comparemela.com
  1. Home
  2. Live Updates
  3. Transcripts For CSPAN2 Book Discussion On Dark Territory 20160320 : comparemela.com

Transcripts For CSPAN2 Book Discussion On Dark Territory 20160320

Two other things in his illustrious career. He is the National Security columnist for slate and author of four books, most recently the insurgents, which i think he will tell us has at least more crossover with this new book than some people might necessarily imagine. Fred is a pulitzer prizewinning journalist back from his days in the the boston globe, and im very pleased to be able to host him here today. Just a word on format, shortly im going to ask fred to give a few minutes describing the book and telling us a little bit about whats in it, then im going to take the opportunity to have a conversation, dig into a little bit more of the detail and explore some of the themes and what we might conclude from that, and then i will open it up to the floor to give you the opportunity to ask fred some questions. Well all to wrap up at 1 45. Thatll actually give us plenty of time to get into some quite interesting conversation. So without more ado, fred. Ms. [applause] im just going to speak for a but minutes here. The subtitle of this book is the secret history of cyber war, and when i was working on it, i had the subtitle already worked out. I didnt know what the title was going to be for a while. Somebody said, well, how long of a history is this . Most people think did it start with stuxnet, the discovery of that 12storywide building on the outskirts of shanghai . No, in fact, it goes all the way back to the dawn of the internet itself. And in 1967 when the arpa net was about to go up, that was, you know, a network where all the contractors of the Defense Department would be able to, you know, talk with one another in their computer programs, there was a man named willis ware. He was a computer pioneer. He was the head of the Computer Department at the rand corporation, and he was also though few knew that at the time he was on the scientific also visely board of the nsa Advisory Board of the nsa. He wrote a secret paper, its been declassified, you can look it up, but he said hes the problem heres the problem once you create a Computer Network, once you have access from multiple unsecure locations, youre not going to be able to keep secrets anymore. And so when i was doing my research, i talked with this man named steve lieu kasich who was the Deputy Director of arpa, and i said, did you read wares paper . Oh, yeah, sure. What did you think of it . I took it to the guys on the team, and i got the story confirmed by a couple of guys on the team, and they said, oh, jesus, dont saddle us with a security requirement too. Look how hard it was to do this. Its like asking the Wright Brothers if their first plane has to fly 20 miles carrying 50 passengers. Just lets do this one step at a time. And besides, the russians arent going to be able to do this for decades. Well, it was decades, two and a half, three decades, but by that time whole systems and networks had grown up with no provision for security whatsoever. So i see this as kind of, you know, the bitten apple in the digital garden of eden, the situation created from the very warned about and created from the very beginning. Now, all of this was unnoticed until june of 1983 when Ronald Reagan watched the movie war games up at camp david. One of the guys who wrote it, not the one whos coming here tomorrow, his parents were in hollywood. They were hollywood producers, so they knew Ronald Reagan, so he got a copy of the film, and he watched it. The follow wednesday it was a saturday night. The following wednesday hes back in the white house, and theres a big meeting to discuss the mx missile, actually. Some of you might remember that. And be at one point everybodys there, his National Security adviser, some people on the hill. At one point he puts down the index cards, and he says has anybody seen this movie called war games . And nobody had seen it, it had just came out. He launches into this very lengthy plot description, and people are kind of looking around like wheres this going, and he turns to the chairman of the joint chiefs of staff and says, general, could Something Like this really happen . Could Somebody Just break into one of our most secure computers . Well, i will look into that, mr. President. And he comes back a week later, and he says, mr. President , the problem is much worse than you think. And so one year later there was a National Security decision directive signed by the president about telecommunications and computer security, first document of the sort. But it took a strange direction. It was basically written by the nsa. It was the only agency that knew anything about computers, and the way they wrote it, the nsa would control the standards for all computers in the United States; government, military, personal, business, everything. So there were some people on capitol hill who didnt go along with that. So they rewrote it so that, basically, the nsa would have security over dot. Mil, classified stuff, and the Commerce Department would have everything else. Well, of course, the Commerce Department didnt know anything, they have no ability to do this. The nsa had no interest in securing these chinas. They were channels. They were interested at that time purely in exploiting security gaps, not in filling them. So for about a decade, nothing was done about this problem. And i wont go any further. Its just supposed to be a little introduction. But the point is that these two incidents, you know, willis ware writing this paper, the dawn of the internet, and the extremely unlikely coincidence of Ronald Reagan watching war games and asking a question that had everybody in the room rolling their eyeballs like, oh, christ, wheres the old man going now, led to the systems, the programs and more than that, the issues, the policies and the controversies and the tensions that persist to this very day. One more little thing about the war games connection before i go back down and sit down and we have a conversation. This is something that i discovered almost by accident. It turned out that the two writers of war games, you probably have all i hope im assuming youre all seen or remember the movie. Basically, the kid played by Matthew Broderick hacks into the norad computer with manager called demon dialing. He hooks up a system that automatically dials the phone numbers, every phone number in the area code, and when a modem is reached, it records that number. So he breaks into the norad computer like this. He thinks that hes just latched on to some new online game x he almost starts world war iii. But the screen writers were puzzled. They said, is this really plausible . Could Somebody Just its got to be a closed system, right . Could somebody from the outside get into norads number . They lived in santa monica, and they called the rand corporation. Who can we talk to . Oh, youll want to talk to willis ware. He turned out to be a very nice guy, and they laid out the problem and he says, you know, i designed that computer, actually, i designed the software for that computer, and youre right, it is a closed system, but theres always some officer who wants to work from home on the weekend, so he leaves the port open. So, yeah, if somebody happened to dial that number, he could get in. And, you know, the thing is, the only secure computer is a computer that nobody can use. So thats sort of the lesson that weve all learned since, and now ill sit and have a conversation. Thank you very much, fred. One of those writers subsequently went on to write another movie called sneaker. Yeah, barry [inaudible] was the cowriter of that as well. And we will be talking to him on wednesday about what his next movie is about, so we can see where the direction is going. [laughter] but before we get there, youve written a history of cyber war. And traditionally when people write books about war, they write about battlefields and people tend to study those battles so that they can get a greater sense of how to fight battles in the future and appreciate strategy. Right. What, what do you think having done your research, written your book are the events between 1983 and now that the student of cyber war should look back on. , you know, instead of and, you know, instead of walking the battlefield of gettysburg sort of take his lessons to study for the future . Well, there are no battlefields to walk, unfortunately. But i guess a Pivotal Moment came in 1997. The new director of the nsa at the time, threestar air force general, had been commander of the Warfare Center in san antonio where they were doing a lot of things about what we would now call cybersecurity and cyber war. He couldnt get any of the other officers interested at all. You know, back then fighting wars was dropping bombs on people from the air force point of view. Computer nobody even knew how to use computers, you know . So he decided, he couldnt get anybody interested. He knew about vulnerabilities, so he got permission to dod a war game where to do a war game where 25 Red Team Members in the nsa would actually hack into all the networks of the Defense Department. Now, they had to go through a lot of lawyers to get this done, and one of the conditions they had to use commerciallyavailable equipment. They couldnt use their top secret stuff to mess with domestic networks. And so they did this, and they prepared for it for a few months, scoping out the networks, scoping out what they would do. The people who had been victimized were not to know about it. The only people who knew about it were the people actually doing it and the lawyers, like the attorney general and the secretary of defense. So they laid two weeks aside to do this. It turned out within four days they had hacked into all the Defense Department networks. Including the National Military command center which is, you know, how the president communicates and sends orders to the secretary of defense. All of it just mercilessly hacked, you know . Sometimes they would just leave a marker, you know, kilroy was here. Sometimes they would intercept messages, send back false messages, mess up orders. Peoples heads were being screwed with like, you know, whats going on here . I dont know whats happening. There was only one guy that was a marine out in the pacific who knew that something was going on. But, see, even if you knew what was going on, there were no protocols. What do you do about this . So he just unplugged the computer from the internet, which was the smart thing to do. Everybody else, so when the debrief happened and they go through, you know, heres what we found and here are some passwords we dug out of a dumpster here, and heres a tape recording where the guy called up the secretary and said im an i. T. Guy and need to change passwords, whats the password for everybody, and they told them and everything like that. And everybody was appalled, and that was when the deputy secretary of defense at the time said, okay, whos in charge . We need to fix this, whos in charge . And nobody was in charge. So, but then they started to set up some Warning Centers and some 24 7 watch centers, which was a good thing because within a few months, somebody starts hacking into the u. S. Military. So maybe it had been going on longer than that. But the big thing there was something called solar sunrise where some serious hacking turned out to be two kids in california. And some people, somebody said, oh, whoo, just two kids in california. But other people said, wait a minute, two kids in california can do this, what are the nationstates . A few months later they called it solar sunrise, then something happened which was called moonlight maze which was somebody not just breaking into defense networks, but persisting and kind of looking around for things. They were looking for particular things. And eventually, they traced that back to a, it was the russians. It was using a server of the Russian Academy [inaudible] so those were the two, and then the chinese started doing it, and then operations oh, by the way, one thing very interesting. Theres this war game could eligible receiver. When the nsa was inside the Defense Department networks, they noticed some french ips just kind of strolling around. So this is already really happening. In 1997. Okay . So, but then there were other things. There were some sort of prototype of war things. A very big deal was remember when clinton was planning to invade haiti because some warlords had taken over, and they were working up war plans, and one part of it was, well, how do we get into, how do we get into haiti had a very rudimentary air Defense System, but a lot of this was flying in people, you didnt want anybody getting shot down. And this is when this guy mini hand was in san antonio. One of his tech guys said, you know, boss, i found out that the haitian air Defense System is wired into the commercial telephone system, and i know how to make all the phones in haiti busy at the same time. So thats how they were going to deflect, you know, defeat the air Defense System. Okay. Years later yugoslavia, clintons war against milosevic remember the bombing went on for weeks and weeks, months and months. Well, there was a cyber element to this. And again it was phones, but computers were run by phones too. But they did some of the same things. They got into this serbian phone system, a cia guy went in, he put in a plant, and then the nsa was able to hone in on this plant. And they were, the air Defense System was wired through the phone system. So they were able to go in there and mess with their radars so that on the screen it would look like they were some planes in the northwest, but actually they were coming from the west, so they would aim at the wrong spot. They would send messages to milosevics cronies saying, you know, we know you own this copper plant. Were going to turn out the lights in the copper plant if you dont get rid of milosevic. And they said, oh, you know, forget about it. And they would turn out the lights in the copper, in the copper plant. And then theyd say, okay, if you keep this up, were going to bomb you tomorrow. So he thats how milosevic lost his cronies. They were threatened by what was called Information Warfare. So this was the first Information Warfare campaign. Some admiral gave a briefing, okay, this was both a success and a failure. We only used about onetenth of what we could have done, but it was very interesting. And then after that, you know, we know about some of the things, stuxnet, there were some things ill give one more, and then we should maybe move to a different when the israelis bombed the nascent syrian reactor which really was a nascent syrian reactor. They were helped by north korean scientists. What happened, a lot of people, even the syrians didnt acknowledge it because it meant that four israeli asset teams had to go about 150 miles inside of syrian territory without being detected even though they had just installed some new russian surfacetoair missiles and radar. Theyd rather even acknowledge it ever happened. What happened was they used a program that was developed by the air force here and implemented by something called unit 8200 which is the israeli nsa. It intercepted not the radar and not the radar screens, but a data link between the radar and the screens. So that the people looking at the screens saw nothing. The radar was protecting planes and, in fact, the people in the planes were hearing bing, bing, bing, bing, so it took a little nerve to continue. But they also had people that were able to intercept the signal off the monitor that the radar operators were looking at to make sure that this worked, to make sure that they really were seeing nothing. And they were seeing nothing. So these planes got in, dropped the bomb, destroyed the factory, and people were saying, well, our screens show nothing. So that kind of thing. I should do one more, and that is the iraq war. I wrote a book called the insurgents David Petraeus and the plot to change the american way of war where i accepted the idea this is the only thing in this book ill qualify or retract a little bit. You know, there was a big turn around in 2007. Basically, the surge and the change of strategy towards counterinsurgency. Well, theres one other thing, and that is the nsa got involved. The nsa actually sent over a twoyear period 6,000 analysts to iraq. 22 of them were killed. They basically captured the computers, they got into the systems, they got into the passwords, they got into the email connections, and they did things like they sent messages to other insurgents saying, okay, lets meet at such and such a place tomorrow at 4 00, and there would be these special Operations Forces waiting there to kill them. Or they would detect some drones, somebody planting a roadside bomb and then running off. Used to be you could follow them, but then you had to send the data back to washington, and it would take 16 hours. Within one minute they could target these guys. So within in 2007 through these techniques, they killed 4,000 insurgents which is one reason why things really kind of turned around. I remember the first person i asked about this, and he looked a little alarmed that i knew anything about it, he said, well, yeah. When the histories really get written about this, thisll be the equivalent of, you know, breaking the german submarine codes in world war ii which, of course, wasnt revealed for decades after. So this cyber has been a part of these operations and these plans and thinking for quite a long time. Just taking you back to moonlight maze, one of the anecdotes you tell, is the delegation that gets sent from moscow. Very warmly welcomed yeah. So they started, when they realized that this was russia, and, of course, this was yeltsin, postcold war. Theyre our friends. So we decided, well, maybe we should send a delegation to moscow. Maybe they dont know this is going on, maybe its not the government, you know . And we wont present it as National Security, well present it as the fbi, well present it as a criminal investigation from which we are seeking assistance from the russian federation. And there was a controversy whether to do this. So they sent over this delegation. On the first day, you know, caviar, champagne, welcome our friends, and there was this one general in the military who was helping out. They brought over logs, guy brings out his own logs, and hes shocked. This is terrible these bastards in intelligence, this is awful we will not stand for this, were going to clean this up. So they were going to be there for five or six days. Second day, you know, were going to have a sightseeing tour today. Were going to go around, so they did sightseeing. And then the third day they were going to do some more sightseeing. Then the fourth day there was nothing. So the fifth day, there was nothing. Well, can we talk to this guy . Well, hes busy now. There was so they left. The embassy is calling, the legal office saying, well, we need to oh, yeah, we will send you a memo on this. Anyway, its over. What they realized when they got back is that this was a government program, that this poor general who, god knows what happened to him for helping the United States [laughter] military and intelligence guys coming over, he just didnt know about it. And for a while, the hacking did stop. But then it started in again. And the chinese started doing it too. And, you know feels very distant in time. Yeah, yeah, yeah. So the story that you have just told was a very militaryheavy story, literally going through one of our military wars in the iraq. Clearly solar sunrise, moonlight maze led to the establishment of a new organization, joint [inaudible] Network Defense which becomes Computer Network operations years later. But in the 1990, theres a sort of parallel Development Going on in the white house where people are starting to realize that Critical Infrastructure is vulnerable. Yeah. Do you want to talk a little bit more about Richard Clark and what he was up to . Well, as all this other stuff was going on, eligible receiver and other things, a couple of years before then the Oklahoma City bombings led to president clinton signed a president ial directive on terrorism, kind of a policy on terrorism, counterterrorism. And they started setting up a joint task force on, it was called the Critical Infrastructure working group because people are thinking, well, you know, they blew up a federal office building. And, you know, a lot of people were killed and a lot of damage. What happens if the next time they blow up a power dam or some electrical facilities . Something that could affect the entire economy . We need to set up some policies for this. So the working group, they defined what Critical Infrastructure was. Eight sectors of the economy; transportation, banking and finance, water works, dams, you know, so forth. And then they decided, as most working groups like this, to create a commission, a president iallyappointed commission to look into this. Well, the people who were on this working group and on this commission, theyd had some background in black programs, and they knew about this cyber element. And they thought, well, you know, its pretty obvious how you protect something from physical damage. But theres this other thing going on, this vulnerability to electronic and computer hacking and that sort of thing. So as this report got written, half of it was about and this is where the term was first used they talked about two types of vulnerabilities, fiscal vulnerability and cyber vulnerability. And it said, you know, in the future somebody could do more damage with a keyboard than with a bomb. You know . That sort of thing. They were looking at this as the new nuclear weapon. So that was in 1997. And this analyst named Richard Clark, youve probably heard of since, was sort of put in charge of this. And he didnt know anything about computers. Nobody did, as i said. And so he decided to go do a road trip with his staff. They went out to Silicon Valley, and they went to talk to all the executives x they learned that, well, you know, microsoft knows a lot about operating systems, and the guys at cisco know a lot about routers, and the guys at intel know a lot about chips, but nobody knew about anything else x they didnt know about the vulnerabilities in the things in between. And so he then i dont know how much you want me to get into this, but he basically meets up through an fbi contact with a hacker, a hacker who is his name is peter, but who goes by the name mudge whos, like, very famous in these kinds of fields. And he met him in harvard square, and his whole group was called the loft. They took him to the loft. It was on the second floor of a warehouse in boston. And they had stuff there, and they were able to do things there, hack into any password, replicate any kind of equipment, hack into anything. And that changed the whole threat model for clark. He realized, okay, you guys are doing things or are able to do things that we in the white house have said and the Intelligence Community have said only nationstates can do. And clark at the time was, he was head of counterterrorism. He was chasing Osama Bin Laden all over the place. Not physically, but and so he said, oh, thisll be great for part of my portfolio, cyber terrorism. Because if these guys were terrorists, they could do acts of cyber terrorism. So that did expand the whole notion of cyber, cyber war and what it might result in. I think thats one thing that hasnt panned out at least yet. I dont think there are any terrorist groups now that are able to do quite the things that some of the white and gray hat hackers who are getting paid a lot of money to do certain things have actually done against our infrastructure. I want to take a moment just to why that hasnt happened. But just before we do, yet one more iteration where we have the arrival of mike haden at nsa hayden at nsa in 1990 where surveillance becomes part of the story. Right. Can you tell us sort of about the impact of the changes in technology that takes us pretty much up to snowden and the present day . Right. Well, you know, the nsa up to about this time that weve been talking about, they were still very much wedded to the analog world. Tapping phone circuits, intercepting radio signals, intercepting microwave emissions, that kind of thing. And then in the early 90s, they noticed that, you know, they have these big listening towers and dishes all over the world. Certain parts of the world nothing is coming in anymore. Theyre not getting any communications because theyd gone underground, theyd gone to fiber optics, or theyd gone to cellular, and they had no ability to do this. And somebody who had been director of the nsa before wrote a paper for a congressional, a very kind of classified congressional committee. The paper was called are we going deaf, and they realized were focused on the wrong things. And the cold war was ending about this too too. The nsa used to be divided into the a group which were the guys tracking the russians and the b group which was the rest of the world. The a group, shouldnt this be cut quite a lot . Were not really tracking the russians anymore. Or not so much. So they, and this is where we get a little bit into the movie sneakers. Do you all remember sneakers . Mike mcconnell, he was a career Navy Intelligence guy. He gets into the nsa, hes looking around. Hes saying what, what does this Big Organization do . The cold war is over, were not, were not getting these radio signals anymore. What do we do . And, you know, people were coming to his office with these, okay, heres a map of sea lanes of communication. Okay, now heres the happen you really need to look at, and they were maps of fiber optics. He goes, okay, thats very interesting. So then he went to see sneakers, and for those who didnt see it, its a movie about these hackers. This was 1993. I mean, nobody nothing like this really existed that much. But theres a whole kind of ridiculous plot where they get a call from the nsa, some bad guy has a decrypting code, and they want him to steal the black box, but it turns out the nsa was really the criminals, and this guy was working for the government, and they try to get it back. Theres one scene where ben kingsley whos a kind of evil mastermind who used to be the College Roommate of robert redford, theres this whole monologue, you know, marty, the wars now. Its not about bullets and bombs, marty, about the information. Its about zeros and ones. Its about who has the most information. So Mike Mcconnell sits up in his chair, and he realizes, this is our Mission Statement now. [laughter] so he goes back, and he gets the last reel of this film, and he has everybody in the Senior Executive at the nsa watch it. He tells everybody to go watch this movie, even take off the afternoon to go watch this movie, this is what were doing now. He takes one of his best field officers, brings him back to fort meade, creates a job for him called the director of Information Warfare. And then all these kind of nascent cybertype outfits around the bureaucracy and the military all of a sudden call themselves, this is when the air force information Warfare Center, they all Information Warfare is the new thing. Thats where the money is, thats where its happening. But what they really did do and then when hayden came along, they created something called the tailored access, tao. So these were the guys who figured out how to get into computers, how to make us not guess anymore. So the president says i need to get in this guys email, they figure out how to do it. Theyre the ones who break so the new codes, its not phones anymore, its not radio signals, its fiber optickings. Its, oh, now they create an air gap where they unplug from the internet. How do we cross over the air gap . And theres something in the cia called the Information Operations center which its kind of a joint operation. And they did this in yugoslavia the first time. They would go over and plant a device on a computer or put in a thumb drive, and that would insert some malware, and the nsa can get into it from that. Thats how stuxnet happened, basically. So the tao, i mean, people asked me, they knew that i was doing this book, so they said, well, what can i do to protect myself . And i said, well, look, you know, if all youre interested in is keeping out, you know, petty criminals and kids trolling the net and, there are things you can do. There are things you can do that are pretty effective. Its like putting a good lock on your door, you know . And its worth doing. But if somebody who really knows what hes doing really wants something that you have, especially if theyre a nationstate, if they have the resources of a nationstate, theres really nothing you can do. And, in fact, you know, the pentagon this is skipping ahead a little bit, but a few years ago the defense Science Board had a special panel on cyber warfare. And they concluded that, they talked about the inherent fragility of our architecture, its the same thing that willis ware had been talking about in 1967. The inherent fragility of our networks. All these things that had been built up over time, but its an arms race. Offense keeps up with defense. They reported, they looked at the records of a lot of Red Team Blue team war games, and the red team was hacking in. They always got in. They always got in. So now the buzzwords in pentagon circles for this, they dont talk about prevention really much anymore. I mean, you do, you try to, you know, you dont just leave your doors open, you know . You do lock them. But theyre talking about detection and resilience. The important thing is that you can detect when somebody is hacking you. Really fast. And resilience, you can kick them out and then repair or what damage has been done very quickly. Thats what theyre talking about theyre saying the game is lost on keeping people out. I mean, yeah. Again, you dont want to give up the game, but theyre going to get in. Theyre going to get in. And, in fact, i learned this after i wrote the book, so its not in the book. The navy, for example, is now teaching people how to use sexting to navigate with the stars because they think the gps might be hacked. Our entire advantage in the military is built on things that are networked. And if they can hack into that, then, you know, its back to, you know, m1 tanks and m16 rifles. I mean, what are we doing . So this what people thats what people who think about this inside the military are very worried about. To puck up on that, i mean to pick up on that, i mean, one of the other themes that intersects with it is this dualuse nature of cyberspace. Yeah. And which raises, i think, the important question of what this means for the nature of warfare going forward. If its all about information and the adversary can attack civilian systems just as easily as military systems which may not be as well protected, what does this mean for if youre a student of National Security . Is this a game changer . Well, it could be. I mean, you mentioned, you know, there are a lot of vital military networks that are unclassified. Transportation, logistics, you know . Somebody once said logistics is for professionals, strategies for amateurs. Yeah. Logistics. How do you get supplies over there . How do you get food, how do you get water . A lot of that is on open networks. And they played war games where people mess with that, you know . The air task orders, you know, they go over here instead of over there. Or, you know, supposedly a plane is supposed to meet up with a refueling plane, but the refueling plane is way over here, so it crashes into the ocean. You can do a lot of funny business that and in a way that you dont even know that anythings happening. Theres that sort of thing. In terms of the vulnerabilitying of infrastructure which is where all the things blew up about, you know, the idea and i dont know how much i really buy this, but the idea that, you know, theres a scenario in some war games that was, you know, china is exerting pressure on taiwan or in the south china sea, and they say, okay, you take your aircraft carriers out of here, or were turning off all the lights on the eastern seaboard, and maybe they do. And then what do you do . As china becomes more plugged in, you know, deterrence begins to set in because we can do the same thing to them. A country like north korea, iran, this kind of thing . They dont have anything to hack so, you know, what is the response in kind . I dont know. But things like that can conceivably happen, and the interesting thing about civilian intervention over the past few decades as the military has become more aware of this, they have reduced the number of intersections between their own networks and the outside internet to about eight. It used to be a hundred. Now its about eight. So the nsa can it on those intersections, and they can do that dealey because they have the legally because they have the legal right with the military networks. So they can actually see when somebodys coming over. Its pretty good. Civilians, even civilian government, there are hundreds, there are thousands of these intersections. Theres no way that you can even if the nsa had the legal right to do this, which they dont, theres no way you could or department of Homeland Security which supposedly has, they dont have the statutory power to do this, but theyre really out to lunch on all this stuff. So theres nobody who can do this. So this is what has led to a policy of cyber offense. Quite a long time ago they came up with this computer Network Defense, cnd, Computer Network attack, cna, and then theres something in the middle called Computer Network exploitation, cne. Now, this is a dualedged sword. Cne means you want to get inside the other guys network, roam around, see whats going on. You could say, in fact, this is active defense. Its really the only way i can tell whether theyre planning an attack. I can hack into their networks and see what theyre doing. At the same time, its just one step short of Computer Network attack. You in there youre in there, all you have to do is push a button, and youre attacking. Okay. Were into their stuff this way, theyre into our stuff this way. Its kind of generally accepted that they can do this and that we can do it to them and they can do it to us. To what extent, how much, i dont know. But one reason theyre able to do it is that for years, ever since back to this reagan plan in 83, this directive and then the clinton plan as well, theyve tried to get Critical Infrastructure which is all privately owned to kind of, you know, man up on this and get some security going. Banks have actually done pretty well with this because, you know, what are banks into . Theyre into taking your money and making you feel trusted, you trust that your money wont get lost. So there are actually some very good Information Security departments within banks. And while we hear a lot about hacking into banks, there are thousands of attempts a day on, like, chase manhattan. Not very many get in. But power companies, electrical power grids, you know, dams, things like this, they really still arent paying much attention because, first of all, okay, you given us some advice on what is best practices. Maybe ill spend 10 million getting there, but it seems to me the other guy, the bad guys, will just work some way around that, and id spend another 10 million. And besides, the amount of money it costs to do this preventively isnt that much less the cost of cleaning it afterwards and maybe i can get you, the government, to pay for it anyway. One thing that clark tried to do when he was in the white house was to lay down some mandatory security requirements for Critical Infrastructure. But lobbyists always resisted this. The secretaries of treasury and commerce always resisted it. Because, you know, youre going to impede r d, youre going to make their servers slower, its going to reduce their competitiveness. All of which is true. I mean, you know, these people arent evil, but they have their own selfinterests, and their selfinterest is contrary to what this kind of interest is. And weve observed over the last few years the regulators have actually gotten more interested in this space. Until i realize your book read your book, i appreciated just how far back the tension between the dod and the rest of government, exactly how much, how involved i mean, for example, president obama yeah. President obama just signed something called the Cybersecurity National action plan which if you read the book sounds a lot like about eight or nine other commissions that have been formed or planned over the last 20 years. Hes done a few things interesting in this one that havent been done before, but one thing hes done, its half a good idea. He created something called an Information Security, a chief Information Security officer for the whole federal government. But the thing is, this guy theres no executive order giving him the power. So this guy, its kind of like the director of national as well as. Hes supposed to sit atop all of this, but he doesnt have any authority to hire anybody or fire anybody or set budgets. A real guy like this would have the authority to go to an agency which is just [inaudible] and they have passwords that say, one, two, three, four, five. Okay, im taking you off the internet, and you have a month to fix this. Nobody has the power to do that, you know . You know, one thing that several people told me is that they learned just the executive branch in general, maybe some of you know this, people going to the executive branch and saying, come on, im going to set policy, im going to create policy. Well, about 10 of it is creating policy, and the other 90 is implementing it and then going back time and time and time to make sure its still implemented. And this implementing part is what has, again, except within the defense realm, is what has always been lacking in this. And, again, this is something thats not new. It didnt start with stuxnet. Its something that has been known on a president ial level for more than 30 years. We hope that Michael Daniel and his wife seen here a few weeks ago at the rollout, what michael would tell you is that one reason to set up a commission is to sort of not necessarily create new ideas, but to take ideas that everybody has and build bipartisan interest in them. When it works, it works, you know . This commission that i talked about, that really did have an impact in the early 90s. Sometimes its just a way of sloughing it off. Yeah. And, you know, i think for all of us, were rather hoping but in this case, i mean, this thing is going to land on the doorstep of the next administration. I mean, the commission they fixed the commission. The held of the commission a few the head of the commission a few weeks ago, i dont know if the other commissioners have been chosen. They dont have clearances, they have to be vetted, they have to find a space to work. This could take months. So lets say itll be completed on january 17, 2017, and treated by the next administration the way that everything from the Previous Administration is treated by the next administration which is something to, you know, put your wobbly desk on on to top of. Once the new administration has readjusted the furniture and gotten into office, you arrive with a copy of your book. What lessons should they take from that about how they should go forward . Oh, well what can they learn from the history that youve just written . Right. You know, i dont want write books i dont write books that have explicit policy directives at the end. I wrote one book kind of like that, but, yeah, they would look at that. Well, again, i hope that some of the lesson is taken from the subtitle. There is a long history of this. This has been going on for a very long time, and read the histories as you would case studies and see why this actually led to something and why this didnt lead to anything and try to make it seem more like i think one thing, you do need, i think and just to say ignore the resistance, Something Like this, you need somebody in the executive branch who does have a lot of power to get, you need, you know, they all czar is now one of the most overused words in washington. Hes the energy czar, hes the you need to create a czar. And who has direct access to the president. And the president who at least is kind of interested in this. I mean, the problem is, of course, i mean, i dont know how these people who work in places like the white house, i mean, i wouldnt be able to stay awake, you know, in this kind of dead zone. You have got 20 crises hitting you every day from 30 different subjects. And then somebody comes in and says, you know, we might have a problem with Critical Infrastructure, you know . Its just like [laughter] excuse me, ive got people being kidnapped and killed over here right now. Your 30year plan on the cybersecurity, lets put that its like that scene in all the president s men where the editorial meeting and one of the editors says, man, i think home rule might have a chance this time. I think we ought to put it on the front page. It still looks very theoretical to a lot of people. And it looks something distant, especially and when you have crises building up where something has to be decided tomorrow, you know, it is very difficult to focus your attention on something as complicated as this. And for which there doesnt seem to be an obvious solution. Theres something, okay, well, yeah, lets flip this switch on. If it were that easy, it would have been done a long time ago. But its not. We have a room full of people who are focused on this issue, so now is an opportunity to take some questions. So please, when i call on you, identify yourself, give your affiliation, keep your question short, end it with a question mark. Gentleman in the maroon sweater. Yeah. Ken meyer, world doc. A few months back wall street, United Airlines and wall street journal all came down more or less simultaneously. You think that was coincidental . I mean, i dont know. Some things really are coincidental, you know . But i think the wall street journal, wasnt that the Syrian Electronic Army or Something Like that . Thats what i remember. I mean, the thing is there are now about 20 nations whose military have explicit cyber units. I mean, some are, some are better than others. I dont know how many much cyber the cyber electronic army, you know, is very good at hacking into the New York Times and the wall street journal. I think the New York Times has now hired fireeye to do their security, so maybe its a little harder to get into, you know . So, you know, i dont know, and i dont know if anybody knows, and, you know, another thing about, you know, if somebody launches a Ballistic Missile at you, you can kind of trace the arc. You can see where it came from. Theyre getting much better at tracking cyber, but youre launching a cyber attack, you can hop from one place to another to another, and you can disguise where you came from ultimately. Theyre Getting Better at tracing that. But its still not a 100 thing. Do you want to know the reason why we know that the North Koreans attacked sony . Any yeses . [laughter] well, basically, they werent doing this in realtime, because there was no reason to. We are so infiltrated into the north korean Computer Network that going back into the files, the elite nsa hackers could actually watch on their monitors what the north korean hackers were watching on their hon to haves monitors while they were doing the hack. In that case the fbi said we have extremely high confidence that north korea did this, which is unusually certain language in these things. And do you remember a lot initially, a lot of computer experts said, no, i dont believe it. This looks more like an inside job, can the North Koreans really do this. But, no, they absolutely knew, and thats how. Gentleman right in the back and then gentleman here and then over here. So well gentleman in the back. Hi. My names ethan berger, im with cybersecurity center. And im wondering if you looked at the commodities sector in terms of the stock market, the commodities exchange, because from my perception since just a bunch of numbers on a screen, youre free to mess up the economy of a country [inaudible] and if youre a foreign power, do a lot of damage to a countrys economy. Oh, yeah. I wonder if youve looked at it or if you know people who are. It wasnt the focus of my book but, sure, thats part of it. And, you know, one thing thats interesting, the Intelligence Community knows how to get into every foreign nations Bank Accounts. They know where the must must ms being kept. They have made an explicit exception. Mr. President , we know where mr. Putins bank account is, saddam husseins bank account is, and theres been a decision made by the cabinet that, no, listen, we do not want to go down that road, because it can go the other way. They did mess with the Bank Accounts of milosevics cronies. They can do that sort of thing, but there was an explicit decision because of the backlash. They dont want it happening to us. Now, does that mean somebody could do it to us anyway . I mean, look at opm, you know, office of personnel management. They have everybodys personnel records which were not protected as all. And, you know, that kind of thing, remember, they asked clapper about this. And he said, are we what kind of retaliation are we plotting against china for doing this . Well, you know, this wasnt an attack, it was an intelligence operation, and its similar to certain things that we do sometimes. I dont blame them for getting into this ridiculouslyunprotected network. [laughter] its not like they were attacking anything, theyre just getting information. Its like intelligence but on a grand, grand scale. But in terms of messing with the stock market or voting tabulations or yeah, no. Its all out there and open, and is, you know, we dont know. What if this has been going on for decades, as i keep saying, and there is only now a defense Science Board panel writing a report on cyber deterrence. And one of the things that theyre trying to do is to define what that means. You know, like what are you trying to deter . Is it really the governments responsibility to deter or an attack on a bank . Or two banks or ten banks . Is it just government facilities . How do you define what you know, nuclear deterrence, its pretty clear what deterrence means. Cyber deterrence, so what are you trying to deter, how big an attack, you know . At one point there was robert gates asked at one point when he was secretary of defense, at what point does an attack like this constitute an act of war . And two years later the lawyers in the Defense Department said, well, yes, under certain circumstances this could [laughter] they couldnt define it. Because nobody has. Its not, its not ab issue for lawyers an issue for lawyers in the pentagon to define. There has not been, and, you know, with Nuclear Weapons theres a very, very thick red line between using Nuclear Weapons and not using them. And thats one reason why nobody is using them in the past 630 years, because you 60 years, because you dont know whats going to happen afterwards. There are Cyber Attacks going on thousands of a of times a day. And nobody knows where each individual countrys cyber line of attack is. The first time a president said we are going to retaliate against this attack that just happened was when the North Koreans attacked sony over a movie. I mean, who would have thunk that, right . I mean, there are many opportunities for misunderstanding, miscommunication, things getting out of hand because one persons nuisance turns out to be another persons Grave National threat. And then what happens on day two . I mean, nobody people, i mean, i was interviewing this one guy pretty high up in intelligence. He, i interviewed him a few times before. We sit down, he says whats your thinking about cyber deterrence . I said, you know, i dont know, nobody seems to know. He said, oh, its a shame, im on this panel, i thought you might want to be on it. I thought, oh, my god, their considering asking me. I would never do it because its classified. Theyre so desperate, theyre asking me if im interested in joining this Science Board on cyber deterrence. Its something that they just have not thought through. And part of the reason is that for decades this has been tied up in the nsa which, you know, the joke used to be that nsa stood for no such agency, you know, the most classified. And so even when the bomb went off in 1945, certain things about that were classified. But the general workings and, certainly, the effects were well understood. And from the very beginning, you had civilian strategists thinking about, well, what does it mean . How does this affect war . What does deterrence mean in this context . Can we use these weapons . You had serious people who were not wrapped up in highly classified things with the military thinking about this and actually having influential thoughts. In cyber, until very recently, you have to have like a tssci clearance to know about a lot of things that are even going on. So theres nobody who can think about this who is really in a position to think about it. And, in fact, the title of this book, Dark Territory, ill tell you where the title comes from. Its actually a pretty good story. So when i write my books, i always say, oh, the title will emerge from my notes. Okay . It never does. But this time it did. I was looking over my notes from an interview with robert gates, and he was saying he was talking with a lot of his colleagues, Cyber Attacks all the time, and he was thinking, you know, we need to get together with the other major cyber powers to figure out some rules of the road. Because, you know, what kinds of targets we cant attack. Even the depths, the darkest depths of the cold war, there were some rules. Like americans and russians, they didnt kill each others spies. Something as simple as that. It just didnt happen. Theres nothing like this. And, you know, were wandering in Dark Territory here. And i said, theres the title of my book, Dark Territory. So then i looked it up. I did a Google Search on Dark Territory, what does this mean . I dont want to have some obscenity. [laughter] so it turns out that this is a term of art in the north american railroads to signify a stretch of track that is ungoverned by signals. And im thinking, wow, thats just perfect. Thats a perfect metaphor. So i wrote him an email, and i said, did you know this . He said, oh, yeah, my grandfather worked as a station master on the Santa Fe Railroad for 50 years. We talked Railroad Terminology around the house all the time. So thats where its a perfect description of whats going on except that, you know, the stretch is much bigger, the engineers are unknown, the consequences of a collision are far more cataclysmic than, you know, two trains running into that is the situation were in now. Do i have i have no interest in speaking for the u. S. Government or right, but i think they would tell you that there are beginning to be some elements, established norms in relation to the chinese and theyre talking about, theyre talking about setting up a forum to discuss a process by which they can discuss rules of the road. I mean, its kind of that far out. But now, you know, that was gates said this when you were talking about theres russia, theres israel, theres france, theres china. Now, how do you bring north korea and iran and syria . How do you bring these guys into this cooperative back room, you know, the five family meeting in a back room someplace to discuss how to divvy up the heroin market, you know . How do you do this now . Its a tough one. Theres a document, one of the documents that snowden put out is something called ppd20 which was Cyber Operations policy. And it had certain things that different departments were going to do. And one of them was precisely this, you know, setting rules of the road kind of thing. State department. Then there was a Progress Report like a year later, you know, pending. Progress report for this was pending. Its the hardest thing in the world to do because the other thing is we dont, you know, if youre going to say, okay, lets stay out of each others whatever, you know, electrical power plants, that means youve got to stay out too, and how can this be verified anyway . How do you know that theyre not the one time, the first discovery of a known intrusion into a classified network happened in 2008, it was an operation called buckshot yankee. And they discovered soviet, russian ups and other things ips and other things. And the way they discovered this was they were pretty confident they had the entrance points blocked, you know . And somebody in the nsa said what if somebodys already in there messing around . We ought to go look through the networks and see if anybodys in there. And they discovered somebody in there. So if they hadnt gone looking, maybe hed still be in there. So its a very, you know, were talking about things where youve got zillions of lines of code. There might be malware taking up 150 lines of code. How do you even detect that . How do you detect 150 lines of code within something thats, you know, millions of lines of code . Be its very difficult. Should just say buckshot yankee caused a significant, if nor no other reason that it leads to the establishment of u. S. Cyber command. Well, thats true. What happened was, so on a friday afternoon the guy in charge of this unit called the Information Assurance directorate in the n, a which does the nsa which does the defensive stuff, he comes to the director, general alexander, general, we have a problem. Heres the thing. Within five minutes they come up with a conceptual solution. Within 24 hours they have devised a solution, tested it and put it in motion. Within so general gates is watching this from the pentagon where by monday morning people are alerted to this, and theyre going around counting the number of computers that might be infected. And hes saying, this is ridiculous, you know . Here i am, you know . This has been going on, and they dont know what to do. So he did what people had been urging him to do for a while which is he set up something called Cyber Command and put the director of the nsa in charge of Cyber Command as well. And that is when the unit key of offense and defense, what happened. But, you know, the problem with it and, you know, under the premise of offense and defense, same technology, its the same and the only company that knows how to do this ask is the nsa, and everybody else is completely out to lunch on it. But the problem is we now have 7 billion being spent on Cyber Command. They have links with all the combatant commands. Theyre devising war plans. They have action, battle plans, you know, all kinds of attack plans, tens of thousands of people assigned to this. You go to, like, the military academies, wheres your area of growth . Oh, its cyber, cyber. And yet, as i was just saying a bit, a few minutes ago, nobody knows what theyre doing. Theres no concept of deterrence, theres no concept of what happens on the second day of the cyber war. So you have this whole machinery, and its all incredibly classified. This machinery growing up, and youre going way advanced in the Technology Field before even the finished layer of policy and strategy have been really cemented onto the foundations. So thats kind of a dangerous thing. Id love to dig into this, but i the gentleman in the middle, and then i think there was a gentleman over here. You answered my question [inaudible] oh, okay. [laughter] then gentleman in the white shirt. Hi, david spencer, georgetown student and army officer. So what do you propose we do to respond to strategiclevel Cyber Attacks, and that was it. Well, what do you mean by strategiclevel Cyber Attacks . So an actual cyber attack rather than Cyber Espionage on what . So strategically or hypothetically in this situation not, not energy, but another Critical Infrastructure sector, say transportation. Well [laughter] if i knew the answer to that one. Well, you know, one thing thats true about our economy, i mean, its not centralized. So, you know, if you shut down, you know, the subway system in new york, it doesnt really affect much of what goes on in washington or in san francisco, you know . Some countries if you shut down can, like, the transportation in tokyo, you really kind of mess up all of japan. But in electrical power, you know, they are extending, the smart grid, you know, which is, like, stupid grid for cyber purposes. But still, it doesnt take up the entire country. But, i mean, you know, in some ways, you know about data, you know, everything is hooked up to the Computer Networks now. And this is for perfectly rational reasons, you know . Its cheaper, you have more economies of scale, you you dont have to have personnel, you have everything monitored by sensors, and its all makes perfect sense. [inaudible] oh, well, god, i cant even remember what the initials stand for. Its basically that everything is controlled by Computer Networks. You know . You dont, like how did stuxnet work . They didnt shut down the centrifuges, they shut down the they manipulated the control devices that were governing how fast the centrifuge were spinning, okay . So it was the control device way away from same thing. So you can, theres something thats controlling the amount of water going in and out of a dam or the amount of voltage flowing through the electrical line. So you dont deal with the hardware, you deal with the soft [inaudible] in some ways, i mean, you know, its like what willis ware says. Once these networks are set up, its hard to come up with a way to defend them. You know . The trend in economics and commerce is to make them more and more centralized, you know . A company would want to have something going out the entire Southwest Region of the United States controlled by this one set of, you know, when this was done, when this commission that clinton set up, maybe go talk to the industry heads. And theyd say what are you doing about security . The head of some Train Company or pg e. They looked at them, security . What do you mean . They hadnt even thought about this. So you can do things to make these networks more secure, but more secure isnt secure. Maybe, you know, the barn doors been open for years, and the cows have all escaped, and, you know, short of starting all over which nobodys going to do and its hard, and, you know, its like when a company, companies can do this, like, on their company. Like, you know, they will control. And so sometimes theyll go to the government, and theyll say what can you do to help us . And theyll say, well, one thing we could do is to have the fbi, which really means the nsa, just sitting on your network. Do you want us to do that . They think about it for a minute, and they say, well, no, not really. Well, thats, thats what we can offer you. [laughter] however, we can give you some ideas. Some of these things that obama has set up, these informationsharing ideas. Heres some things that we do. Come in for the secretlevel briefing, and heres some tools that you can use and, you know, heres what we do over in the justice department, and heres what yeah. Go off and do that. But, again, you know, that might work for six months. You know, this is a tough one. Its just, this is, this is not a book with a terribly happy ening. Its also the case though that theres been a couple of decades since people started talking about cyber pearl harbors, and we havent seen that devastating attack. Its true. You might argue there is some kind of deterrence, but its not deterrence within cyberspace that well, and, in fact, we have said, the government has said we reserve the right to respond to a cyber attack by noncyber means. There is a certain amount of deterrence. And, you know, russia and china now have more of their stuff hooked up to Computer Networks. The more that this happens, that kind of mutual assured destruction thing rises up. But, again, its the wandering in Dark Territory part. There is no solid red line. And thats where it seems to start to go haywire. So lets start at the front here and work our way back. [inaudible] could you wait for the people who frank ostroff. Question, well, in many areas u. S. Is the technology leader. Everything ive seen suggests government is slow and behind, Technology Leaders. As far as youre aware, has the government done anything to create classified or a clean room or some kind of safe environment for our Technology Leaders to be talking to them about what theyre working on so that the government could be aware and leverage that . There has been that sort of thing in some defense industries. There was something created,dsb, Defense Security base . Anybody here anyway, there are lots of interchanges like this with, you know, Lockheed Martin or luckily, there are only about three big Defense Companies left, so it doesnt require that much. But there are things like that that are available. And, you know, in recent years, again, there are informationsharing systems with even banks. You come in for the brief, and heres what you can do. But, no. And, you know, when dick clark was this cyber guy in the white house, and dick has a certain authoritarian personality, he wanted to control everything. And he wanted to lay down mandatory security requirements. And he wanted to create something called fib net. It was basically an internet for Critical Infrastructure where their internet would be hooked up to Something Like a Government Agency which would be able to tell when they were being hacked, and they could come to the rescue. But, again, government, i mean, private industry didnt want that. And the Commerce Department didnt want it. And the Treasury Department didnt want it. So that idea kind of went by the wayside. Again, its hard, you know . You have to accept the whole package. And most people dont want the whole package which is why the nsa is, you know, by statute prevented from doing certain things in a domestic context unless they have a court order or letter signed by the attorney general. There are some very good people. I would say even ahead of private industry in certain respects in the nsa but, again, they cant really show their stuff with [inaudible] lock hed martin [inaudible] yep. No, theyre slow. Speak into the mic, please. They were saying lockheed is very slow. Yeah. So thats what im thinking that there, you know, the government should make the effort to do what it can to make the fact that Innovative Companies like mine or other companies, we need to make them comfortable about what theyre doing, because it would be a decision advantage for the u. S. Yeah, but, you know, then again, when you have a big corporation, its hard to do that. One of the hackers in my book, this guy named mudge, we went to work for dartmouth for about 18 months, and he created 140 projects, the most expensive of which cost 100,000, which did all kinds of very interesting things in cybersecurity. He was the guy who funded that experiment where the guy hacked into a Jeep Cherokee to show people that, hey, this is vulnerable, youve got to do something about this. But, its got to be very ive always thought like, you know, the obamacare online program, its such a mess because they gave it to an aerospace company. What they should have done is picked, like, the top ten graduates from cal tech and mit, given them a couple hundred thousand dollars apiece and put them in a room and said, okay, heres the task, go work on it. That would have been a much better way to do government i. T. Of any sort. Yeah, youre absolutely right. Its way too bureaucratic, and also it takes, like, you know, a couple of years to get a system going, and theres already been three psychs of up cycles of upgrading the offense, defense, cyber arms race. So, no, its insane. Just this week ash carters been out in Silicon Valley and announced the establishment of a Defense Innovation Advisory Board with the chairman of our board chairing that, eric schmidt. So he, you know, deigned to get involved with it, yeah. And also on wednesday at our conference we have commerce secretary Suzanne Spaulding from dhs, security official specifically trying about Public Private partnerships, and please ask that question then. Yeah, see what they say. Gentleman here. Mark broadsky, retired physicist. Spent a lot of my career at ibm. If i look around in the Defense Department, a very vulnerable place to attack or intercept signals would be the drone program. You would think, you know, somehow those signals are going out over the air someplace and to be summit to fiddling subject to fiddling with. Any stories about that attempted or happening . There have been rumors thats why certain drones attack. The thing about drones, theyre very localized. Its in this one area. But i get there is this signal that goes from the command in nevada or whatever. But even so they would have to have, i mean, hacking certain things, its not actually easy. You know, they would have to have certain things located where they could get boo this signal. Into this signal. And, in fact, there are redundant signals with this, and they change channels fairly frequently. And also how, is it really worth it . I mean, is it worth expending a lot of effort to get into the signal of one drone that is going to attack something . Or maybe its even signaling a drone thats just doing surveillance. Its a lot of effort to go after one thing thats not maybe going to do much to your own interests. But thats for a localized thing. If youre talking about within a network which sends well, for example, ill give you an idea. One of the early cyber war games was something that had just been created at the time called the 609th Information Warfare wing. And they had a little war game where, you know, theyre going to hack into the command and control, and basically, they did some of the things that i was talking about which is they messed with the air traffic orders, a refueling plane was sent over here, they didnt get their water in time. That kind of thing could be done. That stuff is still very vulnerable. The thing about the drones is that it is a very narrow bandwidth, and, again, they change it a lot. Its to one thing, and maybe youve hacked into the signal of this one drone. You know, you dont even know what this drone is doing. Itd just be a pot shot, and then it crashes x what have you crashes, and what have you proved . Maybe it just happened that that drone drones crash, you know . It happens. And its not that big a deal because there isnt a pilot in there. So, you know, and theyre cheap relatively. But, yeah, there were some rumors. There were a couple of things that crashed in iraq, and somebody claimed that we hacked, that they hacked into it, but ive never seen that verified, and i dont even know if its verifiable. So, yeah. Were watching, sort of watching the u. S. Watching there could be that. Like, what is this, what is this drone look at . You could hack into the field. Thats possible. And then you could learn things about what the u. S. Was interested in, the kinds of things theyre watching. Were running short of time, so with were going to group tht few questions, four questions. And im going to be signing books out there. Fine. So im going to take on this side, gentleman in the light jacket and gentleman in the back behind. If we have time, well take them, if not, but fred will be happy to answer your questions when hes signing books. Hello. Martin mctarian, im a graduate student at George Washington cybersecurity. You were going to talk about it early, and you never circled back to it. Why do you think there has not been a cyber terrorist attack of any note . Ah. Well, i think right now they dont have, they dont have ability to do it. I mean, again, its not you dont need to have a manhattan project, you know . You need to have a room full with some pretty adept people at computers and the computers to do it. I dont think isis has that. I dont think alqaeda has that. Now, what they theres reports that theyre been shopping around for freelancers or to do that. But maybe this arent that many freelancers who are willing to work for who can do this who are willing to work for a terrorist organization. And, you know, the Intelligence Community has it eyes on certain blackhat hacker groups that do work for bad guys. You know, like this outfit dark soul which does stuff for the North Koreans who are operating out of singapore and thailand. They know pretty much what these guys are doing. So, yeah. But, again, its not, its not something thats inherently impossible, its just i think that and isis, you know, they have enough money that they actually do get a permanent foothold, thats something that they could get invested in. I think alqaeda it was still a little early in their heyday. So its not out of the question. But i think the conerer generals of force convergence of forces hasnt happened yet. Does have a really dramatic impact [inaudible] yeah. Okay. So last question in the [inaudible] my name is ron robinson. Im interested in your opinion on the struggle between the fbi and apple. How much time . [laughter] talking about, you know, industry being ahead of government. Right, right. Okay. So there are a few things to say. Ive written some columns about this in slate if you want my more elaborate thoughts. I think both sides are being a little bit disingenuous. The public statements of both sides do not really coincide with what theyre up to. Well, apples a little bit. But fbi, i think, really doesnt need the information thats on this phone. I mean, they already have the metadata. Remember all the discussion of metadata . Like, the Business Record of what numbers my phone has dialed and what numbers have dialed my phone. Thats already out there. Thats not in the phone. They could have got that already from verizon or sprint or whoever. Thats out there. In fact, the nsa director said in an interview that there are no foreign numbers in the metadata that theyve seen. So i dont know whats in this phone that they need. If they really wanted, they thought there was something in here that we need right now for National Security purposes, they could have sent a letter to the nsa, the nsa believed it, they could have gone to the attorney general, gotten an order, and they could have hacked into this phone in certain ways that did not require the active cooperation of apple. They can do there are many wayses they can do this. Ways they can do this. Same time, apple so i think, basically, what the fbi is trying to do and i think apple is right about this, they are looking for a new legal precedent that gives them authority to do this sort of thing before encryption gets really, really hard, this new generation of encryption which is going to make it much harder for Law Enforcement and intelligence. Not impossible, but much harder to break into. Apple, however, i when this started happening, i talked with a number of people, kind of whitehat hackers, some ex people in the intelligence agency, and im pretty convinced that theres a way that apple could have cooperated without having to write a whole new operating system which they say they were being forced to do, and it violates their First Amendment rights and their whole commercial image and everything. The fbi could, you know, the way that this works is, as you know, they dont want them to unlock the phone, which apple has done 70 times, by the way. So the principle of we dont want to cooperate with this is a little bit blown to begin with. But they want them to, theres a security feature that if you type in ten pass codes and theyre all wrong, then all the data disappears. What the fbi could do and, in fact, what they offered is, okay, look, you create a program. We dont even have to be in the same room, well have nothing to do with it, just change that so that the data is erased after a thousand tries or ten thousand tries. Then well come in, or even you could come in, because theres commerciallyavailable password sniffer programmings that just, you know programs that just, you know, brute force, like 5,000 passwords a second, you know . Eventually youll get in. But we need to have you take away this layer first. Im told and, again, im not a computer scientist. I dont know. But im told even by people who are very much on apples side in this that there are ways they could make that change without writing a whole new operating system. I think what they are concerned about is once they succumb to this, then that could be the precedent for succumbing to other things or for the chinese saying, hey, that thing that the fbi had you do, we want you to do this with although i think the chinese could do that anyway, right . I dont know why they need the precedent of the fbi. So i think its a peculiar case though for tim cook to make this a big deal. Somebody very much on apples side said i dont know if i wouldnt just quietly cooperate on this one. Because youre talking about the guy is dead, so he has no pryce rights. He privacy rights. He didnt own the phone. San Bernardino County owns the phone. Theyve already given their consent, yeah, you can do whatever you want. And were talking about a guy who shot up a room full of people and had been in touch with isis. So for legal reasons, constitutional reasons, practical reasons and political optics, this doesnt look like a great test case for apple. Some people are a little puzzled. And also, you know, some of the bigger brethren in Silicon Valley are writing amicus briefs, itll be interesting to read those, because theyve not too nuts about this. Look, heres the thing, if you have a contract with the government which apple doesnt, but these other guys do you want to sell an operating system to the government, say the Defense Department. It has to be vetted for security by information director of the nsa. The first Windows Program that went lu this process, the nsa found 1500 points of vulnerability in the program. Now, then they helped them patch it. But not all of them. They left a few open, you know, so they could get into it later. And microsoft knew that, and they were fine with that. A few years ago google, their chrome system, the source code was hacked by the chinese. The nsa helped them repair that problem. So they know theres been this twoway street. And i, you know, when they all got when the snowden stuff came out, oh, my god. I liken it to the scene in casablanca where the captain says, im shocked, shocked theres gambling going on while the cruise director delivers his winnings for the night. So theres a bit of hypocrisy. Tim cook, its partly his commercial brand, but he really does believe in this very strongly. In fact, somebody at nsa told me they often go the companies and say, you know, can we talk about a meeting for issues of mutual interest . Cook has never had one of these meetings. Hes not interested in having these meetings. So among the industry of libertarians, he is, you know, he is aiming for purity. Although again, you know, i forget, in fact, maybe he wasnt chair at the time when apple opened up these other 70 phones. But the way that both sides have elevated this battle to a battle of principle, it could el up having it could end up having, and the other side is lets say they win the court battle. What im worried about is that somebody passes a law and, in fact, senator feinstein has cowritten a law that would just require companies to strip away their encryption if presented with a lawful warrant. Now, thats going a lot farther than what the fbi wants apple to do in this instance. So my worry is that especially in the current climate with terrorism and people worried about elections where their opponent in a primary accuses them of being soft on terrorism that the backlash of this could be really severe. So, again, im not quite sure why he decided to make a big political issue of this as a test case. Again, wednesday we have peter swire, a member of the president s review group on intelligence, communications, technology and postsnowden and michael [inaudible] both featured in freds book coming to debate this very issue, so please come and join us. Fred, final word. What is the one thing that we should take away from your book and the one, the one thing that people should buy this book in order to understand . Its really a lot of fun to read. [laughter] how many cyber books can you say that about . [laughter] ladies and gentlemen, thank you very much for coming. [applause] fred, thank you very much. [applause] [inaudible conversations] this is booktv on cspan2, television for serious readers. Heres our prime time lineup. Starting shortly, from last weekends tucson festival of books, a panel on human rights with teresa duncan, margaret regan, followed by an interview with margaret regan, author of detained and deports. Then at eight, former First Lady Laura Bush discusses the progress of women in afghanistan since 2001. On after words at nine eastern, former Bush Administration official john yoo looks at the growth of president ial power during the obama administration. And at ten, law professor dana matthew reports on racial inequalities within the American Health care system. And we wrap up booktv in prime time at 11 with adam cohen. He looks at the use of eugenic sterilization in america by telling the story of carrie buck, a healthy young woman deemed an imbecile and sterilized in 1927. That all happens next on cspan2s booktv. First, a panel on human rights

© 2025 Vimarsana

comparemela.com © 2020. All Rights Reserved.