Skip to main content

tv   Book Discussion on Dark Territory  CSPAN  March 20, 2016 5:00pm-6:31pm EDT

5:00 pm
>> i think that the collection serves us really as a, strictly as historical documents for people who are interested in understanding the past. it could serve as a template for people who want to build on the movements of previous decades. >> for more information on booktv's recent visit to montgomery and the many other destinations on our cities tour, go to >> and now let me introduce fred. perhaps his most important distinction other than to say he was previously a new america fellow, but he has done one or
5:01 pm
two other things in his illustrious career. he is the national security columnist for slate and author of four books, most recently "the insurgents," which i think he will tell us has at least more crossover with this new book than some people might necessarily imagine. fred is a pulitzer prize-winning journalist back from his days in the "the boston globe", and i'm very pleased to be able to host him here today. just a word on format, shortly i'm going to ask fred to give a few minutes describing the book and telling us a little bit about what's in it, then i'm going to take the opportunity to have a conversation, dig into a little bit more of the detail and explore some of the themes and what we might conclude from that, and then i will open it up to the floor to give you the
5:02 pm
opportunity to ask fred some questions. we'll all to wrap up at 1:45. that'll actually give us plenty of time to get into some quite interesting conversation. so without more ado, fred. ms. . [applause] >> i'm just going to speak for a but minutes here. the subtitle of this book is "the secret history of cyber war," and when i was working on it, i had the subtitle already worked out. i didn't know what the title was going to be for a while. somebody said, well, how long of a history is this? most people think did it start with stuxnet, the discovery of that 12-story-wide building on the outskirts of shanghai? no, in fact, it goes all the way back to the dawn of the internet itself. and in 1967 when the arpa net was about to go up, that was, you know, a network where all the contractors of the defense
5:03 pm
department would be able to, you know, talk with one another in their computer programs, there was a man named willis ware. he was a computer pioneer. he was the head of the computer department at the rand corporation, and he was also -- though few knew that at the time -- he was on the scientific also visely board of the nsa -- advisory board of the nsa. he wrote a secret paper, it's been declassified, you can look it up, but he said he's the problem -- here's the problem: once you create a computer network, once you have access from multiple unsecure locations, you're not going to be able to keep secrets anymore. and so when i was doing my research, i talked with this man named steve lieu kasich who was the deputy director of arpa, and i said, did you read ware's paper? oh, yeah, sure. what did you think of it? i took it to the guys on the
5:04 pm
team, and i got the story confirmed by a couple of guys on the team, and they said, oh, jesus, don't saddle us with a security requirement too. look how hard it was to do this. it's like asking the wright brothers if their first plane has to fly 20 miles carrying 50 passengers. just let's do this one step at a time. and besides, the russians aren't going to be able to do this for decades. well, it was decades, two and a half, three decades, but by that time whole systems and networks had grown up with no provision for security whatsoever. so i see this as kind of, you know, the bitten apple in the digital garden of eden, the situation created from the very -- warned about and created from the very beginning. now, all of this was unnoticed until june of 1983 when ronald reagan watched the movie "war games" up at camp david. one of the guys who wrote it, not the one who's coming here
5:05 pm
tomorrow, his parents were in hollywood. they were hollywood producers, so they knew ronald reagan, so he got a copy of the film, and he watched it. the follow wednesday -- it was a saturday night. the following wednesday he's back in the white house, and there's a big meeting to discuss the mx missile, actually. some of you might remember that. and be at one point -- everybody's there, his national security adviser, some people on the hill. at one point he puts down the index cards, and he says has anybody seen this movie called war games? and nobody had seen it, it had just came out. he launches into this very lengthy plot description, and people are kind of looking around like where's this going, and he turns to the chairman of the joint chiefs of staff and says, general, could something like this really happen? could somebody just break into one of our most secure computers? well, i will look into that, mr. president. and he comes back a week later, and he says, mr. president, the problem is much worse than you
5:06 pm
think. and so one year later there was a national security decision directive signed by the president about telecommunications and computer security, first document of the sort. but it took a strange direction. it was basically written by the nsa. it was the only agency that knew anything about computers, and the way they wrote it, the nsa would control the standards for all computers in the united states; government, military, personal, business, everything. so there were some people on capitol hill who didn't go along with that. so they rewrote it so that, basically, the nsa would have security over, classified stuff, and the commerce department would have everything else. well, of course, the commerce department didn't know anything, they have no ability to do this. the nsa had no interest in securing these chinas. they were -- channels. they were interested at that time purely in exploiting security gaps, not in filling
5:07 pm
them. so for about a decade, nothing was done about this problem. and i won't go any further. it's just supposed to be a little introduction. but the point is that these two incidents, you know, willis ware writing this paper, "the dawn of the internet," and the extremely unlikely coincidence of ronald reagan watching "war games" and asking a question that had everybody in the room rolling their eyeballs like, oh, christ, where's the old man going now, led to the systems, the programs and more than that, the issues, the policies and the controversies and the tensions that persist to this very day. one more little thing about the "war games" connection before i go back down and sit down and we have a conversation. this is something that i discovered almost by accident. it turned out that the two writers of "war games," you probably have all -- i hope -- i'm assuming you're all seen or remember the movie.
5:08 pm
basically, the kid -- played by matthew broderick -- hacks into the norad computer with manager called demon dialing. he hooks up a system that automatically dials the phone numbers, every phone number in the area code, and when a modem is reached, it records that number. so he breaks into the norad computer like this. he thinks that he's just latched on to some new online game x he almost starts world war iii. but the screen writers were puzzled. they said, is this really plausible? could somebody just -- it's got to be a closed system, right? could somebody from the outside get into norad's number? they lived in santa monica, and they called the rand corporation. who can we talk to? oh, you'll want to talk to willis ware. he turned out to be a very nice guy, and they laid out the problem and he says, you know, i designed that computer, actually, i designed the software for that computer, and you're right, it is a closed system, but there's always some
5:09 pm
officer who wants to work from home on the weekend, so he leaves the port open. so, yeah, if somebody happened to dial that number, he could get in. and, you know, the thing is, the only secure computer is a computer that nobody can use. so that's sort of the lesson that we've all learned since, and now i'll sit and have a conversation. >> thank you very much, fred. one of those writers subsequently went on to write another movie called "sneaker." >> yeah, barry -- [inaudible] was the co-writer of that as well. >> and we will be talking to him on wednesday about what his next movie is about, so we can see where the direction is going. [laughter] but before we get there, you've written a history of cyber war. and traditionally when people write books about war, they write about battlefields and
5:10 pm
people tend to study those battles so that they can get a greater sense of how to fight battles in the future and appreciate strategy. >> right. >> what, what do you think having done your research, written your book are the events between 1983 and now that the student of cyber war should look back on. >>, you know, instead of -- and, you know, instead of walking the battlefield of gettysburg sort of take his lessons to study for the future? >> well, there are no battlefields to walk, unfortunately. but i guess a pivotal moment came in 1997. the new director of the nsa at the time, three-star air force general, had been commander of the warfare center in san
5:11 pm
antonio where they were doing a lot of things about what we would now call cybersecurity and cyber war. he couldn't get any of the other officers interested at all. you know, back then fighting wars was dropping bombs on people from the air force point of view. computer -- nobody even knew how to use computers, you know? so he decided, he couldn't get anybody interested. he knew about vulnerabilities, so he got permission to dod a war game where -- to do a war game where 25 red team members in the nsa would actually hack into all the networks of the defense department. now, they had to go through a lot of lawyers to get this done, and one of the conditions they had to use commercially-available equipment. they couldn't use their top secret stuff to mess with domestic networks. and so they did this, and they prepared for it for a few months, scoping out the networks, scoping out what they would do. the people who had been victimized were not to know about it. the only people who knew about
5:12 pm
it were the people actually doing it and the lawyers, like the attorney general and the secretary of defense. so they laid two weeks aside to do this. it turned out within four days they had hacked into all the defense department networks. including the national military command center which is, you know, how the president communicates and sends orders to the secretary of defense. all of it just mercilessly hacked, you know? sometimes they would just leave a marker, you know, kilroy was here. sometimes they would intercept messages, send back false messages, mess up orders. people's heads were being screwed with like, you know, what's going on here? i don't know what's happening. there was only one guy that was a marine out in the pacific who knew that something was going on. but, see, even if you knew what was going on, there were no protocols. what do you do about this? so he just unplugged the computer from the internet, which was the smart thing to do. everybody else, so when the debrief happened and they go
5:13 pm
through, you know, here's what we found and here are some passwords we dug out of a dumpster here, and here's a tape recording where the guy called up the secretary and said i'm an i.t. guy and need to change passwords, what's the password for everybody, and they told them and everything like that. and everybody was appalled, and that was when the deputy secretary of defense at the time said, okay, who's in charge? we need to fix this, who's in charge? and nobody was in charge. so, but then they started to set up some warning centers and some 24/7 watch centers, which was a good thing because within a few months, somebody starts hacking into the u.s. military. so maybe it had been going on longer than that. but the big thing there was something called solar sunrise where some serious hacking -- turned out to be two kids in california. and some people, somebody said, oh, whoo, just two kids in california. but other people said, wait a minute, two kids in california can do this, what are the
5:14 pm
nation-states? a few months later they called it solar sunrise, then something happened which was called moonlight maze which was somebody not just breaking into defense networks, but persisting and kind of looking around for things. they were looking for particular things. and eventually, they traced that back to a, it was the russians. it was using a server of the russian academy -- [inaudible] so those were the two, and then the chinese started doing it, and then operations -- oh, by the way, one thing very interesting. there's this war game could eligible receiver. when the nsa was inside the defense department networks, they noticed some french ips just kind of strolling around. so this is already really happening. in 1997. okay? so, but then there were other things. there were some sort of prototype of war things. a very big deal was remember when clinton was planning to
5:15 pm
invade haiti because some warlords had taken over, and they were working up war plans, and one part of it was, well, how do we get into, how do we get into -- haiti had a very rudimentary air defense system, but a lot of this was flying in people, you didn't want anybody getting shot down. and this is when this guy mini hand was in san antonio. one of his tech guys said, you know, boss, i found out that the haitian air defense system is wired into the commercial telephone system, and i know how to make all the phones in haiti busy at the same time. so that's how they were going to deflect, you know, defeat the air defense system. okay. years later yugoslavia, clinton's war against milosevic -- remember the bombing went on for weeks and weeks, months and months. well, there was a cyber element to this. and again it was phones, but computers were run by phones
5:16 pm
too. but they did some of the same things. they got into this serbian phone system, a cia guy went in, he put in a plant, and then the nsa was able to hone in on this plant. and they were, the air defense system was wired through the phone system. so they were able to go in there and mess with their radars so that on the screen it would look like they were some planes in the northwest, but actually they were coming from the west, so they would aim at the wrong spot. they would send messages to milosevic's cronies saying, you know, we know you own this copper plant. we're going to turn out the lights in the copper plant if you don't get rid of milosevic. and they said, oh, you know, forget about it. and they would turn out the lights in the copper, in the copper plant. and then they'd say, okay, if you keep this up, we're going to bomb you tomorrow. so he -- that's how milosevic lost his cronies. they were threatened by what was
5:17 pm
called information warfare. so this was the first information warfare campaign. some admiral gave a briefing, okay, this was both a success and a failure. we only used about one-tenth of what we could have done, but it was very interesting. and then after that, you know, we know about some of the things, stuxnet, there were some things -- i'll give one more, and then we should maybe move to a different -- when the israelis bombed the nascent syrian reactor which really was a nascent syrian reactor. they were helped by north korean scientists. what happened, a lot of people, even the syrians didn't acknowledge it because it meant that four israeli asset teams had to go about 150 miles inside of syrian territory without being detected even though they had just installed some new russian surface-to-air missiles and radar. they'd rather even acknowledge it ever happened. what happened was they used a program that was developed by the air force here and
5:18 pm
implemented by something called unit 8200 which is the israeli nsa. it intercepted not the radar and not the radar screens, but a data link between the radar and the screens. so that the people looking at the screens saw nothing. the radar was protecting planes and, in fact, the people in the planes were hearing bing, bing, bing, bing, so it took a little nerve to continue. but they also had people that were able to intercept the signal off the monitor that the radar operators were looking at to make sure that this worked, to make sure that they really were seeing nothing. and they were seeing nothing. so these planes got in, dropped the bomb, destroyed the factory, and people were saying, well, our screens show nothing. so that kind of thing. i should do one more, and that is the iraq war. i wrote a book called "the insurgents: david petraeus and the plot to change the american
5:19 pm
way of war" where i accepted the idea -- this is the only thing in this book i'll qualify or retract a little bit. you know, there was a big turn around in 2007. basically, the surge and the change of strategy towards counterinsurgency. well, there's one other thing, and that is the nsa got involved. the nsa actually sent over a two-year period 6,000 analysts to iraq. 22 of them were killed. they basically captured the computers, they got into the systems, they got into the passwords, they got into the e-mail connections, and they did things like they sent messages to other insurgents saying, okay, let's meet at such and such a place tomorrow at 4:00, and there would be these special operations forces waiting there to kill them. or they would detect some drones, somebody planting a roadside bomb and then running off. used to be you could follow them, but then you had to send the data back to washington, and it would take 16 hours.
5:20 pm
within one minute they could target these guys. so within -- in 2007 through these techniques, they killed 4,000 insurgents which is one reason why things really kind of turned around. i remember the first person i asked about this, and he looked a little alarmed that i knew anything about it, he said, well, yeah. when the histories really get written about this, this'll be the equivalent of, you know, breaking the german submarine codes in world war ii which, of course, wasn't revealed for decades after. so this cyber has been a part of these operations and these plans and thinking for quite a long time. >> just taking you back to moonlight maze, one of the anecdotes you tell, is the delegation that gets sent from moscow. very warmly welcomed -- >> yeah. so they started, when they realized that this was russia, and, of course, this was
5:21 pm
yeltsin, post-cold war. they're our friends. so we decided, well, maybe we should send a delegation to moscow. maybe they don't know this is going on, maybe it's not the government, you know? and we won't present it as national security, we'll present it as the fbi, we'll present it as a criminal investigation from which we are seeking assistance from the russian federation. and there was a controversy whether to do this. so they sent over this delegation. on the first day, you know, caviar, champagne, welcome our friends, and there was this one general in the military who was helping out. they brought over logs, guy brings out his own logs, and he's shocked. this is terrible! these bastards in intelligence, this is awful! we will not stand for this, we're going to clean this up. so they were going to be there for five or six days. second day, you know, we're going to have a sight-seeing tour today. we're going to go around, so
5:22 pm
they did sight-seeing. and then the third day they were going to do some more sight-seeing. then the fourth day there was nothing. so the fifth day, there was nothing. well, can we talk to this guy? well, he's busy now. there was -- so they left. the embassy is calling, the legal office saying, well, we need to -- oh, yeah, we will send you a memo on this. anyway, it's over. what they realized when they got back is that this was a government program, that this poor general who, god knows what happened to him for helping the united states -- [laughter] military and intelligence guys coming over, he just didn't know about it. and for a while, the hacking did stop. but then it started in again. and the chinese started doing it too. and, you know -- >> feels very distant in time. >> yeah, yeah, yeah. >> so the story that you have just told was a very military-heavy story, literally going through one of our
5:23 pm
military wars in the iraq. clearly solar sunrise, moonlight maze led to the establishment of a new organization, joint -- [inaudible] network defense which becomes computer network operations years later. but in the 1990, there's a sort of parallel development going on in the white house where people are starting to realize that critical infrastructure is vulnerable. >> yeah. >> do you want to talk a little bit more about richard clark and what he was up to? >> well, as all this other stuff was going on, eligible receiver and other things, a couple of years before then the oklahoma city bombings led to president clinton signed a presidential directive on terrorism, kind of a policy on terrorism, counterterrorism. and they started setting up a joint task force on, it was called the critical infrastructure working group
5:24 pm
because people are thinking, well, you know, they blew up a federal office building. and, you know, a lot of people were killed and a lot of damage. what happens if the next time they blow up a power dam or some electrical facilities? something that could affect the entire economy? we need to set up some policies for this. so the working group, they defined what critical infrastructure was. eight sectors of the economy; transportation, banking and finance, water works, dams, you know, so forth. and then they decided, as most working groups like this, to create a commission, a presidentially-appointed commission to look into this. well, the people who were on this working group and on this commission, they'd had some background in black programs, and they knew about this cyber element. and they thought, well, you know, it's pretty obvious how you protect something from physical damage. but there's this other thing going on, this vulnerability to electronic and computer hacking and that sort of thing. so as this report got written,
5:25 pm
half of it was about -- and this is where the term was first used -- they talked about two types of vulnerabilities, fiscal vulnerability and cyber vulnerability. and it said, you know, in the future somebody could do more damage with a keyboard than with a bomb. you know? that sort of thing. they were looking at this as the new nuclear weapon. so that was in 1997. and this analyst named richard clark, you've probably heard of since, was sort of put in charge of this. and he didn't know anything about computers. nobody did, as i said. and so he decided to go do a road trip with his staff. they went out to silicon valley, and they went to talk to all the executives x they learned that, well, you know, microsoft knows a lot about operating systems, and the guys at cisco know a lot about routers, and the guys at intel know a lot about chips, but nobody knew about anything else x they didn't know about the vulnerabilities in the
5:26 pm
things in between. and so he then -- i don't know how much you want me to get into this, but he basically meets up through an fbi contact with a hacker, a hacker who is -- his name is peter, but who goes by the name mudge who's, like, very famous in these kinds of fields. and he met him in harvard square, and his whole group was called the loft. they took him to the loft. it was on the second floor of a warehouse in boston. and they had stuff there, and they were able to do things there, hack into any password, replicate any kind of equipment, hack into anything. and that changed the whole threat model for clark. he realized, okay, you guys are doing things or are able to do things that we in the white house have said and the intelligence community have said only nation-states can do. and clark at the time was, he
5:27 pm
was head of counterterrorism. he was chasing osama bin laden all over the place. not physically, but -- and so he said, oh, this'll be great for part of my portfolio, cyber terrorism. because if these guys were terrorists, they could do acts of cyber terrorism. so that did expand the whole notion of cyber, cyber war and what it might result in. i think that's one thing that hasn't panned out at least yet. i don't think there are any terrorist groups now that are able to do quite the things that some of the white and gray hat hackers who are getting paid a lot of money to do certain things have actually done against our infrastructure. >> i want to take a moment just to why that hasn't happened. but just before we do, yet one more iteration where we have the arrival of mike haden at nsa -- hayden at nsa in 1990 where
5:28 pm
surveillance becomes part of the story. >> right. >> can you tell us sort of about the impact of the changes in technology that takes us pretty much up to snowden and the present day? >> right. well, you know, the nsa up to about this time that we've been talking about, they were still very much wedded to the analog world. tapping phone circuits, intercepting radio signals, intercepting microwave emissions, that kind of thing. and then in the early '90s, they noticed that, you know, they have these big listening towers and dishes all over the world. certain parts of the world nothing is coming in anymore. they're not getting any communications because they'd gone underground, they'd gone to fiber optics, or they'd gone to cellular, and they had no ability to do this. and somebody who had been director of the nsa before wrote a paper for a congressional, a very kind of classified congressional committee. the paper was called "are we
5:29 pm
going deaf," and they realized we're focused on the wrong things. and the cold war was ending about this too too. the nsa used to be divided into the a group which were the guys tracking the russians and the b group which was the rest of the world. the a group, shouldn't this be cut quite a lot? we're not really tracking the russians anymore. or not so much. so they, and this is where we get a little bit into the movie "sneakers." do you all remember "sneakers"? mike mcconnell, he was a career navy intelligence guy. he gets into the nsa, he's looking around. he's saying what, what does this big organization do? the cold war is over, we're not, we're not getting these radio signals anymore. what do we do? and, you know, people were coming to his office with these, okay, here's a map of sea lanes of communication. okay, now here's the happen you
5:30 pm
really need to look at, and they were maps of fiber optics. he goes, okay, that's very interesting. so then he went to see "sneakers," and for those who didn't see it, it's a movie about these hackers. this was 1993. i mean, nobody -- nothing like this really existed that much. but there's a whole kind of ridiculous plot where they get a call from the nsa, some bad guy has a decrypting code, and they want him to steal the black box, but it turns out the nsa was really the criminals, and this guy was working for the government, and they try to get it back. there's one scene where ben kingsley who's a kind of evil mastermind who used to be the college roommate of robert redford, there's this whole monologue, you know, marty, the war's now. it's not about bullets and bombs, marty, about the information. it's about zeros and ones. it's about who has the most information.
5:31 pm
so mike mcconnell sits up in his chair, and he realizes, this is our mission statement now. [laughter] so he goes back, and he gets the last reel of this film, and he has everybody in the senior executive at the nsa watch it. he tells everybody to go watch this movie, even take off the afternoon to go watch this movie, this is what we're doing now. he takes one of his best field officers, brings him back to fort meade, creates a job for him called the director of information warfare. and then all these kind of nascent cyber-type outfits around the bureaucracy and the military all of a sudden call themselves, this is when the air force information warfare center, they all -- information warfare is the new thing. that's where the money is, that's where it's happening. but what they really did do and then when hayden came along, they created something called the tailored access, tao. so these were the guys who figured out how to get into computers, how to make us not guess anymore.
5:32 pm
so the president says i need to get in this guy's e-mail, they figure out how to do it. they're the ones who break -- so the new codes, it's not phones anymore, it's not radio signals, it's fiber optickings. it's, oh, now they create an air gap where they unplug from the internet. how do we cross over the air gap? and there's something in the cia called the information operations center which it's kind of a joint operation. and they did this in yugoslavia the first time. they would go over and plant a device on a computer or put in a thumb drive, and that would insert some malware, and the nsa can get into it from that. that's how stuxnet happened, basically. so the tao, i mean, people asked me, they knew that i was doing this book, so they said, well, what can i do to protect myself? and i said, well, look, you know, if all you're interested in is keeping out, you know, petty criminals and kids
5:33 pm
trolling the net and, there are things you can do. there are things you can do that are pretty effective. it's like putting a good lock on your door, you know? and it's worth doing. but if somebody who really knows what he's doing really wants something that you have, especially if they're a nation-state, if they have the resources of a nation-state, there's really nothing you can do. and, in fact, you know, the pentagon -- this is skipping ahead a little bit, but a few years ago the defense science board had a special panel on cyber warfare. and they concluded that, they talked about the inherent fragility of our architecture, it's the same thing that willis ware had been talking about in 1967. the inherent fragility of our networks. all these things that had been built up over time, but it's an arms race. offense keeps up with defense. they reported, they looked at the records of a lot of red team/blue team war games, and
5:34 pm
the red team was hacking in. they always got in. they always got in. so now the buzzwords in pentagon circles for this, they don't talk about prevention really much anymore. i mean, you do, you try to, you know, you don't just leave your doors open, you know? you do lock them. but they're talking about detection and resilience. the important thing is that you can detect when somebody is hacking you. really fast. and resilience, you can kick them out and then repair or what damage has been done very quickly. that's what they're talking about -- they're saying the game is lost on keeping people out. i mean, yeah. again, you don't want to give up the game, but they're going to get in. they're going to get in. and, in fact, i learned this after i wrote the book, so it's not in the book. the navy, for example, is now teaching people how to use
5:35 pm
sexting to navigate with the stars because they think the gps might be hacked. our entire advantage in the military is built on things that are networked. and if they can hack into that, then, you know, it's back to, you know, m-1 tanks and m-16 rifles. i mean, what are we doing? so this' what people -- that's what people who think about this inside the military are very worried about. >> to puck up on that, i mean -- to pick up on that, i mean, one of the other themes that intersects with it is this dual-use nature of cyberspace. >> yeah. >> and which raises, i think, the important question of what this means for the nature of warfare going forward. if it's all about information and the adversary can attack civilian systems just as easily as military systems which may
5:36 pm
not be as well protected, what does this mean for if you're a student of national security? is this a game changer? >> well, it could be. i mean, you mentioned, you know, there are a lot of vital military networks that are unclassified. transportation, logistics, you know? somebody once said logistics is for professionals, strategies for amateurs. yeah. logistics. how do you get supplies over there? how do you get food, how do you get water? a lot of that is on open networks. and they played war games where people mess with that, you know? the air task orders, you know, they go over here instead of over there. or, you know, supposedly a plane is supposed to meet up with a refueling plane, but the refueling plane is way over here, so it crashes into the ocean. you can do a lot of funny
5:37 pm
business that and in a way that you don't even know that anything's happening. there's that sort of thing. in terms of the vulnerabilitying of infrastructure which is where all the things blew up about, you know, the idea -- and i don't know how much i really buy this, but the idea that, you know, there's a scenario in some war games that was, you know, china is exerting pressure on taiwan or in the south china sea, and they say, okay, you take your aircraft carriers out of here, or we're turning off all the lights on the eastern seaboard, and maybe they do. and then what do you do? as china becomes more plugged in, you know, deterrence begins to set in because we can do the same thing to them. a country like north korea, iran, this kind of thing? they don't have anything to hack so, you know, what is the response in kind? i don't know. but things like that can conceivably happen, and the
5:38 pm
interesting thing about civilian intervention over the past few decades as the military has become more aware of this, they have reduced the number of intersections between their own networks and the outside internet to about eight. it used to be a hundred. now it's about eight. so the nsa can it on those intersections, and they can do that dealey because they have the -- legally because they have the legal right with the military networks. so they can actually see when somebody's coming over. it's pretty good. civilians, even civilian government, there are hundreds, there are thousands of these intersections. there's no way that you can -- even if the nsa had the legal right to do this, which they don't, there's no way you could -- or department of homeland security which supposedly has, they don't have the statutory power to do this, but they're really out to lunch on all this stuff. so there's nobody who can do this.
5:39 pm
so this is what has led to a policy of cyber offense. quite a long time ago they came up with this computer network defense, cnd, computer network attack, cna, and then there's something in the middle called computer network exploitation, cne. now, this is a dual-edged sword. cne means you want to get inside the other guy's network, roam around, see what's going on. you could say, in fact, this is active defense. it's really the only way i can tell whether they're planning an attack. i can hack into their networks and see what they're doing. at the same time, it's just one step short of computer network attack. you in there -- you're in there, all you have to do is push a button, and you're attacking. okay. we're into their stuff this way, they're into our stuff this way. it's kind of generally accepted that they can do this and that we can do it to them and they can do it to us. to what extent, how much, i don't know.
5:40 pm
but one reason they're able to do it is that for years, ever since back to this reagan plan in '83, this directive and then the clinton plan as well, they've tried to get critical infrastructure which is all privately owned to kind of, you know, man up on this and get some security going. banks have actually done pretty well with this because, you know, what are banks into? they're into taking your money and making you feel trusted, you trust that your money won't get lost. so there are actually some very good information security departments within banks. and while we hear a lot about hacking into banks, there are thousands of attempts a day on, like, chase manhattan. not very many get in. but power companies, electrical power grids, you know, dams, things like this, they really still aren't paying much attention because, first of all, okay, you given us some advice on what is best practices. maybe i'll spend $10 million
5:41 pm
getting there, but it seems to me the other guy, the bad guys, will just work some way around that, and i'd spend another $10 million. and besides, the amount of money it costs to do this preventively isn't that much less the cost of cleaning it afterwards and maybe i can get you, the government, to pay for it anyway. one thing that clark tried to do when he was in the white house was to lay down some mandatory security requirements for critical infrastructure. but lobbyists always resisted this. the secretaries of treasury and commerce always resisted it. because, you know, you're going to impede r&d, you're going to make their servers slower, it's going to reduce their competitiveness. all of which is true. i mean, you know, these people aren't evil, but they have their own self-interests, and their self-interest is contrary to what this kind of interest is. >> and we've observed over the last few years the regulators have actually gotten more
5:42 pm
interested in this space. until i realize your book -- read your book, i appreciated just how far back the tension between the dod and the rest of government, exactly how much, how involved -- >> i mean, for example, president obama -- yeah. president obama just signed something called the cybersecurity national action plan which if you read the book sounds a lot like about eight or nine other commissions that have been formed or planned over the last 20 years. he's done a few things interesting in this one that haven't been done before, but one thing he's done, it's half a good idea. he created something called an information security, a chief information security officer for the whole federal government. but the thing is, this guy -- there's no executive order giving him the power. so this guy, it's kind of like the director of national as well as. he's supposed to sit atop all of
5:43 pm
this, but he doesn't have any authority to hire anybody or fire anybody or set budgets. a real guy like this would have the authority to go to an agency which is just -- [inaudible] and they have passwords that say, one, two, three, four, five. okay, i'm taking you off the internet, and you have a month to fix this. nobody has the power to do that, you know? you know, one thing that several people told me is that they learned just the executive branch in general, maybe some of you know this, people going to the executive branch and saying, come on, i'm going to set policy, i'm going to create policy. well, about 10% of it is creating policy, and the other 90% is implementing it and then going back time and time and time to make sure it's still implemented. and this implementing part is what has, again, except within the defense realm, is what has always been lacking in this. and, again, this is something that's not new. it didn't start with stuxnet.
5:44 pm
it's something that has been known on a presidential level for more than 30 years. >> we hope that michael daniel and his wife seen here a few weeks ago at the rollout, what michael would tell you is that one reason to set up a commission is to sort of not necessarily create new ideas, but to take ideas that everybody has and build bipartisan interest in them. >> when it works, it works, you know? this commission that i talked about, that really did have an impact in the early '90s. sometimes it's just a way of sloughing it off. >> yeah. and, you know, i think for all of us, we're rather hoping -- >> but in this case, i mean, this thing is going to land on the doorstep of the next administration. i mean, the commission -- they fixed the commission. the held of the commission a few -- the head of the commission a few weeks ago, i don't know if the other commissioners have been chosen.
5:45 pm
they don't have clearances, they have to be vetted, they have to find a space to work. this could take months. so let's say it'll be completed on january 17, 2017, and treated by the next administration the way that everything from the previous administration is treated by the next administration which is something to, you know, put your wobbly desk on on to top of. >> once the new administration has readjusted the furniture and gotten into office, you arrive with a copy of your book. what lessons should they take from that about how they should go forward? >> oh, well -- >> what can they learn from the history that you've just written? >> right. you know, i don't want write books -- i don't write books that have explicit policy directives at the end. i wrote one book kind of like that, but, yeah, they would look at that. well, again, i hope that some of
5:46 pm
the lesson is taken from the subtitle. there is a long history of this. this has been going on for a very long time, and read the histories as you would case studies and see why this actually led to something and why this didn't lead to anything and try to make it seem more like -- i think one thing, you do need, i think and just to say ignore the resistance, something like this, you need somebody in the executive branch who does have a lot of power to get, you need, you know, they all -- czar is now one of the most overused words in washington. he's the energy czar, he's the -- you need to create a czar. and who has direct access to the president. and the president who at least is kind of interested in this. i mean, the problem is, of course, i mean, i don't know how these people who work in places like the white house, i mean, i
5:47 pm
wouldn't be able to stay awake, you know, in this kind of dead zone. you have got 20 crises hitting you every day from 30 different subjects. and then somebody comes in and says, you know, we might have a problem with critical infrastructure, you know? it's just like -- [laughter] excuse me, i've got people being kidnapped and killed over here right now. your 30-year plan on the cybersecurity, let's put that -- it's like that scene in all the president's men where the editorial meeting and one of the editors says, man, i think home rule might have a chance this time. i think we ought to put it on the front page. it still looks very theoretical to a lot of people. and it looks something distant, especially -- and when you have crises building up where something has to be decided tomorrow, you know, it is very difficult to focus your attention on something as complicated as this. and for which there doesn't seem to be an obvious solution. there's something, okay, well,
5:48 pm
yeah, let's flip this switch on. if it were that easy, it would have been done a long time ago. but it's not. >> we have a room full of people who are focused on this issue, so now is an opportunity to take some questions. so please, when i call on you, identify yourself, give your affiliation, keep your question short, end it with a question mark. gentleman in the maroon sweater. >> yeah. ken meyer, world doc. a few months back wall street, united airlines and "wall street journal" all came down more or less simultaneously. you think that was coincidental? >> i mean, i don't know. some things really are coincidental, you know? but i think "the wall street journal," wasn't that the syrian electronic army or something like that? that's what i remember.
5:49 pm
i mean, the thing is there are now about 20 nations whose military have explicit cyber units. i mean, some are, some are better than others. i don't know how many much cyber -- the cyber electronic army, you know, is very good at hacking into "the new york times" and "the wall street journal." i think "the new york times" has now hired fireeye to do their security, so maybe it's a little harder to get into, you know? so, you know, i don't know, and i don't know if anybody knows, and, you know, another thing about, you know, if somebody launches a ballistic missile at you, you can kind of trace the arc. you can see where it came from. they're getting much better at tracking cyber, but you're launching a cyber attack, you can hop from one place to another to another, and you can disguise where you came from ultimately. they're getting better at tracing that. but it's still not a 100% thing.
5:50 pm
do you want to know the reason why we know that the north koreans attacked sony? any yeses? [laughter] well, basically, they weren't doing this in realtime, because there was no reason to. we are so infiltrated into the north korean computer network that going back into the files, the elite nsa hackers could actually watch on their monitors what the north korean hackers were watching on their hon to haves -- monitors while they were doing the hack. in that case the fbi said we have extremely high confidence that north korea did this, which is unusually certain language in these things. and do you remember a lot -- initially, a lot of computer experts said, no, i don't believe it. this looks more like an inside job, can the north koreans really do this. but, no, they absolutely knew, and that's how.
5:51 pm
>> gentleman right in the back and then gentleman here and then over here. so we'll -- gentleman in the back. >> hi. my name's ethan berger, i'm with cybersecurity center. and i'm wondering if you looked at the commodities sector in terms of the stock market, the commodities exchange, because from my perception since just a bunch of numbers on a screen, you're free to mess up the economy of a country -- [inaudible] and if you're a foreign power, do a lot of damage to a country's economy. >> oh, yeah. >> i wonder if you've looked at it or if you know people who are. >> it wasn't the focus of my book but, sure, that's part of it. and, you know, one thing that's interesting, the intelligence
5:52 pm
community knows how to get into every foreign nation's bank accounts. they know where the must must ms being kept. they have made an explicit exception. mr. president, we know where mr. putin's bank account is, saddam hussein's bank account is, and there's been a decision made by the cabinet that, no, listen, we do not want to go down that road, because it can go the other way. they did mess with the bank accounts of milosevic's cronies. they can do that sort of thing, but there was an explicit decision because of the backlash. they don't want it happening to us. now, does that mean somebody could do it to us anyway? i mean, look at opm, you know, office of personnel management. they have everybody's personnel records which were not protected as all. and, you know, that kind of thing, remember, they asked clapper about this. and he said, are we -- what kind of retaliation are we plotting
5:53 pm
against china for doing this? well, you know, this wasn't an attack, it was an intelligence operation, and it's similar to certain things that we do sometimes. i don't blame them for getting into this ridiculously-unprotected network. [laughter] it's not like they were attacking anything, they're just getting information. it's like intelligence but on a grand, grand scale. but in terms of messing with the stock market or voting tabulations or -- yeah, no. it's all out there and open, and is, you know, we don't know. what if -- this has been going on for decades, as i keep saying, and there is only now a defense science board panel writing a report on cyber deterrence. and one of the things that they're trying to do is to define what that means. you know, like what are you trying to deter? is it really the government's responsibility to deter or an attack on a bank?
5:54 pm
or two banks or ten banks? is it just government facilities? how do you define what -- you know, nuclear deterrence, it's pretty clear what deterrence means. cyber deterrence, so what are you trying to deter, how big an attack, you know? at one point -- there was -- robert gates asked at one point when he was secretary of defense, at what point does an attack like this constitute an act of war? and two years later the lawyers in the defense department said, well, yes, under certain circumstances this could -- [laughter] they couldn't define it. because nobody has. it's not, it's not ab issue for lawyers -- an issue for lawyers in the pentagon to define. there has not been, and, you know, with nuclear weapons there's a very, very thick red line between using nuclear weapons and not using them. and that's one reason why nobody is using them in the past 630 years, because you -- 60 years, because you don't know what's
5:55 pm
going to happen afterwards. there are cyber attacks going on thousands of a -- of times a day. and nobody knows where each individual country's cyber line of attack is. the first time a president said we are going to retaliate against this attack that just happened was when the north koreans attacked sony over a movie. i mean, who would have thunk that, right? i mean, there are many opportunities for misunderstanding, miscommunication, things getting out of hand because one person's nuisance turns out to be another person's grave national threat. and then what happens on day two? i mean, nobody -- people, i mean, i was interviewing this one guy pretty high up in intelligence. he, i interviewed him a few times before. we sit down, he says what's your thinking about cyber deterrence? i said, you know, i don't know,
5:56 pm
nobody seems to know. he said, oh, it's a shame, i'm on this panel, i thought you might want to be on it. i thought, oh, my god, their considering asking me. i would never do it because it's classified. they're so desperate, they're asking me if i'm interested in joining this science board on cyber deterrence. it's something that they just have not thought through. and part of the reason is that for decades this has been tied up in the nsa which, you know, the joke used to be that nsa stood for no such agency, you know, the most classified. and so even when the bomb went off in 1945, certain things about that were classified. but the general workings and, certainly, the effects were well understood. and from the very beginning, you had civilian strategists thinking about, well, what does it mean? how does this affect war? what does deterrence mean in this context? can we use these weapons?
5:57 pm
you had serious people who were not wrapped up in highly classified things with the military thinking about this and actually having influential thoughts. in cyber, until very recently, you have to have like a tssci clearance to know about a lot of things that are even going on. so there's nobody who can think about this who is really in a position to think about it. and, in fact, the title of this book, "dark territory," i'll tell you where the title comes from. it's actually a pretty good story. so when i write my books, i always say, oh, the title will emerge from my notes. okay? it never does. but this time it did. i was looking over my notes from an interview with robert gates, and he was saying he was talking with a lot of his colleagues, cyber attacks all the time, and he was thinking, you know, we need to get together with the other major cyber powers to figure out some rules of the road. because, you know, what kinds of targets we can't attack. even the depths, the darkest
5:58 pm
depths of the cold war, there were some rules. like americans and russians, they didn't kill each other's spies. something as simple as that. it just didn't happen. there's nothing like this. and, you know, we're wandering in dark territory here. and i said, there's the title of my book, "dark territory." so then i looked it up. i did a google search on dark territory, what does this mean? i don't want to have some obscenity. [laughter] so it turns out that this is a term of art in the north american railroads to signify a stretch of track that is ungoverned by signals. and i'm thinking, wow, that's just perfect. that's a perfect metaphor. so i wrote him an e-mail, and i said, did you know this? he said, oh, yeah, my grandfather worked as a station master on the santa fe railroad for 50 years. we talked railroad terminology around the house all the time. so that's where -- it's a perfect description of what's going on except that, you know, the stretch is much bigger, the engineers are unknown, the
5:59 pm
consequences of a collision are far more cataclysmic than, you know, two trains running into -- that is the situation we're in now. >> do i have -- i have no interest in speaking for the u.s. government or right, but i think they would tell you that there are beginning to be some elements, established norms in relation to the chinese and -- >> they're talking about, they're talking about setting up a forum to discuss a process by which they can discuss rules of the road. i mean, it's kind of that far out. but now, you know, that was -- gates said this when you were talking about there's russia, there's israel, there's france, there's china. now, how do you bring north korea and iran and syria? how do you bring these guys into this cooperative back room, you know, the five family meeting in a back room someplace to discuss
6:00 pm
how to divvy up the heroin market, you know? how do you do this now? it's a tough one. there's a document, one of the documents that snowden put out is something called ppd-20 which was cyber operations policy. and it had certain things that different departments were going to do. and one of them was precisely this, you know, setting rules of the road kind of thing. state department. then there was a progress report like a year later, you know, pending. progress report for this was pending. it's the hardest thing in the world to do because the other thing is we don't, you know, if you're going to say, okay, let's stay out of each other's whatever, you know, electrical power plants, that means you've got to stay out too, and how can this be verified anyway? how do you know that they're not -- the one time, the first discovery of a known intrusion
6:01 pm
into a classified network happened in 2008, it was an operation called buckshot yankee. and they discovered soviet, russian ups and other things -- ips and other things. and the way they discovered this was they were pretty confident they had the entrance points blocked, you know? and somebody in the nsa said what if somebody's already in there messing around? we ought to go look through the networks and see if anybody's in there. and they discovered somebody in there. so if they hadn't gone looking, maybe he'd still be in there. so it's a very, you know, we're talking about things where you've got zillions of lines of code. there might be malware taking up 150 lines of code. how do you even detect that? how do you detect 150 lines of code within something that's, you know, millions of lines of
6:02 pm
code? be it's very difficult. >> should just say buckshot yankee caused a significant, if nor no other reason that it leads to the establishment of u.s. cyber command. >> well, that's true. what happened was, so on a friday afternoon the guy in charge of this unit called the information assurance directorate in the n, a which does the -- nsa which does the defensive stuff, he comes to the director, general alexander, general, we have a problem. here's the thing. within five minutes they come up with a conceptual solution. within 24 hours they have devised a solution, tested it and put it in motion. within -- so general gates is watching this from the pentagon where by monday morning people are alerted to this, and they're going around counting the number of computers that might be infected. and he's saying, this is ridiculous, you know? here i am, you know? this has been going on, and they don't know what to do.
6:03 pm
so he did what people had been urging him to do for a while which is he set up something called cyber command and put the director of the nsa in charge of cyber command as well. and that is when the unit key of offense and defense, what happened. but, you know, the problem with it and, you know, under the premise of offense and defense, same technology, it's the same -- and the only company that knows how to do this ask -- is the nsa, and everybody else is completely out to lunch on it. but the problem is we now have $7 billion being spent on cyber command. they have links with all the combatant commands. they're devising war plans. they have action, battle plans, you know, all kinds of attack plans, tens of thousands of people assigned to this. you go to, like, the military academies, where's your area of growth? oh, it's cyber, cyber. and yet, as i was just saying a bit, a few minutes ago, nobody
6:04 pm
knows what they're doing. there's no concept of deterrence, there's no concept of what happens on the second day of the cyber war. so you have this whole machinery, and it's all incredibly classified. this machinery growing up, and you're going way advanced in the technology field before even the finished layer of policy and strategy have been really cemented onto the foundations. so that's kind of a dangerous thing. >> i'd love to dig into this, but i -- the gentleman in the middle, and then i think there was a gentleman over here. >> you answered my question -- [inaudible] >> oh, okay. [laughter] >> then gentleman in the white shirt. >> hi, david spencer, georgetown student and army officer. so what do you propose we do to respond to strategic-level cyber attacks, and that was it. >> well, what do you mean by
6:05 pm
strategic-level cyber attacks? >> so an actual cyber attack rather than cyber espionage -- >> on what? >> so strategically or hypothetically in this situation not, not energy, but another critical infrastructure sector, say transportation. >> well -- [laughter] if i knew the answer to that one. well, you know, one thing that's true about our economy, i mean, it's not centralized. so, you know, if you shut down, you know, the subway system in new york, it doesn't really affect much of what goes on in washington or in san francisco, you know? some countries if you shut down can, like, the transportation in tokyo, you really kind of mess up all of japan. but in electrical power, you know, they are extending, the smart grid, you know, which is, like, stupid grid for cyber
6:06 pm
purposes. but still, it doesn't take up the entire country. but, i mean, you know, in some ways, you know about data, you know, everything is hooked up to the computer networks now. and this is for perfectly rational reasons, you know? it's cheaper, you have more economies of scale, you you don't have to have personnel, you have everything monitored by sensors, and it's all -- makes perfect sense. >> [inaudible] >> oh, well, god, i can't even remember what the initials stand for. it's basically that everything is controlled by computer networks. you know? you don't, like how did stuxnet work? they didn't shut down the centrifuges, they shut down the -- they manipulated the control devices that were governing how fast the centrifuge were spinning, okay? so it was the control device way away from -- same thing.
6:07 pm
so you can, there's something that's controlling the amount of water going in and out of a dam or the amount of voltage flowing through the electrical line. so you don't deal with the hardware, you deal with the soft -- [inaudible] in some ways, i mean, you know, it's like what willis ware says. once these networks are set up, it's hard to come up with a way to defend them. you know? the trend in economics and commerce is to make them more and more centralized, you know? a company would want to have something going out the entire southwest region of the united states controlled by this one set of, you know, when this was done, when this commission that clinton set up, maybe go talk to the industry heads. and they'd say what are you doing about security? the head of some train company or pg&e. they looked at them, security? what do you mean? they hadn't even thought about
6:08 pm
this. so you can do things to make these networks more secure, but more secure isn't secure. maybe, you know, the barn door's been open for years, and the cows have all escaped, and, you know, short of starting all over -- which nobody's going to do -- and it's hard, and, you know, it's like when a company, companies can do this, like, on their company. like, you know, they will control. and so sometimes they'll go to the government, and they'll say what can you do to help us? and they'll say, well, one thing we could do is to have the fbi, which really means the nsa, just sitting on your network. do you want us to do that? they think about it for a minute, and they say, well, no, not really. well, that's, that's what we can offer you. [laughter] however, we can give you some
6:09 pm
ideas. some of these things that obama has set up, these information-sharing ideas. here's some things that we do. come in for the secret-level briefing, and here's some tools that you can use and, you know, here's what we do over in the justice department, and here's what -- yeah. go off and do that. but, again, you know, that might work for six months. you know, this is a tough one. it's just, this is, this is not a book with a terribly happy ening. >> it's also the case though that there's been a couple of decades since people started talking about cyber pearl harbors, and we haven't seen that devastating attack. >> it's true. >> you might argue there is some kind of deterrence, but it's not deterrence within cyberspace that -- >> well, and, in fact, we have said, the government has said we reserve the right to respond to a cyber attack by non-cyber means. there is a certain amount of deterrence. and, you know, russia and china
6:10 pm
now have more of their stuff hooked up to computer networks. the more that this happens, that kind of mutual assured destruction thing rises up. but, again, it's the wandering in dark territory part. there is no solid red line. and that's where it seems to start to go haywire. >> so let's start at the front here and work our way back. >> [inaudible] >> could you wait for the people who -- >> frank ostroff. question, well, in many areas u.s. is the technology leader. everything i've seen suggests government is slow and behind, technology leaders. as far as you're aware, has the government done anything to create classified or a clean room or some kind of safe environment for our technology leaders to be talking to them
6:11 pm
about what they're working on so that the government could be aware and leverage that? >> there has been that sort of thing in some defense industries. there was something created,dsb, defense security base? anybody here -- anyway, there are lots of interchanges like this with, you know, lockheed martin or -- luckily, there are only about three big defense companies left, so it doesn't require that much. but there are things like that that are available. and, you know, in recent years, again, there are information-sharing systems with even banks. you come in for the brief, and here's what you can do. but, no. and, you know, when dick clark was this cyber guy in the white house, and dick has a certain authoritarian personality, he wanted to control everything. and he wanted to lay down mandatory security requirements.
6:12 pm
and he wanted to create something called fib net. it was basically an internet for critical infrastructure where their internet would be hooked up to something like a government agency which would be able to tell when they were being hacked, and they could come to the rescue. but, again, government, i mean, private industry didn't want that. and the commerce department didn't want it. and the treasury department didn't want it. so that idea kind of went by the wayside. again, it's hard, you know? you have to accept the whole package. and most people don't want the whole package which is why the nsa is, you know, by statute prevented from doing certain things in a domestic context unless they have a court order or letter signed by the attorney general. there are some very good people. i would say even ahead of private industry in certain respects in the nsa but, again,
6:13 pm
they can't really show their stuff with -- >> [inaudible] lock he'd martin -- [inaudible] >> yep. no, they're slow. >> speak into the mic, please. >> they were saying lockheed is very slow. >> yeah. so that's what i'm thinking that there, you know, the government should make the effort to do what it can to make the fact that innovative companies like mine or other companies, we need to make them comfortable about what they're doing, because it would be a decision advantage for the u.s. >> yeah, but, you know, then again, when you have a big corporation, it's hard to do that. one of the hackers in my book, this guy named mudge, we went to work for dartmouth for about 18 months, and he created 140 projects, the most expensive of which cost $100,000, which did all kinds of very interesting things in cybersecurity.
6:14 pm
he was the guy who funded that experiment where the guy hacked into a jeep cherokee to show people that, hey, this is vulnerable, you've got to do something about this. but, it's got to be very -- i've always thought like, you know, the obamacare online program, it's such a mess because they gave it to an aerospace company. what they should have done is picked, like, the top ten graduates from cal tech and mit, given them a couple hundred thousand dollars apiece and put them in a room and said, okay, here's the task, go work on it. that would have been a much better way to do government i.t. of any sort. yeah, you're absolutely right. it's way too bureaucratic, and also it takes, like, you know, a couple of years to get a system going, and there's already been three psychs of up-- cycles of upgrading the offense, defense, cyber arms race. so, no, it's insane. >> just this week ash carter's
6:15 pm
been out in silicon valley and announced the establishment of a defense innovation advisory board with the chairman of our board chairing that, eric schmidt. so -- >> he, you know, deigned to get involved with it, yeah. >> and also on wednesday at our conference we have commerce secretary suzanne spaulding from dhs, security official specifically trying about public/private partnerships, and please ask that question then. >> yeah, see what they say. >> gentleman here. >> mark broadsky, retired physicist. spent a lot of my career at ibm. if i look around in the defense department, a very vulnerable place to attack or intercept signals would be the drone program. you would think, you know, somehow those signals are going out over the air someplace and to be summit to fiddling --
6:16 pm
subject to fiddling with. any stories about that attempted or happening? >> there have been rumors that's why certain drones attack. the thing about drones, they're very localized. it's in this one area. but i get -- there is this signal that goes from the command in nevada or whatever. but even so they would have to have, i mean, hacking certain things, it's not actually easy. you know, they would have to have certain things located where they could get boo this signal. into this signal. and, in fact, there are redundant signals with this, and they change channels fairly frequently. and also how, is it really worth it? i mean, is it worth expending a lot of effort to get into the signal of one drone that is going to attack something? or maybe it's even signaling a drone that's just doing surveillance. it's a lot of effort to go after one thing that's not maybe going to do much to your own
6:17 pm
interests. but that's for a localized thing. if you're talking about within a network which sends -- well, for example, i'll give you an idea. one of the early cyber war games was something that had just been created at the time called the 609th information warfare wing. and they had a little war game where, you know, they're going to hack into the command and control, and basically, they did some of the things that i was talking about which is they messed with the air traffic orders, a refueling plane was sent over here, they didn't get their water in time. that kind of thing could be done. that stuff is still very vulnerable. the thing about the drones is that it is a very narrow bandwidth, and, again, they change it a lot. it's to one thing, and maybe you've hacked into the signal of this one drone. you know, you don't even know what this drone is doing.
6:18 pm
it'd just be a pot shot, and then it crashes x what have you -- crashes, and what have you proved? maybe it just happened that that drone -- drones crash, you know? it happens. and it's not that big a deal because there isn't a pilot in there. so, you know, and they're cheap relatively. but, yeah, there were some rumors. there were a couple of things that crashed in iraq, and somebody claimed that we hacked, that they hacked into it, but i've never seen that verified, and i don't even know if it's verifiable. so, yeah. >> we're watching, sort of watching the u.s. watching -- >> there could be that. like, what is this, what is this drone look at? you could hack into the field. that's possible. and then you could learn things about what the u.s. was interested in, the kinds of things they're watching. >> we're running short of time, so with we're going to group tht few questions, four questions. >> and i'm going to be signing
6:19 pm
books out there. >> fine. so i'm going to take on this side, gentleman in the light jacket and gentleman in the back behind. if we have time, we'll take them, if not, but fred will be happy to answer your questions when he's signing books. >> hello. martin mctarian, i'm a graduate student at george washington cybersecurity. you were going to talk about it early, and you never circled back to it. why do you think there has not been a cyber terrorist attack of any note? >> ah. well, i think right now they don't have, they don't have ability to do it. i mean, again, it's not -- you don't need to have a manhattan project, you know? you need to have a room full with some pretty adept people at computers and the computers to do it. i don't think isis has that. i don't think al-qaeda has that. now, what they -- there's reports that they're been shopping around for freelancers or to do that. but maybe this aren't that many freelancers who are willing to
6:20 pm
work for -- who can do this who are willing to work for a terrorist organization. and, you know, the intelligence community has it eyes on certain blackhat hacker groups that do work for bad guys. you know, like this outfit dark soul which does stuff for the north koreans who are operating out of singapore and thailand. they know pretty much what these guys are doing. so, yeah. but, again, it's not, it's not something that's inherently impossible, it's just i think that -- and isis, you know, they have enough money that they actually do get a permanent foothold, that's something that they could get invested in. i think al-qaeda it was still a little early in their heyday. so it's not out of the question. but i think the conerer generals of force -- convergence of forces hasn't happened yet. >> does have a really dramatic
6:21 pm
impact -- [inaudible] >> yeah. >> okay. so last question in the -- [inaudible] >> my name is ron robinson. i'm interested in your opinion on the struggle between the fbi and apple. >> how much time? [laughter] >> talking about, you know, industry being ahead of government. >> right, right. okay. so there are a few things to say. i've written some columns about this in slate if you want my more elaborate thoughts. i think both sides are being a little bit disingenuous. the public statements of both sides do not really coincide with what they're up to. well, apple's a little bit. but fbi, i think, really doesn't need the information that's on this phone. i mean, they already have the metadata. remember all the discussion of metadata? like, the business record of what numbers my phone has dialed and what numbers have dialed my phone. that's already out there. that's not in the phone.
6:22 pm
they could have got that already from verizon or sprint or whoever. that's out there. in fact, the nsa director said in an interview that there are no foreign numbers in the metadata that they've seen. so i don't know what's in this phone that they need. if they really wanted, they thought there was something in here that we need right now for national security purposes, they could have sent a letter to the nsa, the nsa believed it, they could have gone to the attorney general, gotten an order, and they could have hacked into this phone in certain ways that did not require the active cooperation of apple. they can do -- there are many wayses they can do this. ways they can do this. same time, apple -- so i think, basically, what the fbi is trying to do and i think apple is right about this, they are looking for a new legal precedent that gives them authority to do this sort of thing before encryption gets really, really hard, this new generation of encryption which
6:23 pm
is going to make it much harder for law enforcement and intelligence. not impossible, but much harder to break into. apple, however, i -- when this started happening, i talked with a number of people, kind of whitehat hackers, some ex people in the intelligence agency, and i'm pretty convinced that there's a way that apple could have cooperated without having to write a whole new operating system which they say they were being forced to do, and it violates their first amendment rights and their whole commercial image and everything. the fbi could, you know, the way that this works is, as you know, they don't want them to unlock the phone, which apple has done 70 times, by the way. so the principle of we don't want to cooperate with this is a little bit blown to begin with. but they want them to, there's a security feature that if you type in ten pass codes and they're all wrong, then all the data disappears. what the fbi could do and, in fact, what they offered is, okay, look, you create a
6:24 pm
program. we don't even have to be in the same room, we'll have nothing to do with it, just change that so that the data is erased after a thousand tries or ten thousand tries. then we'll come in, or even you could come in, because there's commercially-available password sniffer programmings that just, you know -- programs that just, you know, brute force, like 5,000 passwords a second, you know? eventually you'll get in. but we need to have you take away this layer first. i'm told -- and, again, i'm not a computer scientist. i don't know. but i'm told even by people who are very much on apple's side in this that there are ways they could make that change without writing a whole new operating system. i think what they are concerned about is once they succumb to this, then that could be the precedent for succumbing to other things or for the chinese saying, hey, that thing that the fbi had you do, we want you to do this with -- although i think the chinese could do that
6:25 pm
anyway, right? i don't know why they need the precedent of the fbi. so i think it's a peculiar case though for tim cook to make this a big deal. somebody very much on apple's side said i don't know if i wouldn't just quietly cooperate on this one. because you're talking about the guy is dead, so he has no pryce rights. he -- privacy rights. he didn't own the phone. san bernardino county owns the phone. they've already given their consent, yeah, you can do whatever you want. and we're talking about a guy who shot up a room full of people and had been in touch with isis. so for legal reasons, constitutional reasons, practical reasons and political optics, this doesn't look like a great test case for apple. some people are a little puzzled. and also, you know, some of the bigger brethren in silicon valley are writing amicus briefs, it'll be interesting to read those, because they've not
6:26 pm
too nuts about this. look, here's the thing, if you have a contract with the government -- which apple doesn't, but these other guys do -- you want to sell an operating system to the government, say the defense department. it has to be vetted for security by information director of the nsa. the first windows program that went lu this process, the nsa found 1500 points of vulnerability in the program. now, then they helped them patch it. but not all of them. they left a few open, you know, so they could get into it later. and microsoft knew that, and they were fine with that. a few years ago google, their chrome system, the source code was hacked by the chinese. the nsa helped them repair that problem. so they know -- there's been this two-way street. and i, you know, when they all got -- when the snowden stuff came out, oh, my god. i liken it to the scene in casablanca where the captain
6:27 pm
says, i'm shocked, shocked there's gambling going on while the cruise director delivers his winnings for the night. so there's a bit of hypocrisy. tim cook, it's partly his commercial brand, but he really does believe in this very strongly. in fact, somebody at nsa told me they often go the companies and say, you know, can we talk about a meeting for issues of mutual interest? cook has never had one of these meetings. he's not interested in having these meetings. so among the industry of libertarians, he is, you know, he is aiming for purity. although again, you know, i forget, in fact, maybe he wasn't chair at the time when apple opened up these other 70 phones. but the way that both sides have elevated this battle to a battle of principle, it could el up having -- it could end up having, and the other side is let's say they win the court battle. what i'm worried about is that somebody passes a law and, in
6:28 pm
fact, senator feinstein has co-written a law that would just require companies to strip away their encryption if presented with a lawful warrant. now, that's going a lot farther than what the fbi wants apple to do in this instance. so my worry is that especially in the current climate with terrorism and people worried about elections where their opponent in a primary accuses them of being soft on terrorism that the backlash of this could be really severe. so, again, i'm not quite sure why he decided to make a big political issue of this as a test case. >> again, wednesday we have peter swire, a member of the president's review group on intelligence, communications, technology and post-snowden and michael -- [inaudible] both featured in fred's book coming to debate this very issue, so please come and join us. fred, final word. what is the one thing that we
6:29 pm
should take away from your book and the one, the one thing that people should buy this book in order to understand? >> it's really a lot of fun to read. [laughter] how many cyber books can you say that about? [laughter] >> ladies and gentlemen, thank you very much for coming. [applause] fred, thank you very much. [applause] [inaudible conversations] >> this is booktv on c-span2, television for serious readers. here's our prime time lineup.
6:30 pm
starting shortly, from last weekend's tucson festival of books, a panel on human rights with teresa duncan, margaret regan, followed by an interview with margaret regan, author of "detained and deports." then at eight, former first lady laura bush discusses the progress of women in afghanistan since 2001. on "after words" at nine eastern, former bush administration official john yoo looks at the growth of presidential power during the obama administration. and at ten, law professor dana matthew reports on racial inequalities within the american health care system. and we wrap up booktv in prime time at 11 with adam cohen. he looks at the use of eugenic sterilization in america by telling the story of carrie buck, a healthy young woman deemed an imbecile and sterilized in 1927. that all happens next on c-span2's booktv. first, a panel on human rights. ..


info Stream Only

Uploaded by TV Archive on