Shane harris talks about the militarys use of cyberspace to wage war. He discusses the involvement of private Companies Like google and microsoft in this fifth domain of warfare. This hourlong Program Starts now on booktv. Im pleased to welcome shane harris this evening to discuss his new book, alt war the rise of the military complex, in which he chronicles the fifth domain of warfare. He explains how Government Agencies are teaming up with the likes of google and microsoft to monitor cyberspace and collect information and what that means for us as individuals and a nation. This is harris second book. The watchers the rise of americas surveillance state, won the Helen Bernstein book award for excellence in journalism. Hes currently a Senior Writer covering intelligence and National Security at the the daily beast, hes also worked as a Senior Writer for foreign policy, and his work has appeared in the new york times, the wall street journal and the washington post. Hes also a fellow at the new america foundation. Were pleased to welcome him back for his second appearance at politics prose. Please help me welcome shane harris. [applause] thank you very much for that great introduction. Thank you all for coming out on a night like tonight. You could be sitting on veranda someplace drinking wine and enjoying this summer evening that were having. So im glad you chose to come out here and spend it with me. Its great to see so many friends and colleagues as well. Ive been touring around with the book and speaking at a number of bookstores around the country, and this one really is just prized for the way that it brings people out in the community, and its so great to see such a large gathering. This is great for a book talk, so thank you very much. Youre making me very happy. So, um, this booker, war, its a story, but it really is a narrative about how it is that cybersecurity became sort of a fixation and a top priority for National Security in the United States right now. Cybersecurity, which we define as broadly speaking or threats in cyberspace to include espionage, cyber crime, attacks over Computer Networks that can damage physical infrastructure like disrupting power grids or disabling Water Utilities or affecting banks, the risk of these attacks for the past two years has topped the Intelligence Communitys list of global threats. Every year the Intelligence Community puppets out sort of the puts out sort of the big things that keep people up at night. James comey, formerly the Deputy Attorney general, has said that the risk of Cyber Attacks and a related rise in cyber crime will be the most significant National Security threat over the next decade. And hes putting that at the top of the list above terrorism. Just last week the director of the National Security agency, michael rogers, testified before congress that Cyber Attacks were costing hundreds of billions of dollars to u. S. Companies and that multiple foreign governments had probed the systems that control and regulate our electric power grid. He said this is not theoretical, quote a truly significant, almost catastrophic failure will occur if we do not take action. So how is it we got to this point where all of our top National Security officials are telling us that the risk of a catastrophic cyber attack, espionage against u. S. Companies is the thing we should be most worried about, and what does that mean for all of us who exist and use exist in cyberspace and use the internet every day . And that book tries to answer those questions. It starts with a story, and for appropriate, i guess, for a book like this a rather scary story, which ill relate to now. This begins in the summer of 2007. The ceos of the major defense contractors, the raytheons and Northrop Grummans of the world, are called to a meeting at the pentagon. They figure if theyve all been called here on short notice, this cant be good news. They are ushered into a room called a sensitive compartmented information facility. If youre a fan of homeland or spy movies, its the thing where you have to drop your cell phone outside before you go in sort of soundproof room that is actually impermeable to eavesdropping. You only receive the most secret of secrets. And these executives are brought in and sat down and given whats called a threat briefing where a number of military officials describe to them how hackers, believed to be in china, are accessing Computer Systems that contain some of the most classified information in the military, specifically things like plans for the joint strike fighter, the f35 which is to be our next generation military aircraft, as well as a number of other military programs have all been overrun by cyber spies. That seems pretty scary to these ceos, but whats even more scary is the spies did not access the information by getting into military networks, they got into the networks of these companies, the ceos companies. These hackers had made an end run around the pentagons rather formidable Cyber Defenses and attacked contractors instead that were working on some of the most sense ty military programs. Sensitive military programs. A lot of executives went in with dark hair, and when they came out, it had turned white. They were very disturbed to find out not only had these spies gotten into their systems, but that they knew very little about it. The pentagon says to them you have a security problem, therefore, you have a security problem. We have to do something about this, and youre going to take our help. What begins at this point is something that i think really epitomizes our Current National approach to cybersecurity. The pentagon teamed up with these contractors in an information and intelligencesharing arrangement. The contractors agreed to report to the pentagon threats that they were seeing on their network including when they had been breached. The pentagon agreed not to disclose this publicly because companies do not like to say when theyve had hackers inside their network. And in return the pentagon was going to provide these corporations with information that it was gathering from its own intelligence operations. Effectively, the fruit of espionage that agencies like the nsa were gathering about these threats in china and how they might affect american businesses. So this partnership, essentially, sets up whereby private sector and public are coming together for the mutual purpose of defending these Computer Networks. The companies are essential in this arrangement, and this is true across the board when we talk about defending Critical Systems in the u. S. Companies own roughly 85 of the Network Infrastructure in the United States. The government does not physically control it. So companies have to participate with the government in this intelligencesharing and mutual security arrangement if were actually going to protect the internet. The effort that began after that pentagon meeting became something known as the Defense Industrial base initiative or the dib which occurs throughout my book. About a hundred companies are members in this today. There were only a dozen or so when it began in late 2007. This model has now been expanded to other sectors of the economy beyond the Defense Industrial base. So today the National Security agency, via the Homeland Security department, showers this kind of Threat Intelligence shares this kind of Threat Intelligence with Internet Service providers in the hopes that they will then program those threat signatures into their own systems scanning for Malicious Software and intrusions and then protect the people who are their customers downstream. Big Name Technology companies have struck up relationships with the Intelligence Community. One that i write about in the book is google. Google, obviously, has a privileged kind of peering into networks all over the world. They move much of our Communications Traffic that were all using every day. Google struck up a secret relationship with the nsa in 2010 after it was hacked by chinese spies where they agree, much like the defense contractors, to share information that theyre seeing on their network in turn for the nsa providing information to them. So defending cyberspace and also spying in it and attacking in it has actually become a cooperative effort between the government and Intelligence Community and its technology industry. That is what im referring to, this coming together of these two powerful forces. And i am deliberately hearkening back to president eisenhowers military Industrial Complex speech from 1961 which ill talk about later. So this arrangement begins at the tail end of the bush administration, and it took a number of years for president bush and some of his senior National Security advisers to start taking the threat of Cyber Attacks and Cyber Espionage seriously. There had been talk about this at the highest levels of government for years. President bush was famously not the most technologically inclined chief executive. He once said that he used the google to look at satellite images of his ranch in texas. Not to pick on president bush, president clinton reportedly only sent one email in the entire time he was in office. The internet was a fairly nascent infrastructure at the time. Where this takes off, not surprisingly, is under president obama. Who, of course, used the internet masterfully in his campaign, very much our first internet president , you might say. President obama actually got a firsthand experience with Cyber Espionage when he was on the campaign and his Campaign Email system was hacked by spies believed to be in china. As an equal opportunity offender here, they hacked john mccains email system as well. So obama comes into office with a firsthand kind of glimpse of this and a real appreciation for the vulnerabilities in cyberspace. And pretty much from day one when hes given his briefings, his classified briefings about various National Security threats, cyber is placed very near the top. So not one to waste time, he adds a whole new dimension to the governments approach for dealing with this threat. In may 2009 obama gives a speech in the east room of the white house, and east room if youve been there, its a very, very large room, and its reserved only for the most momentous of speeches that the president wants to give when he really wants to draw attention to it. So he gives a speech, stands up and unveils his plan for securing cyberspace. He says that his Campaign Email was hacked. He actually acknowledges that the electrical grid, the systems that control the grid had been probed by outsiders. He doesnt say government, and he doesnt name them, but this is the president of the United States standing up and saying effectively our Critical Systems the things that control the machinery that we depend upon for our daily life are vulnerable and wide open to attack, and he intends to do something about it. Again, hearkening to this model that has developed, he says, quote the vast majority of our critical information infrastructure in the United States is owned and operated by the private sector. We will collaborate with industry to find technology to insure and secure and promote our prosperity. The internet is a Strategic National asset, and we intend to protect it as such. So you have obama really defining cyberspace as a National Asset even though it is something that is largely privately owned. So theres attention there as well. He sets out on a very Ambitious Program of putting the government at the center of efforts to try and secure cyberspace. Not to try and is control that, but to try and influence it. And i write more about this in the book. Whats important here is that obama, just like bush before him, is starting to see and to describe cyberspace as a battlefield. The military now refers to cyberspace as the fifth domain of warfare after land, air, sea and outer space. And it views trying to achieve supremacy there as vital as it is in the other four. To give you some sense of kind of how the military has prioritized this in particular, its always good to follow the money in washington, as we know. So if you were to take a look at the budget, the Defense Budget for cyber programs, in 2014 just in Cyber Defense programs mostly on protecting Government Computers and sharing intelligence with industry, the government allocated 13 billion on Cyber Defense programs. This doesnt even touch the offensive side of the ledger or Intelligence Agency programs. So 13 billion on defense. Putting that in perspective, in 2014 the government plans to spend 11. 6 billion on direct efforts to combat Climate Change which president obama called in his speech, quote the greatest threat of our time. So 13 billion on Cyber Defense, 11. 6 billion on Climate Change. The 2012 pentagon budget had the word cyber in it 12 times. The 2014 pentagon budget has the word cyber in it 147 times. So a twelvefold increase just in the mention of the world. N. , its become sort of a in fact, its become sort of a joke that its really the only part of the dod budget thats growing. If you want money for your project, just slap the word cyber on it. [laughter] a couple of weeks ago, the senior dod official joked he was starting to see a lot of proposals for things like cyber tank crossing his desk. [laughter] no such thing as a cyber tank. So government officials have really taken to talking about our vulnerabilities and the way that were victimized, the way that our companies are being robbed by spies which is true. But i think that theyre doing this, theres a bit of a cynical calculation in here. Kind of playing the victim is a good way of focusing National Attention and drumming up money for defense programs. But it tends to obscure the other side of the story, which is what this book is also about. Were quick to be a victim, but we are doing many of the same things that we blast other countries for doing to us and to our corporations. We really have become masters in offense in cyberspace. We have become very good at waging cyber warfare. And, in fact, it is going to become an integral component of how we fight wars in the future. And one story i like that i tell in the beginning of the book that i think really captures how cyber is being integrated into the physical realm of how we fight wars, this actually takes place also in 2007. Theres a lot of 2007 activity in this book, if you read it. Youll see this. Its kind of the year things took off. That was the in 2007 youll remember that president bush ordered tens of thousands of additional combat troops to iraq as part of the surge which was engineered to quell violence that was spiraling out of control in iraq, to prevent a civil war and in particular to do battle with an insurgent terrorist group known as alqaeda in iraq which later morphed into isis which were hearing a lot more about today. So those tens of thousands of troops go, we form alliances with sunni tribes to turn them against alqaeda in iraq. These are two pillars of the surge strategy, but theres a third pillar that i report about in the book. The nsa tapped into the telecommunications and internet infrastructure of the country of iraq and effectively owned the entire networks of the country of iraq. It intercepted every cell phone call, every email message, every text message. Now, what was it doing with all this information . Partly, it was to try and understand the way that these groups, these terrorist networks had organized themselves by studying the patterns of their communications. I write about a guy in the book named bob who was a young Army Lieutenant at the time who had deployed to iraq and was working in the signals intelligence group. So gathering up Electronic Communications for the army and working with the nsa. Bob was a real fan of the hbo series the wire. Have people watched this show . Familiar with it . Right . Theres a character thats an old Police Detective named Lester Freeman who decided hes going to unlock the hierarchy of the drug rings in baltimore who these shadowy players are not by walking the beat and trying to tap human sources, but by monitoring their cell phones. And particularly, the dispose able cell phones that they use for a couple of calls and throw away. Lester starts mapping out the networks of who these people are and who is important in the hierarchy. Well, bob did this as well. This information was then handed off to ground forces, boots on the ground, who would then go out and find these insurgents and capture or kill them. Some more of the daring exploits that i write about, they started sending fake Text Messages to individual insurgents posing as people that they knew and directing them to meet at a particular place where when they got there, they fell into a trap. They penetrated web sites that were used by these groups and implanted spyware so when people would go the these chat forums, their computers were being infected with spyware that would hone in on their location. This was really ingenious hacking with a physical goal. This wasnt just to steal information, it was to locate people and to help a war effort on the ground. Cyber was being integrated into this conventional military conflict. The people i interviewed for the book will say absent this particular dimension of the surge, the surge does not staunch violence in iraq, it does not become this temporary victory that we all know now where we did prevent a civil war and managed to bring some stability back to the country. This was the secret weapon. The surge was won by a cyber war campaign. David petraeus, not one given to hyperbole, said publicly that this intelligencegathering operation was, quote a prime reason for the significant progress made by u. S. Troops in the surge and was, quote directly responsible for enabling the removal of almost 4,000 insurgents from the battlefield. You can actually chart where the surges of violation goes down, and violence goes down and how the intelligence operations were ramping up. So iraq changed the way that the nsa spied, but it also changed the way the United States fights wars, and it showed us that Cyber Operations will be a part of that. So why does this matter to us, right . I argue that in the book in the governments zeal, particularly the National Security agencys efforts to dominate cyberspace and the nsa is really the center of gravity of our Cyber Operations that the government is doing things that fundamentally undermine the security and the protections of the internet that we all depend upon. And its making it actually a less safe place for all of us to operate. Give you a couple of examples. Nsas in the business of spying on and breaking into technology. Well, we all use commercial technology that is found in other countries as well. Theres no proprietary u. S. Systems or proprietary other foreign systems. A lot of this is ubiquitous foreign technology. The nsa is constantly looking for ways to find flaws in softwares and computer operating systems that would give them a way into a system that no one else knows about. These are frequently called zero day absolutely necialtds, meaning that once someone has found a particular way into a computer and nobody else knows it, there would be zero days to defend against it if you chose to attack it or exploit it. So the nsa is gobbling up and hoarding this information in order to build offensive capabilities. Cyber weapons, if you like. One might argue if nsa is in the business of defending national cyberspace, you should be disclosing the vulnerabilities and letting the public know about it. Imagine that the nsa was sort of a Security Guard in your neighborhood or a cop on the beat and it found there was an open window in your house but didnt tell you, or found there was a flaw in all the windowing with used on the block being used on the block but didnt tell anybody . Thats the analogy i look in the book. Not telling the public about them, the nsa is essentially not doing its job of making the internet safer. Another example is the nsas efforts to undermine something called encryption. You may not be familiar with this, but encryption is basically a way of jumbling up a communication so that only you and the recipient can unlock and understand what it says. You can use encryption in your email, end description may be be encryption may be used with your bank to make sure that your account data cant be stolen. We know the nsa has been secretly inserting flaws into encryption products that are then marketed with the seal of of approval of the nsa. And we know of some instances in which theyve been putting an endorsement on a product that they know to be flawed in a way that only the nsa thinks it understands. This would be sort of like if the nsa if the government was marketing a particular kind of door lock and said, everybody in america, go buy this lock for your front door, it cant be penetrated, but the nsa has a a key for that lock, and its actually not hidden that well. Part of its mission to dominate is actually making cyberspace less safe for all of us and putting us at risk. All of this has emerged, the story that i write about in the book, with practically no debate and with, actually, very little reporting and public commentary. This con junction of a huge warfighting machine with a growing technology i have is, i think as president eisenhower described the military Industrial Complex of a previous generation, quote new in the american experience, and it is changing how we use the internet and exist in this fifth domain. I think cyberspace is too vast, too pervasive and too important to how we live now to allow a single entity or any alliance to govern it or dictate the norms of behavior. And i argue in the book that this authority should certainly not be vested inside a secret Intelligence Agency. Theres no neat way to define cyberspace, and i dont attempt to do so in the book. Its not a commons, but its also not private. Weve come to depend upon it like a public utility, like electricity and water, but it is still mostly a collection of privatelyowned devices which makes making policy in this area particularly difficult. Yet cyberspace is undeniably a collective which is why i think its incouple p bent upon everyone who touches it, all of us, to take a stake in how we treat it and define the, quote essential agreements of great moment, the wise resolution of which will better shape the future of the nation. Thanks for your attention, and ill be happy to take your questions. [applause] so if you could come to the microphone, because this is being recorded not by the nsa, as far as i know. [laughter] and, yeah. Yes, please, thanks. Thank you for coming. The director, director comey, he has said several times in recent weeks that he is very much opposed to what google and apple have done with their encryption technology, making it so that even google and apple if they wanted to, they couldnt decrypt their own devices. Do you think the director will be successful in any effort to force google and apple to change their current right. Yeah. The short answer is i think probably not. You know, at least not in the near term. Whats interesting about this argument, this is jim comey has come out and basically said among other things that this device, for instance, the iphone 6 is, essentially, a threat to Law Enforcement, an obstacle to Law Enforcement because if you arrest somebody with this phone and theyve encrypted it, it cannot be unencrypted including by the manufacturer. So only i know the code, and if im not giving it up, the fbis not getting into it. I think this is actually sort of a proxy for a much Larger Mission that the fbi has been on to extend Surveillance Authority to the internet. Without getting too much into the weeds of it, there are laws in place that require Telephone Companies to build their networks in certain ways so that they can be tapped when the fbi or another agency has a lawful order to intercept communications. But Internet Technologies and p Companies Like google and apple have never been precisely or neatly governed by that law, and the fbi would like them to be. So i think that director comey, who i know and think very highly of, is overstating the particular risk that this device poses to Law Enforcement, and hes actually really should be talking about the broader debate which is the fbi wants to extend for Surveillance Authority to cyberspace. Thank you. Im wondering how paranoid we should be. [laughter] everyone asks that question. You know [laughter] you know, youre not paranoid if its real. Right. You know, i was afraid to go to certain web sites like wikileaks, that it would flag something, and i thought i was being overparanoid, and then nsa stuff broke, and it turned out to be much worse than i could have imagined. I know someone at Homeland Security who has a high position, and i told her i was i just wanted to check out wikileaks, and she said dont go to wikileaks, and i figured she was in a position to know. Im wondering if you access certain web sites, are you flagged . What if i wanted to learn about alqaeda and just wanted to learn what it believes in . Right. Are they watching everything . What you said in iraq, they had control of everything. Right. Iraq was a very particular example, obviously, because its not the United States. So we should remember there are, there are surveillance laws and restrictions in place for what the nsa and the fbi in particular can do with american citizens individual communications. They cannot listen to your phone calls without a warrant, they cant they cant read your emails without a warrant. Is that right . Thats right. It may not necessarily be the case, but it is correct if they want to monitor your individual phone call, target you, they need a warrant to do that. If you are in communication with someone overtea seas overseas, however, and that persons communications are scooped up which doesnt require a warrant the same way it does for you, and your information is collected incidentally to that collection, the government can go back, search through the data thats been collected and come across your information and read it without a warrant because the presumption is that it was lawfully collected in the first place. Yeah, i know. It kind of puzzles me, too, and this is a debate thats going on right now within the corners of National Security law that cover this stuff. Its very difficult to know at any particular given time what legal theory the government is using to access certain kinds of information. They use different parts of the law to access different kinds of information. But i think its safe to say that if they can find a way to technically and legally acquire information, they probably will do it. So that would lead us to conclude that the rules should be tight on how on the use of information as opposed to the acquisition of the information. I dont know if that puts your mind at ease any about not at all. Certain web sites that you can go to. [laughter] so are certain things flagged . I dont know if you were today to go visit wikileaks that it would necessarily flag you. If you were on a government computer, it would. Yeah. Yeah. If you were in fact, Government Employees have been told do not go to wikileaks because theres classified documents displayed on it. Whether or not you sitting here today from your computer in washington, d. C. Would that be flagged . I dont think so. [laughter] thats reassuring. Yeah. [laughter] hey, shane. Hi. So what do we know about how much stuff we can do to them . Yeah. So you can pretty much be sure that anything that were afraid of people doing to us we can do to them, and we very well may have already done out. The first half of the book really is about the offensive side of cyber war, and i dont want to give everything away and spoil the story, but go ahead. Whats that . Go ahead. Go ahead, go ahead. Thanks, john. I already bought the book. Okay, good, then youre fine. Everyone else, plug your ears. [laughter] we have, the military and the nsa have are, i should say, very elite cadres of hackers. Theres actually one group that i write about called the tailored access operations unit, and theyre sort of like the Impossible Mission forest of nsa hackers force of nsa hackers. These are the guys that they call in. In fact, some of the people i write about in the book actually have worked in it. So we are very, very good. The problem is that we dont have enough people to go out and wage these operations compared to our add adversaries. That is, if we are measuring this in terms of if we were to ever go to war with a big country in cyberspace, how would we match up against them . The chinese have thrown thousands more people at gathering espionage information from companies that we have digital spies going out and gathering information. Our advantage probably comes from our technological prowess. Just today, in fact, there was news you may have read about this this new computer virus that was discovered called regin, im not exactly sure how to pronounce i want. Reagan. Its reagan. Its a name from no, sir mythology norse mythology. This fascinating piece of malware that was discovered and dissected and found that it could, basically, gather huge amounts of information from Computer Systems and barely be detected. It was probably engineered around twist and looks suspiciously like another computer virus called stuxnet which we know that the nsa designed. We havent confirmed it yet, but there are very few countries in the world that could design something that sophisticated, and we are one of them. So were very good on the offensive side of it. Just follow up. I once recently spoke with a British Intelligence officer cyber guy who said that the chinese get into everything but the people theyre really most afraid of are the russians because they dont leave fingerprints, and we dont know what they can do. We only know theyre good. Is that accurate . I think that is accurate. The russians also have incredible prowess. The chinese are shameless about it, and they deny everything. The russians are very, very good at covering their tracks. You have a lot of, well, you know, several years ago after the demise of the soviet union, you had a lot of very highly skilled computer engineers with suddennenly, you know, not suddenly, you know, not great employment prospects. A lot of these people have gone to work for criminal organizations, and the russian government not only turns a blamed eye to this, they aid and abet it to some degree. Financial crime in particular. I was told by one senior u. S. Official who works on cyber investigations that they have found a number of cases where theyre zeroing in on a russian hacker, and they find out that the russian government tipped them off and said theyre on to you. So were dealing with a government and an apparatus that is very highly skilled and, as you said, is good at not leaving traces. Um, this is a slight aside, but you mentioned that the internet is not a utility in the United States, and its not legislated as one or anything in that way. But if the fcc changes its rules, if the Obama Administration gets them to treat it as a utility, do what sort of effects do you think that would have in this arena . Um, i think it would make it a lot easier for the government to regulate and enforce security standards. So to Tell Companies you must implement the following minimum security protocols and procedures. And president obama, i think it was last week in his weekly address, talked about treating the internet as a utility. Now, this was sort of in the context of Net Neutrality and the debate over whether or not companies should be allowed to charge more for higher volumes of traffic. But what i found striking about that was, wait a second, if you treat the internet as a utility, the government can regulate it, and that means they can regulate security just like they regulate security at Food Processing plants and, you know, any number of physical infrastructure facilities. The fcc, as you said, would have to go along with this. But if that happened, i suspect that would open the door to much tougher government regulation of security. And we have been having this debate, by the way. There are those who very much favor government coming in and regulating this. The flipside of that, and i write about this in the book too, the threats are evolving so fast that theres no guarantee that the government is going to know what the most uptodate intelligence is. And, in fact, a number of Companies Including google have received threat briefings from the government and been very unimpressed by what theyve been told because they say weve already heard about this. Private security researchers already know about this, tell us something else. So theres no guarantee that the government has the right answer for setting security standards. Would you comment on congressional oversight with respect to the military internet complex . I get the impression that way too many of our elected representatives are totally out of their depth when it comes to these kinds of questions. Right. There is, theres a technological learning curve, to be sure. Yeah. I mean, i think that look, intelligence oversight in general is, ive been a critic of it for a long time. I think its pretty anemic, and a lot of this activity is taking place under the auspices of an intelligent agency, the Intelligence Agency, the nsa. Where congress has mostly been focusing is on legislation that would try and set some of these basic minimum standards for security that companies would have to follow. And those efforts have been shot down largely at the we hes of behest of companies who fear regulation. So i think this is a real issue, and i think if legislators arent smart about this and really becoming more proficient in the language of technology, they risk being duped, frankly, by intelligence officials who are persuading them that the threats are maybe more severe than they actually are and persuade them to give them money that they maybe dont need and authorities that they dont need either. Its very much incumbent upon congress to not simply take the word, you know, the intelligence agencies words for it. Yes, there are threats in cyberspace, but they need to get a lot more in depth and fluent in the complexities of those threats before we begin, you know, making permanent laws. So if i can actually follow up on this ladys question with a very brief intro that a few of us in this room have worked with shane in his, in his journalistic capacity. Its been gratifying. Hes a great journalist, and its been gratifying to see the scope of his work and no doubt a lot more is to come. But to take the and so really to pose a journalistic question, if i can do that, take todays news about secretary hagel moving on. I notice that his names not indexed here. I assume that may Say Something about hagel. Ill give you a couple of ways of going at it. Is there something that hagel should have done, could have done, or is it just too much nsa, and then that leads to the question of the next defense secretary and the senate and changes in congress, republicans taking the senate, new chairman in the house. What would you advise them to do, what kind of policy issues should they be focusing on . Yeah. I do think in general theres too much authority and leadership on the issue vested in the National Security agency. We do have this new organization, its about four years old now, called u. S. Cyber command, and its meant to be a combatant command like Central Command which is running the war in iraq and afghanistan. I think that if youre going to Start Talking about Cyber Operations and warfare and integrating that into military doctrine, that should be run by a military organization, not by an Intelligence Agency. Now, the nsa is also a military organization, its a military Intelligence Agency. The head of that agency is also right now the commander of Cyber Command. So you can see how the deck is sort of stacked in favor of nsa. Hagel never made any, very few public statements at all about cybersecurity and cyber warfare. I hope that the next defense secretary will come in and start to make it a priority to get some of those authorities out of the agency and put them over with Cyber Command where i think they more properly belong. I think you actually can get better oversight of a military organization than you can of the nsa. If i can interrupt with one other follow on. Go to the mic. Follow on thank you, followon question. Is this another part of kind of defense policy where the white house and the nsc or even the Justice Department has scooped up some of the sexy aspects, the hot button kinds of issues . To some extent, yeah. The white house certainly was, you know, involved and aware of what the nsa was doing in this realm. But, you know, theres somebody i write about in the book, keith alexander, who was the director of the nsa, longest serving director and just retired recently. He managed to really accumulate a lot of the bureaucratic momentum and the sort of mojo, really masterful at it. Theres some people in washington who can do that. Leon panetta, actually, was another one, hagels predecessor who fared better in the job than secretary hagel. And understood cyber threats, too, by the way. I think a lot of this was kind of captured by the agency, and the white house probably needed to get more involved as kind of the gatekeeper via the National Security adviser of setting these policies. I thought that obama kind of kicking off in the east room of the white house in 2009 and making it a National Security priority and it is, it definitely is. But then i feel like the energy slipped a bit away from the white house. So the political momentum was coming from there, but the real bureaucratic engine of it was at this other agency, and i think knew you need to now you need to take some of that authority back. You mentioned our Water Systems and the electric grid. Could you say some more about the internet of things and other systems that might be on it like, for instance, do they really run metro off the internet . [laughter] so the internet of things is this notion that everything that is every device is now connected to the network; your appliances, you know, your phone, you know . The air Traffic Control system. I dont know specifically whether metro is run via the internet, but it absolutely could be. It creates these marvelous efficiencies and this interconnectedness, and it makes our life easier. But the more devices you put on the network, the more vulnerable those devices are. I mean, definitionally anything that is connected to the network can be hacked, can be compromised. Youll often hear how the internet was not designed with security in mind, sort of one of these tropes. It began as a research network, and nobody ever thought about protecting it. Well, thats generally true. As we keep adding more and more devices to the network, were not putting the security of those devices and the people who use them, first and foremost. I think thats going to change the more that you see some of these higher profile breaches with things like the home depot and the target breach. You know, data being stolen. As some of these devices start to fail or be manipulated, i think you might see some real urgency on the part of the users of those devices to start protecting themselves. Its going the take people getting, you know, wounded really, i think, to focus the attention. Yes. Were going to have to well take the questioners already lined up, but after that i think well promise to go fast. This will be, this will be quick. This is not universally important, but i manage a web site that is connected, that is part of my church community. In october we had a huge spike of hits on the web site, and the dashboard report showed that almost 50 of those hits on the web site came from china. Does that mean the red army is monitoring our Church Web Site . It depends what you know, what are you into . I mean, its totally innocuous. Its important for those of us in the community but could not possibly have any kind of universal i think its a subversive Group Shipping propaganda in china maybe. Is there some point we should be concerned about this kind of right. I mean well, you should always be concerned about somebody whos not supposed to be in your network and your system being in it. But in a way, as bizarre as it sounds that your church group would be being picked by the chinese pinged by the chinese, at the same time, it doesnt surprise me at all. Their whole mo is to throw lots of bodies at the problem and see what sticks. Who knows why they were poking around that day on your Church Web Site. Yeah. So the question is, you know, should we be concerned, or is there anything that we can do . You should have good network security, and if you have somebody managing your web site, make sure you have the right protocols and antivirus in place, and do not open any emails from people that you dont know. Be careful about opening emails from people that you do know. I know im telling you to be really, really scared, but there are basic procedures you can take to make yourself less vulnerable. And if theyre not pinging the network and not getting in, you know, dont worry too much. Yes. Hi. Just wondered if you could speculate a little bit about the future and sort of make an analogy. Do you foresee a point in the future where theres something roughly similar to mutually, mutual assured destruction evolving . This is with respect to cyber warfare and especially, as you say, allout cyber warfare. Or is there any technical reason why, um, if somebody took the first step, that theyd have a decided advantage and be thinking about the power grid or whatever . Right, right. First strike capability. Yeah, right. Yeah. A lot of the cold war mod pells work up to a point model es work up to a point. Mutually assured is one. There are a lot of incentives for large nationstates not to attack our Critical Systems. The chinese arent going to crash the American Financial system because theyre our biggest lender, so anything they do to us is going to flow back on them. I think that if there was a, an attack on the power grid to shut the lights off in a major city and we believe that it was coming from china, we would probably have bombers on the way to beijing because we would presume that was the opening salvo to some kind of larger military campaign and not necessary hi an isolated necessarily an isolated event. But where this starts to break down is mutually assured destruction worked because we knew it would be the soviets firing the missiles at us a, and they knew it would be us firing at them. It is not that easy in cyberspace to attribute the source of the attack. Youve frequently heard this referred to as the at transcribes problem attribution problem. I write in the book about how i think the government has gotten a lot better at attribution than they would like to let on, but that is where the deterrent model breaks down. If someone were to effectively cloak where they came from, we wouldnt necessarily know who to retaliate against. So thats, you know, where we find ourselves sort of groping for how do we deal with cyber space. Thats a huge, unanswered question. Hi. Im sor of the sort of interested in the education aspect of this. There was an article in the a little while back in the post a little while back about certain universities that are training the next generation of Cyber Warriors or socalled white hat hackers. Right. But if youve read anything about, say, anonymous, you know that the relationship between being white hat and black hat can be very slippery. Uhhuh. So im wondering if the government is involved in the educational process at all . Are they awar of these programs . Are they working with these programs . Is there a military, internet education complex . Yeah. There is . Yeah. So nsa, actually, for a number of colleges and universities helps write curriculum in cybersecurity. And it does that because it wants to help field and educate a new generation of potential employees. It has a program whereby they will pay for the fouryear degree in Computer Science and engineering of someone, and then that person comes and works for the nsa for four or five years to pay them back. I actually interviewed one person about this who went to School Thanks to the nsa, became a hacker, went to work for the agency for five years and then left and started a private cybersecurity startup in silicon valley. So, yes, theres absolutely a connection between those. And the nsa in particular feels like colleges and universities are where a lot of the next best talents going to come from, and its taking steps to influence that process and attract new talent. Postsnowden thats not going to be as easy as it may have been pre. Obviously, the kinds of people who, i think, are attracted to this kind of work, many of them may have a sort of antiauthoritarian streak [laughter] and they may not necessarily be the ones who are that interested in signing up for this. That said, the military is also another source of recruitment, and i write about a number of soldiers in the book who became Cyber Warriors. And for them, i think the draw of service and also being part of a new kind of war and a new kind of warfare is very alluring. And i think the nsa will have a lot of success recruiting from the ranks of the military for these operations. Wow. Yes, sir. Our last question. Yeah. Thats really amazing, what im hearing. You know, just to switch, to switch emphasis from this being a tremendous tool whereby we kill one another which is usually the emphasis to anything done now by the defense establishment, how to kill other people more successfully, what about in the field of medicine, the field of health . Is there, is there, are there people working in the field specifically with health, trying to understand well, i know that there are people working with molecular structures and trying to understand it, but how far is that progress . And does the one feed off the other . I mean, is there any indication that we can use this kind of technology to improve our health sure. Scenario . So ill give you one uplifting story, then ill leave you with a scary one. [laughter] and a depressing one. So, certainly, in the realm of, you know, Big Data Analytics and the kind of capabilities that we bring to bear on assessing threats to Computer Networks, absolutely. Theres potential for that to conduct genetic modeling and sequencing and experimental drug treatments and all of that. Theres tremendous promise in this level of, you know, highpowered computing that the nsa specializes in, you know, to do tremendous good. And scientists are, in fact, tapping into that in a kind of big data revolution. Where my mind was going when you mentioned health care was the vulnerability of medical technology and medical devices. So homeland fans out there may remember the pacemaker. Im not going to spoig anything, but the pacemaker plot line with the Vice President . Okay. There are people out there, i actually interviewed one for the book, who kind of game out scenarios to train particularly people at nsa and network defenders. And this guy that i interviewed had a scenario whereby he said, okay, a foreign dignitary is coming to the United States for medical treatment at a, you know, pick your name brand hospital. People who want to kill him find out where hes staying, they hack into the prescription dispenser in the hospital that regulates his medication because these things are all now regulated and, by the way, many of them are connected to the internet for auditing purposes they change the dosage on his medication, the nurse gives him the wrong amount, and she kills him. So medical Device Security because of this internet of things is actually another place that people are very worried about. Hospitals have been defined as a Critical Infrastructure sector the same way that the electrical grid and the Financial System have been. So, you know, anything that is connected to the internet can be manipulated, and there are people who are trying to head off people who would but arent execute this dastardly scenario. Yeah. I was thinking more from we have millions of cells in our body, and cancer is, you know, has just been impossible to track, you know, what is what, and, you know, how does it change. Thats the kind of stuff im thinking of. Yeah. Not to kill some dweeb who ends up in right. In the Hotel Downtown and you want to take out. Youre determined to make me leave this on an uplifting note. Yeah, exactly. I would point back to the data mining and highpowered computing that can be used to track tackle some of these problems. Cancer researchers are using the same kind of technology that can be deployed for less helpful ends, i guess we should say. Right, right. Ill leave it to you to promote that field. Okay. All right, thank you all very much, and ill be happy to sign your books. [applause] we have books behind the register, and were going to form a signing line. [inaudible conversations] every weekend booktv offers programming focused on nonfiction authors and ask books. And books. Keep watching for more here on cspan2 and watch any of our past programs online at booktv. Org. And now joining us on booktv is Dennis Johnson who is the copublisher of melville house. Melville house is publishing the Senate IntelligenceCommittee Report on torture. Mr. Johnson, whats the purpose of publishing something thats in the Public Domain . Guest well, for one thing its not