questions please. Firstly, you mentioned the situation with the North Koreans. Previously, it was reported that Ukraine will have the opportunity to use the American or Western long-range missiles or long-range capabilities hitting any territory where the North Korea troops are. So could you clarify the policy?
And secondly, there are a lot of talks about the upcoming meeting of the Ukrainian Defense Contact Group, the Ramstein Format, scheduled for January. Could you share your understanding: Do you believe that it might be on the leaders’ level, or it will be on ministers’ level, as it was before? Thank you.
MR. KIRBY: I don’t have an update on the next Ukraine Defense Contact Group, Ramstein Format that you mentioned. We’ll have more to say as we get closer to that, and I’m sure I’d point you to DOD to be the prime speaker to their plans for that.
On your first question, I’ll let the Ukrainians talk about their operations and how they’re conducting their operations in and around Kursk. Nothing has changed about our guidance to them in terms of how they can use long-range capabilities to defend themselves in that area. But they should speak to what they’re doing, how they’re doing it, what they’re using. I’m not going to get into that. I haven’t done that for three years, and I’m not going to start doing it now.
I’ll just say what I said before, and this kind of ties back to my topper: It remains deeply troubling that Mr. Putin has decided to use foreign troops on Russian soil to defend that soil, which is a historic move; hasn’t been done for decades. We believe — continue to believe it’s a sign of his desperation as he tries to spread forces around a pretty wide front there and defend against the Ukrainians in and around Kursk.
And as we said when they decided to move forward on this, those North Korean troops would be doing it at their own peril. And, clearly, they’re under peril. In just the last week alone, as I said, a thousand casualties that’s killed or wounded in the space of, what, seven, eight days.
So I hope that for all the things — and I’ve said this before, but I’ll say it again — for all the things that the Russian military has given these guys, whether it’s a rifle, ammunition, artillery, knapsacks, whatever the heck they’re getting, I hope they’re loading up their commanders with a bunch of body bags, because they’re clearly going to need it.
MODERATOR: Our last question will go to the line of Courtney Kube.
Q Hi. Thank you. I know you don’t want to talk about the indications that you guys have on the plane, but I wonder if you can even say whether the U.S. indications, early indications, are more than just sort of the visual things that we’ve been hearing about from experts who are looking at the holes and saying it could be shrapnel and things. Do you have actual — some kind of intelligence or information, whether it’s like infrared or something that’s beyond just sort of the informed speculation we’ve been seeing?
MR. KIRBY: Short answer to your question, Court, is yes. And I’ll leave it at that.
MODERATOR: And that’s all the time we have for today. Thank you, Kirby, and thank you, Anne, for joining. And thanks, everyone, for listening in and asking your questions.
If you have any follow-up questions, feel free to reach out to our team, and we’ll get back to you. Hope everyone has a great rest of your day.
11:10 A.M. EST
Mortgage News From Whitehouse.gov
