Cyber Law Dialogues with Chris Painter
In this comprehensive interview with the former White House cyber policy advisor, I had the chance to learn about Christopher’s extensive career spanning from prosecution to international diplomacy, and his insights on the evolving cybersecurity landscape.
Christopher shared valuable perspectives on unifying diverse government viewpoints into coherent cyber policy, the evolution of cybercriminal threats from lone hackers to nation-state actors, and his concerns about the current administration's approach to AI regulation and capacity building initiatives.
Find the transcript of our conversation below.
Steph: Welcome back to Cyberlaw Dialogues. a series dedicated to creating inclusive conversations around cyber law and policy. Today, I'm honored to be joined by Christopher Painter, a former White House advisor on tech policy, prosecutor, and a leading expert in cyber diplomacy. Christopher, thank you so much for joining us. This really means a lot to me.
Christopher: Very happy to be here.
Steph: In our previous conversation, you discussed producing the 60-day cyber policy review, chairing interagency meetings that led to the first international strategy for cyberspace, and establishing a unified U.S. position on cyber policy during the Obama administration. You accomplished a lot of impressive work under the administration. Looking back, what would you say was your proudest moment, and can you walk us through your role in bringing these initiatives to life, from policy discussions to real-world implementation?
Christopher: It's hard to pick just one. I’ve been involved in various aspects of this work for over 30 years—as a prosecutor, at the White House, and later at the State Department. During my time at the White House from 2009 to 2011, when Obama first took office, there was a real focus on cyber as a priority, not just one of many competing priorities. Of all the initiatives, I’m particularly proud of launching the international strategy and making it a major area of foreign policy. It simply didn’t exist before. It was about creating something new, it was about being entrepreneurial in government, and shaping something that would grow over time. When I was at the State Department, I saw many other countries adopt that approach, integrating cyber policy into their broader foreign policy strategies. That was incredibly rewarding.
Steph: Were there any unexpected challenges that refined your approach to policy making in cyberspace?
Christopher: Yes. When we started the international strategy, it emerged from the 60-day policy review that Obama had ordered. One of its recommendations was to unify our position on cyber policy, particularly internationally. Even within the same agency—like the State Department—there were different perspectives depending on whether you spoke with the human rights folks, the cybersecurity folks, the counterterrorism folks, or the arms control people. These divisions were magnified across the entire government. The challenge was to unify these diverse viewpoints into a single narrative.
I remember our first meeting with around 14 different agencies—economic agencies, security agencies, human rights representatives. They didn’t even speak the same language. Security and intelligence officials talked about cybersecurity and cyberspace, while economic experts focused on internet policy, and human rights advocates had a completely different framework. You didn’t even have a commonality of language. What I thought was interesting was that over a year and a half, we crafted a strategy that brought these perspectives together into a coherent policy framework. The final strategy covered economic aspects, cybersecurity and stability, military considerations, and human rights—tying it all to a broader goal of creating an interoperable, reliable, and secure information infrastructure. It was a major step toward a unified approach in the U.S. government and international discussions. This was the first strategy in the world. It was a big deal to get everyone to sing the same song and be able to have these agencies carry those messages forward.
But it was challenging—dealing with those linguistic differences, dealing with those different viewpoint differences, dealing with the inherent conflicts that can arise between those different communities on some of these issues, was difficult. But I think it was really rewarding to get them all to come together, to understand the different viewpoints and to have a more unified mission.
Steph: That’s incredible to hear, thank you so much for sharing. Moving into the cybercrime realm, who were the most significant cyber threat actors when you first entered the field, and how has the threat landscape evolved? In particular, how has the U.S. government’s approach changed across the Obama, Trump, and Biden administrations?
Christopher: When I started as a federal prosecutor focusing on cybercrime, it was serious but not well understood by the public. Society—from banking to communication to social life—wasn’t as dependent on technology as it is now. Back then, high-profile hacking cases made front-page news, like the Mitnick case, but people didn’t grasp the full implications. They were disruptive, but people didn’t understand how serious they were. We had some resources—FBI, the U.S. Attorneys' offices—but they were limited, and there was a prevailing belief in online anonymity.
Over time, the landscape changed dramatically. You still have script kiddies, and lone gunman hackers, as I call them, but you have much more of a couple different things. We now have transnational organized criminal groups, particularly with ransomware. Nation-states have also become more involved, not just for political goals but financial ones—for instance North Korea, who has a political goal, but is also trying to get hard currencies so they engage in fraud and attacking things like the Bank of Bangladesh. The sophistication of attackers has increased, and our dependence on digital infrastructure has made us more vulnerable.
We had a pretty good cyber crime law, which we have amended a couple times, 18.USC.1030. A lot of the rest of the world didn't, but now many countries in the world, because of the Budapest Cybercrime Convention, have the basic laws in place. And now there's been a new UN convention, so maybe more countries will sign up for either the Budapest or a new convention. Back then, you didn’t have much substantive crime to punish. Nowadays, we do. In response, I’ve seen maturity in terms of legal structures, training for law enforcement, which is critically important international cooperation, like the 24/7 network that I helped run at one point, that was started through the G8 and many more successful transnational takedowns of groups.
However, ransomware has become particularly pernicious. And the bad thing about that obviously, it's disruptive. It targets even hospitals and others. The only silver lining is, governments and businesses take cybersecurity more seriously. Under the Biden administration, ransomware became a G7 priority and led to the creation of the Counter Ransomware Initiative, which now includes 68 countries. That level of attention is critical to making progress.
Steph: Shifting to AI, there’s been a lot of discussion about its role in cybersecurity. AI models are advancing rapidly, like with what we’re seeing with DeepSeek. What opportunities does this present for cybersecurity, and what risks do you see?
Christopher: I think cybersecurity companies are rightly relying on AI to automate responses, but even more importantly, to analyze vast amounts of alerts. However, attackers are also using AI to craft more sophisticated phishing attacks and adapt their methods in real-time. On the other hand, we've been quite worried about attackers using artificial intelligence to craft better attacks and to be more nimble. It will be a constant cat-and-mouse game.
Steph: Cybercrime costs are projected to hit $10.5 trillion this year, making it the world’s third-largest economy. Just recently, on February 21st, the Lazarus Group stole $1.5 billion in the largest crypto heist in history. From your experience tracking and prosecuting cybercriminals, are stolen funds truly lost forever, or can government agencies intervene?
Christopher: It depends. When you talk about numbers, people often guess that number is the economic damage; but we don’t have great data on that. We have a lot of anecdotal data and estimates. I don’t dispute it’s a huge issue, however. On the issue of being able to claw back some money, Occasionally, funds are recovered, as we’ve seen in some ransomware cases where the DOJ and Treasury have successfully clawed back payments. Success depends on access to wallets, tracking criminal operations, and international cooperation. But it’s not going to work in every case.
Longer term, there are things that this ransomware task force that I've been co chairing for a number of years has suggested, which is, to not regulate crypto completely, but use things like, “Know Your Customer” policies, money laundering rules, things that we use in other payment systems, and have better international cooperation on those systems, which I think would help trace some of these funds and make sure that we can either get them back or make it harder for the criminals to even access them.
Steph: What regulatory gaps still exist in combating cybercrime, particularly regarding emerging technologies?
Christopher: It’s always been a problem that technology moves quickly. As the old adage goes, regulation and laws move slowly. But I think we have a lot of tools to go after this now. For crypto, it’s about applying traditional solutions that worked in other areas. For instance, there was a lot of money laundering at one point, but we created money laundering rules. It doesn't mean to abolish crypto, but it’s about how do you make sure it’s used responsibly?
I think the challenge is lawmakers don’t understand these technologies, either here or abroad. It's fast moving, and you want to have regulations that are technology neutral so they don't get outdated in like five minutes, so you don't have to keep changing them. But that's a challenge, especially when these things are new, and you're trying to figure out the best way to approach them without actually hurting their utility.
Steph: I especially agree with your last point—we want regulations to be nimble and evolve at the pace of technology.
Christopher: I think we’re not going to see that in this administration. I think they're very anti regulation. Both parties have been for many years, and the change in that was in the National Cyber Security Strategy under the Biden administration, which, for the first time really said, we have to look at this, both for critical infrastructure and for software vendors. But I suspect that in this administration, it's unclear whether that will continue to be a priority.
Steph: Turning to global policy discussions on technology and emerging technologies, the Paris AI summit brought nearly 100 nations together recently to discuss the safe development and use of AI and had these nations sign a declaration that's critical for establishing comment guidelines and international cooperation. However, the US has declined to sign the summit declaration. Can you provide the readers some of the background, the significance of the summit and the declaration and explain just what this decision might signal to the world?
Christopher: Well, I think the summit was an interesting idea. I helped work on a paper submitted by the Paris Peace Forum on drawing out the cybersecurity aspects of AI and what a governance framework could look like. When the administration came in, they revoked the Biden AI order—the safe use of AI and the guardrails around certain things.
Again, it's still early in the administration, and it's hard to tell with everything else going on. However, my sense is that by repealing that order, refusing to sign anything in Paris, and making statements against the EU's attempt to regulate AI—despite its own flaws—the U.S. has made it clear that, at least initially, it does not want to be bound by any restrictions.
There are real safety considerations with AI, but in the short term, until they establish a successor to the order or release something new, they seem unwilling to impose restraints on AI development—more for competitive reasons than anything else.
I attended a conference in London about six months ago, before the election, where a speaker said that the only real competitors in AI would be the U.S. and China because the EU had regulated itself out of the race. While I don’t completely agree with that, I think it reflects the U.S.'s current stance—they don’t want to regulate something they don’t fully understand or risk hurting their competitiveness. That decision could have real consequences, but for now, we’ll have to wait and see how it unfolds.
Steph: That's so fascinating. On the point of this push to deregulate technology and emerging technology, if you could advise the current administration to do one thing in the cybersecurity strategy, what do you wish they could hear from you?
Christopher: There's two different aspects of that. I do think smart regulation is still important—I just don't suspect that's something the administration is gonna take up. What we finally had gotten to is at a political level, this being treated as a national and economic security issue, and we had resources devoted to that. We had more planning devoted to that, like the counter ransomware initiative, I just worry that the US will not continue to lead in that area, not because they may not want to, just because it's not at the top of their list of priorities. And I think that would be a mistake because the US plays a critical role in driving these policies and making sure you have better cyber security around the world, which helps us. I mean, it's not just altruistic. It helps the U.S., and that includes things like capacity building. You've heard all the stories about them. I mean, I think just today, they're shutting down the USAID. Those programs, at least the ones I know of, are designed to help us. Eventually, if you help a country or the State Department's programs, if you have a country build its capacity to have technical abilities. That helps us, because we need to cooperate with them when the adversaries are attacking them as proxies.
So I'd say, continue to make it a priority. Get good people in place. And I think they're just starting to get some people in place, so that has to be filled out. Don't drop the ball on it. Even if it's not a personal priority for President Trump, it should still be a priority for the administration. They did make good progress, even in the last administration, last Trump administration. Outside of some statements by the National Security Advisor Waltz about China, there hasn't been a lot coming out of the administration yet on that.
Steph: Who in particular in the administration do you have your eyes on that you are excited to see what kind of stances they take on cybersecurity policy?
Christopher: Some haven’t been named or even rumored yet, so I haven’t heard many names for my old job at the State Department yet. So that would be critical. I think that the new National Cyber director at the White House is someone who is senior but doesn't have a lot of cyber experience, but has a lot of political experience. That would work out well if he has the ear of the West Wing, so we'll have to see where that goes, but that's just recently announced. The Directorate and the National Security Council, that Anne Neuberger used to run, they're sort of downgrading that a little bit. But as long as we have clear lines of responsibility between the NSC and the National Cyber Director of the White House, rather than having it kind of a jump ball, that could be good. A critical one's gonna be at DHS and CISA. I saw an announcement just the other day that Karen Evans, who used to be in the Bush administration, then in the first Trump administration at the Department of Energy. She’s a very competent person.
So what I think is we'll have to see, and I think all those have to work together and DOD as well and Commerce and Treasury, they have to be a team.
But I think we're gonna be a few months before we see that team starting to operate and see things come out of it. You also heard the administration talk. The one thing they've said about cyber often now, you've heard it from the CIA, you've heard it from National security advisors—they wanted to be much more aggressive offensively in cyberspace. And I think the Biden administration had also moved in that direction, but I'd say that is one tool in your toolkit, one arrow in your quiver, if you will. But it's not the only one. You have to like to look at all the other tools to have a unified response. Sometimes cyber is not the best response to even the cyber incident, but having strong tools make sense.
Steph: Can you go more into depth on that? Can you get an example of a scenario where cyber, just a cyber response may not be the full picture? What other tools do we need?
Christopher: Well, if you have a cyber incident, it's just like anything else if you had a physical attack, you look at all the range of options you have, you could use military responses, you could use economic responses, diplomatic responses, cyber responses, to disrupt the adversary. You could do all those things. And you have to do the same thing. So if you have a denial of service attack—that is not espionage, because espionage is a different category—but something that's disruptive, cyber response might be one of your options, but then you have to have access to the systems you're trying to do. You're trying to bring consequences to the adversary. So what are those? And how can you achieve that with cyber so they don't just reset? Economic responses might be stronger. Diplomatic responses—working with other countries—might be stronger. A challenge there is, I think a lot of our allies are a little wary of us right now, but you need those partners to work together, because they're targets, too. And then military responses are part of the picture, but you have to tailor it. You got to look at who's doing this to you and say, What is it gonna change their mind? What's gonna make them think this is not worth it for them? And that's gonna be different for whoever the adversary is. It's gonna be different for Russia than it is for China. It's gonna be different for North Korea than it is for Iran. So you've got to have a unified response and organized response, and a cyber response could well be part of it, but may not be the best or the only one.
Steph: I think what’s really interesting about that is—I think of cyber crime as almost a business, and it's, it's currently a very lucrative one. The goal, as you mentioned, is to remove the financial incentives, making it a less attractive business proposition. But what’s particularly challenging is when cybercriminal operations are backed by countries that already have strained or severed ties with the U.S. and its allies. In those cases, there’s less diplomatic or economic leverage to deter their actions without risking a significant escalation of tensions.
Christopher: There’s a continuum there: if you're going after a nation state, you're going to use different tools than when you’re going after a criminal group because you want to lock up the criminals, you want to interrupt their money flow. But if those nation states are acting as safe harbors, as we've seen with Russia, for ransomware groups and criminals, then you have to think about how else you can reach them. And that's not always that easy, right?
Steph: Completely agreed.
Christopher: And then, the other thing I'd say is that you have, there are, they're kind of like minded countries, but there are a lot of countries in the middle. And that's why things like capacity building are so important, because a lot of those countries may not help us now, not because they don't want to, but they just don't have the capability to do it. You need to work with them, to bring them along, so that they will help us in these things. So that's not the Russians and China's in the world, but it’s a lot of the countries who are maybe less developed and don't have the tools and we'd be willing to help.
Steph: On your work with your work as president of the Global Forum on Cyber Expertise (GFCE), I'd love to hear about some of the initiatives that the group has brought to make that happen, and to bridge those gaps.
Christopher: I was the president for five years. I just stepped down from that, but was still involved with them. And the whole idea of that group was to set up a better coordination mechanism so that the limited resources you have for this are used in a judicious way, that you really reach into countries in a demand driven way, instead of just saying, we give you something. But what do they really need? You follow up with those countries, you understand the political goal of these countries. You could create a sharing platform so they can share information among and between them more efficiently. And all that succeeded. Now I think it's great. I think that there's 260 members and partners, including over 60 countries and private sector, civil society, and others. So there's been a number of initiatives, including trying to bring the traditional development community, like the World Bank, and the cyber community to talk to each other together to make a common purpose.
There's a big conference coming up in Geneva, the second one of these, the global conference on the Global Cyber Capacity Building Conference, the GC3B which will be in Geneva in May. And that brings these communities together. It's another way to move forward. And so it's really organizing and helping create a community for this somewhere more efficient and in these activities.
Steph: Are you interested in seeing how the upcoming conference in Geneva will contribute to capacity building? In other words, are there specific countries you’re particularly eager to watch as they develop their cyber capacity?
Christopher: We've seen some real activity. For instance, the ASEAN countries, Singapore has played a pretty key role there in working with those countries, creating a training center for them. So that's one area. There's been growth in Latin America and more generally, the OAS, the organization for American States, has been involved working with GFCE and really making sure that as many more countries have national strategies, and which is sort of the foundational thing you need, but also capabilities, Africa is still a big issue. We've created an African cyber experts network and a hub there, which is important. The Pacific Islands is another place that often is a proxy for attack by some adversaries and others, and I think they've been more active. So really, it's not any one country or area in the world, it's really everyone. And I think that I've seen real progress, but there's a whole lot left to do. You go to these UN meetings, and the number one thing you hear from a lot of the developing countries is we need this help, that this is the most important thing to us. Unfortunately, there's simply not enough resources to go around right now.
Steph: For our readers that aren't as familiar with what cyber capacity building means, can you elaborate on what it means and what the primary goals are?
Christopher: It's a range of different issues, everything from technical training, to policy training. On the policy front, the GFCE is organized into several pillars.
One is national strategy and policy. Having a national strategy for cyberspace, for cybersecurity (or broader cyber and digital issues) signals that the country has the political will, and it sets up the roadmap, and that's key. And lots of countries have that, but still many don't.
The second one is incident response and Computer Emergency Response Teams (CERTs). So having a national level CERT dealing with incident response is really important.
Third one is cyber crime: having laws in place, trained officials, etc.
Fourth one is awareness skills and training, obviously important.
And the fifth one, which is new, is emerging technologies.
So in each of those categories, we're helping countries really understand this. The reason that's important, as I said before this, it's not just altruistic. Obviously, you want to help countries not have a weakest link—you want to help them have stronger cybersecurity. But from the U.S. perspective, there are two things that capacity building helps do. One, which is not the goal, but the result, is if you're helping countries, they then kind of understand your general viewpoint. We want an open, free, interoperable cyberspace. Some other countries want much more of a closed system with state control. They want to moderate content and go after dissent. That's not what we want. So a lot of these countries are on the fence. They like the idea of stability, but they want security. And it begins, I think that begins to help them think, okay, that this, this view of the world is better for us. It's better for our economies and our people. But I think one of the primary goals is that when you help these countries build their technical capabilities, they can work more closely with you, your technical people, your policy people, to respond to and to deal with cyber incidents that cross many different national borders. And I think that's a key thing going forward, too. And so I think the more we do that, the better the payoff is for the U.S. and other countries in the long run.
Steph: We're nearing the end of our time here. I just have two more questions. The first question is, given your roles on the board of the Center for Internet Security and your involvement in the GFCE, how do you envision the evolution of public private partnerships? And so I know you've mentioned, you touched on this briefly, of how businesses and government are interacting to respond to enhancing both national and global cyber security. What innovative initiatives do you think are emerging to build cyber capacity through those partnerships?
Christopher: I think it's critical to have those. There's been this whole debate in the UN about stakeholders, both civil society and industry, participating, and the Russians blocking a lot of them for more geopolitical reasons. But industry often has the best view of what's actually going on out there, and when the tools are because they operate, a lot of infrastructure. Civil society has unique perspectives that governments often don't have, and you need those voices at the table. The GFCE was constructed this way, to have these different pillars. We have civil society, we have academia, we have a couple dozen industry players. We have governments. And that works well. There has been some what we call multi-stakeholder activity in the UN—it's still not perfect. There were some good ones with the Cybercrime Convention, again, not perfect, but, I think it's critical to have them there. Now, the other things, we've talked about public private partnership for as long as I can remember, and it's become kind of a mantra.
There are some good examples where you have industry and government, like on the same response floor, but I think we need to expand that and understand that all these parties have a role to play here. Even governments will not be able to handle this on their own.
Steph: I think being in the legal field must bring a really interesting vantage point,where you get to reach across the aisle and understand issues from various angles—for you, across civil society, industry, and government. How has your law degree informed your perspectives on cyber security policy? How has it helped you develop the skill sets that you need to bridge some of the existing gaps between the policy and technical communities?
Christopher: I think I went to law school for the same reason many people go to law school, since I wasn't exactly sure what I wanted to do when I wanted to have a lot of options. And law school seemed like a good option, that it seemed like was interesting. But I really like law school. You don't need to be a lawyer to go into cyber policy, but it really teaches you a way of thinking and analyzing problems that I think is very helpful to your later career, even if you're not doing straight law anymore. I think in the policy realm, it helps you think critically about issues, write critically about issues, understand competing priorities in a way that you might be able to find other disciplines. But I think law is particularly good at honing those skills and training those skills.
It's a big investment of time and money, but I think law school really helps you, and also, depending on where you go to law school. The law school I went to, they trained you to be a lawyer, but they also talked a lot about policy issues. They talked about legal policy issues. They went beyond just the learning contracts or torts or criminal law. They really went to the kind of larger issues that informed all those and I think that, again, helps you think about how you, how you approach these issues when you go out of law school. So I think it's, I think it's excellent training. I think it's also a good environment, usually, where you have a lot of compatriots, classmates from different walks of life and different backgrounds, that helps you think about these issues in a broader way as well.
Steph: For those aspiring to such a career at the intersection of technology, law and policy, what advice can you give? What essential skills and experiences should they seek out?
Christopher: I didn't have a clear career path. I think it's clearer now for people. But, you know, I think the key thing is just to have a passion for the subject, to really care about it. This is really what you want to do, and to be open to new opportunities. You may not get the first job or the best job, you may not get the best job you want as the first job, or you might, but you don't, you don't have to continue to do anything for the rest of your life. You can move around like I did, and I think those different perspectives help you.
So I think it's useful to have a little bit of technical training. You don't need to be a coder to be a cyber policy wonk. Indeed, I think that scared away a lot of the top decision makers on this. They thought it was too technical, but it's, it's just like nuclear: you don't need to be a nuclear engineer to understand nuclear policy issues. I think where lawyers are particularly valuable, is being able to translate between the technical community and the policy community, because often they speak different languages, they're not good at communicating. If you could be that bridge, that's very useful.
I think the positive news is there's many more opportunities out there than there were, you know, 20 years ago or 30 years ago. This is still a growth area. There's lots of, you know, things and companies, think tanks, government (although we'll see how big our government's going to be after a few months), but I think there certainly are more opportunities, and it's still something that's being prioritized, and I think that's going to continue to grow. So if you have that enthusiasm to really care about this, I think it's going to make a big difference.
Steph: Christopher, thank you so much for sharing your incredible insights. It's been so fascinating to hear about your journey and how you've shaped and are continuing to shape the future of cybersecurity and policy. Your work is really inspiring, and I definitely see myself following in similar footsteps, in a similar path, and it's really been an honor to have you on this hybrid jurist. Thank you so much.
Christopher: My pleasure.
