MEDIA ID:  IIA CYBER SECURITY

        JIM GLASSMAN: 
(MUSIC) Welcome to Ideas in Action, a television series about ideas and their consequences.  I'm Jim Glassman.  This week, Cyber Security, is the US prepared for a catastrophic cyber attack.  Joining me to explore this topic are Siobhan Gorman.  She's a national intelligence reporter for The Wall Street Journal.  Jeff Moss, a former hacker, he is the founder of the Black Hat and DEF CON cyber security conferences.  He is currently a member of the US Homeland Security Advisory Counsel.  And, Melissa Hathaway, former acting senior director for Cyber Space at the National Security and Homeland Security Councils.  Topic this week, cyber threats to our national and economic security; how vulnerable are we?  This is Ideas in Action.  

ANNOUNCER: 
Funding for Ideas in Action is provided by Investor's Business Daily.  Every stock market cycle is lead by America's never-ending stream of innovated new companies and inventions.  Investor's Business Daily helps investors find these new leaders as they emerge.  More information is available at Investors.com.
PRESIDENT OBAMA:
It's the great irony of our information age.  The very technologies that empower us to create and to build also empower those who would disrupt and destroy.  
JIM GLASSMAN: 
Almost a year after the Obama Administration outlined its cyber security strategy most experts agree that America remains exposed to cyber attack.  Past breaches of national security reveal just how vulnerable we are.  Viruses have been placed in Defense Department computers.  Secret plans for fighter jets were released on the internet.  And the military was even tricked into purchasing hundreds of counterfeit servers.  What can be done to safeguard the US against cyber warfare and how real is the threat?  Siobhan-- what are some of the actual instances of hacking that have occurred and how serious are they? 
SIOBHAN GORMAN: 
Well I think that so far what we've seen are a lot of exploratory hacking efforts, things that were surveiling (SIC) different kinds of systems.  One that-- that was described to me was-- one that had gotten a number of intelligent officials a little bit alarmed which was what appears to be Chinese and Russian surveillance of the electric grid where they also leave behind little pieces of software that would allow them to manipulate or destroy components of the systems in the future.

We've also seen lots and lots of government secrets, military secrets-- the-- the-- the F-35 fighter jet had its designs stolen-- by what had appeared to be Chinese hackers.  So there have definitely been a number of incidents, but so far they-- they seem to largely be espionage or what military folks call preparation of the battlefield, which would mean putting-- items in place that would allowed activities in the future that could be quite damaging. 
JIM GLASSMAN: 
Preparation of the battlefield, I mean, this sounds like leaving behind, I don't know, bombs or even nuclear devices let's say on American soil that can be blown up when it's to the advantage of a-- an antagonist.  I mean, is that what's going on right now? 
MELISSA HATHAWAY: 
I-- I like to think of it as a-- as a presence that sits within our networks.  And-- whether it's organized crime that has put-- the presence in your network or-- a hacker or an agent of another country, their motives are very different in what they're trying to achieve.  Some are trying to just steal money; some are trying to illegally copy your intellectual property.  And some perhaps are laying the ground work for future-- operations if there were in fact a time of war. 
JIM GLASSMAN: 
But it-- it-- 
JEFF MOSS: 
I-- I think it's classic hacker behavior.  I mean, this is since the dawn of time.  If you broke into a network and you spent a lot of time and energy, you wanna make sure you can come back later.  You don't wanna have to repeat that task every single time.  And so hackers got very good at leaving back doors and root kits-- to make sure that they could come back at a later date.  I think this is just other people doing the exact same thing.  
JIM GLASSMAN: 
But your hackers also wanna leave behind something to show that they're there.  Is it kind of like a personal-- 

JEFF MOSS: 
No, no, I think-- I mean, they don't wanna be detected.  Being detected means you get kicked out.  And so they spend a lot of time trying to be very stealthy and not-- not detectable. 
JIM GLASSMAN: 
But it-- it seems to me that the-- the most troubling story that I've read and I know you-- you've-- you've written about this, is the story about, you know, leaving behind-- software that could actually destroy-- the-- the electric grid in parts of the United States.  
SIOBHAN GORMAN: 
Some-- some people call them logic bombs and I mean, I've-- it's-- analogies that have been described to me would be-- you know, like almost planting little, you know, actual bombs say alongside the highway.  But they couldn't, you know, they-- they wouldn't be detonated immediately.  

It would in the-- in the instance of a crisis or some kind of conflict where it was to the advantage of those who had planted those little bombs to actually quote/unquote detonate them.  In the case of the electric grid, it's a little bit tough to judge exactly how much damage it would do because there's so many different intertwined computer systems that control the electric grid that they would definitely have to get key components of it to really take electrical systems down.  But I think that what has alarmed the government people I've talked with about this is that it seems so pervasive that they don't necessarily even know how much damage could be done.  
JIM GLASSMAN: 
Are there simulations going on now so we can figure out what damage would be done to the electric grid under these circumstances? 
MELISSA HATHAWAY: 
I know that the fed-- Federal Energy Regulatory-- Commission is working closely with the North America Electricity Reliability Corporation, FERC is the federal regulators, NERC is the industry-- group that-- meets to the standards to-- ascertain how-- one would ensure the reliability of the grid if any other part of the grid were to go down. 
JIM GLASSMAN: 
Don't-- don't the Chinese, I've heard Jeff, have a kind of a-- a core of, maybe they're volunteers, maybe they're paid, but it's really thousands and thousands of-- of hackers who are either operating on instruction or kind of-- somehow being inspired to do things? 
JEFF MOSS: 
Yeah, it's-- it's like a patriotic hacker movement.  And you see this in Russia as well, and to some extent, the United States.  I think most countries have a core of-- of sort of patriotic hackers.  South Korea versus North Korea or-- but-- it-- it seems to be more formalized in China. 
JIM GLASSMAN: 
So, Siobhan, I mean, it-- it-- it's clear that there's a threat here.  Why-- why was it so difficult for the administration to find a-- a cyber security coordinator? 
SIOBHAN GORMAN: 
Well I think that there was a lot of debate within the administration about exactly what role this person would play.  And there was a lot of-- debate and really battling going on between the National Security Council and the Economic Security Council.  And I think that after awhile it became very difficult to recruit people to a job where they could see that there was gonna be this inherent tension.

And that means that when you take the job you are inheriting sort of these-- these pre-positioned battles.  And it was also not clear, I think, to a lot of people who were considering the job how much authority this person would have from the White House.  Would they really be able to direct federal agencies to do things.  Would they really be able to control the purse strings.  
JIM GLASSMAN: 
Is-- Melissa, you-- you have personal experience along these lines, do-- do you agree with that? 
MELISSA HATHAWAY: 
I-- I think that the position that we recommended in the Cyber Space Policy Review had to report into both councils.  Because many of the initiatives that are being-- 
JIM GLASSMAN: 
You mean Economic and National Security or Homeland Security? 
MELISSA HATHAWAY: 
No, National Economic Council-- and the National Security Council and why is that-- because many of the President's initiatives, Smart Grid-- digitizing the health records and the reform of really-- of our health IT-- the reform of our Air Traffic Control System, Air Traffic Management and moving broadband to every household in America all require a security-- component.  

But those-- all of those initiatives are led out of the National Economic Council.  And without having somebody who's responsible for ensuring the security of those initiatives, we could in fact make the-- the whole nation more vulnerable by only thinking about it as an economic initiative vice a national security initiative. 
JIM GLASSMAN: 
So-- so the threat is really in both areas.  The threat is-- is to the US economy as well as being almost a classic military threat.  Is that right? 
JEFF MOSS: 
Well I mean, this is how our country does business; we do it online now.  And so, any-- any threats to how we do business online is an economic threat. 
JIM GLASSMAN: 
I mean, how-- I-- I just wanna be clear, how bad it could be.  Could you-- could hackers go into the-- are all the-- all the accounts of a large bank and just wipe 'em out completely? 
JEFF MOSS: 
Well-- so-- you'd quickly go down this road of-- of-- a parade of horribles; all the bad things that can happen.  And when you look at who's actually attacking us, you-- you get their motives.  Organized criminals need the network to be up because they need the internet to work; to steal from us.  Nation states need the network to be up to steal secrets and to perform covert operations.  

There's very few groups that need the network to be down.  So when you start talking about cyber war and the network coming down, it's-- it's kind of a-- it's an edge-case, it hasn't happened yet because everybody who's playing on the internet right now needs it to be up to perform their-- their tasks. 
JIM GLASSMAN: 
I-- I wanna get back to this policy question.  I mean-- do-- how-- what-- what could a Cyber Czar actually do to-- protect-- protect all these computers in the United States?  I mean, if individuals are vulnerable to-- to phishing-- and other kinds of-- of-- techniques that can extract their information, what can somebody in Washington do to change that? 
SIOBHAN GORMAN: 
Well what-- what the Fed-- the challenge-- the main challenge the Federal Government is facing is not only is it worried about protecting its own networks, but it's gotta think through this problem of the vast majority of the computer networks out there, many of which the government relies on, many of which we rely on for things like power-- and all kinds of other, you know, critical activities are in the private sector, the government doesn't have direct control over that.  

And so there's been this-- this dance that's been going on now since-- there's been sort of a more serious discussion about cyber security of well what is really that relationship?  And, particularly because in the US Government, the National Security Agency which is an intelligence agency has this greatest amount of expertise in this area.  

But people are-- very cautious and careful about getting an intelligence agency too involved in not only domestic affairs, but, you know, private affairs because that raises all kinds of questions about-- a surveillance society and things like that.  So, how-- how they can work more hand in glove to ensure that the most important systems are-- are as secure as they could possibly can be. 
JIM GLASSMAN: 
I mean, are-- are, Melissa, are there-- is there resistance from these corporations to working hand in glove as Siobhan says.  I mean, seems to me if I were running a big corporation I would-- I'd welcome government help and somehow-- in-- in-- in protecting my computer systems. 

MELISSA HATHAWAY: 
Well I think that there is a careful balance of-- private entities or private and they're about making profit.  And-- and the government is about ensuring essential services and the protection of its citizens.  It's not about ensuring profit.  The private public partnership is probably the most difficult thing to move forward and the government will have to look at different market leavers to incentivize the private sector to build the security into the infrastructures that need to be done for our overall national and economic security. 
JIM GLASSMAN: 
Wh-- what do you mean by market leaver?  Pay them to do things? 
MELISSA HATHAWAY: 
Mar-- market leavers can be anything from a tax incentive to a regulatory environment.  Our telecommunications systems are already regulated.  However our internet service is not regulated. 

JIM GLASSMAN: 
Jeff-- you-- you raise some-- skepticism-- about really how dangerous this threat is, making the point that a lot of-- a lot of the players who could destroy computer systems really want them to be operating.  Is there something else-- operating here which is kind of a mutually assured destruction.  In order words, if the Chinese say do something to the-- the American electric grid-- we could do something to them.  
JEFF MOSS: 
And you could.  But like Melissa pointed out, you've got to know it's them.  And attribution on line is-- is very difficult, especially against a-- a clever adversary.  You know, against maybe-- a low level-- organized crime group, maybe it's easier to ascertain their-- their true location but against a clever nation state, I don't think you'd have a whole lot of luck-- with 100 percent certainty. 

I mean, it's not the same as during the cold war looking across the horizon and seeing a missile rise out of Russia and say, "Ah-ha, that's who's about to--
JIM GLASSMAN: 
But is-- is there a way to put fingerprints on-- on-- you know-- 
JEFF MOSS: 
You can-- 
JIM GLASSMAN: 
--Anoth-- another-- another actor or maybe have some sort of protocol-- 
JEFF MOSS: 
Yes, you can correlate and-- and so it's like-- when I'm talking to people about this I say it's not like you can on CSI you hit a button and you know, "Ah-ha, look they're attacking us."  I think it's gonna be more like traditional detective work.  You'll have packet traces that say it looks like it came from, for example, China. 

You'll have people on the ground that'll say there's activity in the building.  You'll have an informant that'll say, "Yes, you know, Professor so and so went into the building."  And you'll correlate this together and you'll say there's a high degree of certainty that the attack came from, for example, China.  But I-- I get nervous when people say there's a magic button you press and it'll absolutely tell us where the attack came from. 
MELISSA HATHAWAY: 
I-- I agree with Jeff.  And I think that we should-- as countries, you're-- I'm hearing at least more of as supposed to this more of a mutual assured destruction, it's more of a mutually assured survivability.  And how are we going to ensure that our infrastructures can survive a degradation or an attack no matter where it came from and without-- with or without attribution. 
JIM GLASSMAN: 
Siobhan-- you cover in-- intelligence in general beyond this area.  Are we-- do we have an intelligence apparatus that's-- that's looking at, I don't know-- we keep picking on the Chinese, but the Chinese or the Russians or the Iranians to see what-- actually what they're doing-- not just the electronic signals, but what individual actors might be doing? 
SIOBHAN GORMAN: 
Certainly that's part of it and I think that one of the big elements of kind of the post 9/11 intelligence reform was trying to find out how best to combine the resources that we already have in our intelligent services, the National Security Agency is gonna be collecting electronic information, the-- the Central Intelligence Agency is gonna be collecting information from its own human sources. 

And, you know, you have-- you have mapping and you have all kinds of-- of information that's being collected.  And I think that-- certainly with a comprehensive National Cyber Security-- Initiative that has driven a lot of elements of government including the intelligence agencies or perhaps in some cases, especially the intelligence agencies to try to focus on what they call, you know, some of these hard problems. 
JIM GLASSMAN: 
And-- and how does this threat fit in with other national security threats?  I mean, are we spending enough money on cyber security, for example, compared to other kinds of security? 
MELISSA HATHAWAY: 
I think that there-- is not adequate funding in this particular area because the capabilities have not been developed over time.  We've largely ignored the security of our core infrastructure from an electronic perspective and our enterprises.  

And I think that as we're moving forward part of the resourcing strategy is not only building capabilities but its training people.  And it's communicating the problem in a way that people can understand it; both the American people, corporate America and the-- the people who are charged with securing our core-- enterprises.  
JIM GLASSMAN: 
But you talk about capabilities.  I mean, there is a kind of a gold rush going on some people would say among contractors.  I mean, there-- there is a lot of money being spent compared to what was spent before.  I mean, is-- is that an indication that this is a much higher priority? 
MELISSA HATHAWAY: 
Certainly at the end of the Bush Administration-- President Bush and his administration made this a significant priority and-- we-- while we were working that program we received bipartisan support from both chambers of commerce-- congress and they-- funded the initiative-- almost at 85 percent of the request of what the administration put in, which was a significant amount. 

Congress continues to fund-- the requests that were put forward in President Obama's Administration.  However, I-- I think that there's still more funding that needs to be allocating in particular areas-- 
JIM GLASSMAN: 
How-- how much money are we talking about?  How-- how much money is being spent now? 
MELISSA HATHAWAY: 
Well it depends on-- how you think about it.  Just the IT budget alone is $80 billion a year of which a percentage of the $80-- the administration's IT budget is-- has-- set aside for security. 
JIM GLASSMAN: 
Do you know, Siobhan, how much money is being spent by the government on cyber security? 
SIOBHAN GORMAN: 
Well what I was-- the-- the challenge is that it combines-- the-- the budgets of agencies like the Department of Homeland Security with the budgets of agencies like the National Security Agency, which is classified.  But I was told that it was roughly $17 billion that-- that the administration got-- I believe at the end of the Bush Administration.  

And that was over several years, I think it was probably a five year or so period.  And I think that the people who were pressing for that funding at the time were still considering it kind of a down payment.  But that was kind of the initial commitment that the executive branch could get from congress. 
JIM GLASSMAN: 
Do you think-- Jeff this money's being spent wisely? 
JEFF MOSS: 
Well-- let me back up just a little bit.  I think the-- the Google versus China-- incident was the best thing that could happen-- from a public awareness standpoint.  I think we had more-- more discussion in congress about cyber security since that became public.  I think that's really moved the-- 

SIOBHAN GORMAN: 
Not that it's moved any legislation. 
JEFF MOSS: 
No it hasn't, but I think it started the conversation finally.  And-- and-- 
JIM GLASSMAN: 
Well was that about security or was that more about-- privacy for example or-- or-- 
JEFF MOSS: 
Well it's a crystal ball-- 
JIM GLASSMAN: 
--freedom? 
JEFF MOSS: 
--it's about whatever you want it to be about.  It could be about privacy, it could be about-- human rights.  It could be about-- 
JIM GLASSMAN: 
But why is it about security? 
MELISSA HATHAWAY: 
Well because the-- the penetrations that came in because of the-- the zero day-- which is a-- unbeknownst to anybody before the day that-- it was used-- vulnerability within a particular software program was exploited.  And that enabled a back door into a number of different comp-- companies; many of which were targeted very specifically.  And whether it's 30 or it's 100 or a-- a recent number that I heard was 2,100, there were a lot of companies affected.

And-- and at least one company filed in their SEC filing under reportable risks a 10K that-- they had been penetrated as a result of this Google/Aurora incident, they had lost information.  And even-- some of their product line might have been compromised. 
JEFF MOSS: 
Well, and see what it does is it forces people to debate, is it a national security issue?  Was is China versus a US company?  Is it a domestic law enforcement issue?  Is it an intelligence issue?  Is it a military issue?  It-- it really grows into stark relief, like the problems we have in dealing with these issues right now. 
SIOBHAN GORMAN: 
And the interesting thing was that I think the answer to that question was all of the above.  
JEFF MOSS: 
All of the above. 
SIOBHAN GORMAN: 
I mean, you saw the State Department involved.  You saw the National Security Agency involved.  You saw all these government entities involved that Google probably would generally want to keep somewhat at bay.  But because it obviously ended up involving something that wasn't just, you know, hacker against Google, there-- you-- you saw that there was a broader interest-- 
JEFF MOSS: 
Something was different-- 
SIOBHAN GORMAN: 
--that the nation had. 
JIM GLASSMAN: 
But with all of these different interests and with all of these government agencies involved, I mean, does that cast some doubt about whether a Cyber Czar can be affective?  I mean, this is-- 
JEFF MOSS: 
And I think the Cyber Czar can try to untangle this and help set standards in the future, so the next time this happens it's a little bit easier to deal with. 
MELISSA HATHAWAY: 
Right, I think that the-- the Cyber Security Coordinator really that is their job, is to help-- put the best players on the field to handle whatever issue.  And whether it's the FBI with-- from a counter-intelligence and law enforcement perspective or the Department of Homeland Security in helping inform corporate America of what's happening.  

Or the core expertise of the National Security Agency looking at it from an information assurance investigation, that-- that really is the person who's at the White House and the White House is the only place that you have total visibility into what all of the departments and agencies have and can bring to the-- to the table.  
JIM GLASSMAN: 
You know, one of the things that I've learned in my time in government is that none of this works no matter where the person is situated unless the President himself sets a very high priority on something.  Because the President has so many other things to do and it's an indication to the bureaucracy that this is a top priority of mine.  Is this President doing that? 
MELISSA HATHAWAY: 
I think that this President-- as he campaigned with cyber security that it-- it was a top priority.  He-- asked for the cyberspace policy review; that was delivered.  The current White House is working on-- the action plan that was articulated in the cyberspace policy review.  It's-- I think it is one of the priorities, but it's one of many. 
JIM GLASSMAN: 
What would you say to that?  Is it a high-- is it-- is it a high priority?  I mean, is the fact that it's taken-- here we are in a year and a half into the administration and really there's not a lot of activity on this front. 
SIOBHAN GORMAN: 
Right, part of it is just the Washington expectations game because President Obama did include some discussion of this in his campaign.  He even ran an ad that included a component of cyber security, it was a broader national security related campaigned ad.  He-- he commissioned a group during his transition to look at cyber security issues. 

Then he asked Melissa and her team to look at cyber security issues.  And then he gave this much heralded speech last May-- well now a year ago last May-- on, you know, declaring it a-- a critical economic and national security issue.  And then there was this long lull and it's not really that clear-- what the White House is doing on national-- on-- on cyber security at this point.  I mean, there was some discussion in October because that was National Cyber Security Awareness month but it was very general--
JIM GLASSMAN: 
Oh I missed that. 
SIOBHAN GORMAN: 
Yeah (LAUGHING)-- and-- and it-- it wasn't-- it didn't have any specific policies-- sort of as-- as components of it.  And what was interesting was during the-- the Google China discussion most of that seemed to be handled out of the State Department, at least in terms of the public face.  And that-- that may well be appropriate, but it didn't lead to a perception of the White House cyber security-- office really taking hold and dealing with these issues. 
JIM GLASSMAN: 
So what does the cyber community think of all this?  Is-- is there-- is-- is there a certain amount of excitement about the fact that-- this has become a big issue or is it-- 

JEFF MOSS: 
No-- 
JIM GLASSMAN: 
--or do you feel like this lull that Siobhan is talking about is-- is-- is dominating? 
JEFF MOSS: 
I think there's an acknowledgement that you do need somebody; you need a coordinator of some sort.  And-- ideally it would more like a cabinet level position; somebody with some real authority that can do-- it's listened to.  That carries around a little bit of a stick that they can pull out if they have to.  And that hasn't happened yet. 
JIM GLASSMAN: 
So what do we need-- do we need a-- a major cyber attack to-- to effectuate something? 
JEFF MOSS: 
Well, so-- a couple of things.  People seem to learn through pain, right, so maybe we need to suffer some pain until people take this seriously.  And-- and I'm hoping that the Google and-- and related announcements will raise the threshold so that we don't have to suffer major, you know, catastrophic-- electronic Pearl Harbor, I've heard it referred to as.  That would not be a good way to learn, 'cause some of these systems would take a long time to get back up and-- and running.  

But I think what's happening is, at least with this president, it ran a-- a very effective online campaign.  They're very aware of the power of the internet.  And I think you see the staffers in congress, they're very aware now; they're all plugged in.  

And I think what's happening is it's moving its way through government now.  It's, you know, maybe ten years behind.  And it's finally getting to a point now where we see some visible movement and-- and that's exciting because now it's starting to happen. 
JIM GLASSMAN:
If there is such an attack, predict what it would be like. 
SIOBHAN GORMAN: 
If-- if there were an attack that could take down say a third of the electric grid, economists who have worked through this have found that you're probably looking at-- at least a trillion dollars of damage to the economy and that's not even looking at sort of the cascading effects.  And so, I think that's the kind of thing that has people worried because-- an-- an attack that could take out a wide swath of the electric grid has both national security and economic implications and that's what really worries people. 
JIM GLASSMAN: 
And on that note, thank you Siobhan, thank you Jeff and thank you Melissa.  Before we go, I wanna remind viewers that you can watch Ideas in Action whenever and wherever you want.  Just go to our website to watch complete episodes or download podcasts to your MP3 player through the I-tunes Store.  Wherever you watch, be sure to join us next time.  That's it for this episode, for Ideas in Action, I'm Jim Glassman. 
ANNOUNCER:
For more information visit us at ideasinactiontv.com. Funding for Ideas in Action is provided by Investor's Business Daily. Every stock market cycle is led by America's never ending stream of innovative new companies and inventions. Investor's Business Daily helps investors find these new leaders as they emerge. More information is available at investors.com. This program is a production of Grace Creek Media and the George W Bush Institute, which are solely responsible for its content. 
* * *END OF AUDIO* * * 
* * *END OF TRANSCRIPT* * *