Emily Crose, Former US Intelligence Officer Discusses Cybersecurity’s Role In Politics And Ethical Challenges In Corporate Security
Categories :
Emily Crose, a cybersecurity expert, former US Intelligence Officer, and author of ‘Hack to the Future’, talks about how cybersecurity affects politics and the ethical challenges faced by companies in protecting their systems, in the latest episode of the Dinis Guarda Podcast. The podcast is powered by Businessabc.net, Citiesabc.com, Wisdomia.ai, and Sportsabc.org.
Emily Crose is an expert in technology, cybersecurity, and government transparency, with over ten years of experience. She spent seven years in the U.S. intelligence community, working with the CIA, NSA, and United States Army INSCOM. Emily co-founded Hacking History, a project studying the dynamic between hackers and the U.S. government.
She also authored ‘Hack to the Future’ published by Wiley in October 2024, a book exploring hacker culture's impact on government policy. As a transgender woman, Emily actively advocates for LGBT+ inclusion and diversity in tech. She regularly speaks at renowned events, including the International Spy Museum and the Dragos Industrial Security Conference, sharing her insights on cybersecurity and privacy.
During the interview with Dinis Guarda, Emily Crose explains the complexities of ethical versus legal frameworks in cybersecurity, especially regarding nation-state hacking.
"Government-authorised hackers kind of fall outside of the normal framework that we use for white hat and black hat hackers, or at least in my opinion. I’m sure other people have different options on this.
Depending on whether you are being hacked or you are the hacker in the context of, like, a nation-state offence and defence, you probably would define an NSA computer operator differently based on your own context in the world.
A target of the NSA is probably going to feel that an NSA officer is probably a black hat, right? But in the context of American law, they would fall pretty squarely in the white hat hacker category because they've been authorised to do all of this.
That’s a legal framework... It’s a little bit different than a moral and ethical framework that you might otherwise use to judge these actions.”
Cybersecurity in politics: Balancing optimism and challenges
Emily discusses the changing role of cybersecurity in politics, focusing on the challenges caused by influence campaigns and the public's limited understanding of these threats:
"We’ve made a lot of strides in the past 20 or 30 years on establishing what norms look like with regards to hacking and what the expectations should be from one nation doing it to another.
Elections, for example, have become very much a flashpoint for this topic because it seems to happen every election now, and what we expect as a society around that has also evolved.
In 2016, Russian interference in U.S. elections was really more of an influence campaign than it was a direct effort to hack the vote. There was not enough effort that actually resulted in votes changing, based on the information I’ve seen."
There is an ever-present campaign of influence happening throughout the world from one nation to another. It could be considered interference, but how much that actually changes the outcome of an election is something that is very difficult to place.
Am I optimistic or pessimistic? Honestly, I’m pessimistic about the government’s ability to respond to any crisis at the moment. My hope is that it improves.
We have several other areas that have required attention from our lawmakers for a very long time, and it’s been woefully inadequate to actually solve many of those problems. I would like to see more action there, more measures taken."
Corporate Cybersecurity: AI and the digital literacy
Emily discusses the complexities surrounding the idea of corporations employing offensive cybersecurity measures, such as hacking back at attackers:
"There’s been some analysis on how AI has changed the offensive security space. I don’t know that it’s made a major impact yet, but that may change in five years’ time or a shorter period than that.
It’s not a morally sound argument to hire a hacker to go after somebody who’s hacked you if you’re a company. There are a lot of complexities with doing that, like how do you know exactly who it was?
With the nature of being able to reroute network connections, it could be really hard to figure out things like attribution for an attack, which is one of the things you would have to know to effectively do this.
One of the more interesting questions to me is what is the true level of corporate espionage that we have in the United States. I haven’t seen a whole lot of sources of information that deal with that question.
Is it possible that ransomware actors, for example, have been hired as part of a corporate espionage campaign? Could they be ‘double dipping’—getting paid by one corporate entity to go after another and then making a second amount of money off a ransom campaign?
There are a lot of interesting questions that I don’t think we’ve caught up to in the public understanding of where hacking is right now.
It’s a very fast-moving environment that is endlessly fascinating but always disappointing. You can never have enough information, it seems."
Emily discusses with Dinis, how the growing impact of AI on cybersecurity and the urgent need for increased digital literacy:
“Folks have to have some level of awareness of what is developing—at least a vague idea of what the cutting edge is—or at least know somebody who knows that, so we can all better understand what our security exposures are.
There is always going to be the compartment of technology and business that we can't control—like who provides our power, who generates our electricity and distributes it to us, for example.
What I see AI as being able to do is to sort of fill some of those gaps as an assistive technology, rather than something that can completely replace people.
Especially if we have a potential industrial accident or the conditions for that forming, I can see Artificial Intelligence being an assistive technology to avoid those types of outcomes or to investigate problems.
"AI can shorten the duration of an incident report in the aftermath of a breach, for example, and there are areas that I can definitely see that technology being applied.
I co-founded a small company called Neuralized AI, and what we are trying to do is parse tons and tons of logs generated by businesses—hundreds of gigabytes, terabytes of logs—to understand and manage them at scale.
Cybersecurity: U.S. Intelligence and evolving threats
Emily explains the dynamic nature of counter-extremism, operations and responsibilities of U.S. intelligence agencies, such as the FBI, NSA, and CIA, in fulfilling requirements for intelligence collection.
She explains the evolving threat of extremism:
"Things like counter-extremism are... an ever-evolving threat. It's not a thing that just exists in one form forever in the exact same way. There are markers that are similar between cases.
Emily discusses the roles of U.S. intelligence agencies:
"In the United States, we have three three-letter agencies: FBI, NSA, and CIA, and they all have requirements for intelligence collection. Most of those requirements come from either military sources or other U.S. legislative sources. For example, even the president can have requirements for intelligence collection.
Emily also explains the methods of intelligence collection:
“It’s up to the three-letter agencies, the intelligence community, to gather as much intelligence about those areas of interest as they can, using the techniques that they have available to them.
Whether that means talking to an individual, getting it through what we call human intelligence or HUMINT, or, hey, we think they may be transferring information over a signal-based device or a computer, send it to a different three-letter agency and then they go and get it.
Part of that, especially in the last, let’s say, 20 years, has been due to signals intelligence, or what we call SIGINT in the intelligence community.
A newer component of signals intelligence is what I do, which is computer security. Offensive computer security is one component of that. You try to grab intelligence off of computers.
Once you get the raw information, you have to send it to people who can piece the entire picture together as the analysts that work within the intelligence community."
Emily also discusses the difference between white hat, black hat, and grey hat hackers.
"The most basic difference between white hat and black hat hackers is that one group—the white hat hackers—typically have a formal permission-based system that they use. They have a scope, sign contracts, and have goals in mind that benefit the folks that they sign the contract with.
Black hats, on the other hand, sort of make their own rules and they don’t ask for permission when they do their work.
Gray hats kind of live in the spaces in between... Maybe they do have permission, but the permission only goes so far, or maybe they didn’t get permission, but they have a very specific goal in mind."
Shikha Negi is a Content Writer at ztudium with expertise in writing and proofreading content. Having created more than 500 articles encompassing a diverse range of educational topics, from breaking news to in-depth analysis and long-form content, Shikha has a deep understanding of emerging trends in business, technology (including AI, blockchain, and the metaverse), and societal shifts, As the author at Sarvgyan News, Shikha has demonstrated expertise in crafting engaging and informative content tailored for various audiences, including students, educators, and professionals.
