For our November Readers' Review: “Dinner at the Homesick Restaurant” by Anne Tyler. As we prepare for holiday gatherings, join Diane and her guests to discuss this master work from the author who has made an art of exploring family love and dysfunction.
The Pentagon is putting together a plan for a U.S. response to cyber sabotage: the report will likely outline the kinds of computer attacks that would be considered acts of war and warrant possible military retaliation. Recent cyber attacks here and abroad highlight what many say is growing vulnerability for both civilian and military infrastructure, but the perpetrators of cyber attacks are often not easily or quickly identified. Join us for a conversation on the challenge of cyber security in the public and private sectors.
- Stewart Baker attorney, Steptoe and Johnson former assistant secretary of policy, Department of Homeland Security
- Mischel Kwon president, Mischel Kwon Associates, a security consulting firm former director, the United States Computer Emergency Readiness Team (US-CERT)
- Siobhan Gorman Intelligence and Homeland Security Correspondent, Wall Street Journal
MS. DIANE REHMThanks for joining us. I'm Diane Rehm. In a world increasingly reliant on complex software, many say the threat of a devastating cyber attack is growing. The Pentagon is in the process of determining what kinds of cyber sabotage would constitute an act of war.
MS. DIANE REHMJoining me to talk about cyber threats to both government and private industry: Siobhan Gorman, she is a reporter with The Wall Street Journal, Mischel Kwon, security consultant and former director for the U.S. Computer Emergency Readiness Team, and Stewart Baker, he's an attorney in private practice, former assistant secretary for policy at the Department of Homeland Security.
MS. DIANE REHMDo join us, 800-433-8850. Send us your email to email@example.com. Feel free to join us on Facebook or Twitter. Good morning to all of you.
MR. STEWART BAKERGood morning.
MS. SIOBHAN GORMANGood morning.
MS. MISCHEL KWONGood morning.
REHMSiobhan, if I could start with you, The Wall Street Journal reported on a scam perpetrated by Gmail users. Tell us about that.
GORMANWell, it was perpetrated on Gmail users by...
REHMForgive me for saying by.
GORMANOh, certainly. Well, they may have used -- we don't know. They may have used Gmail accounts also to perpetuate the scam. But what we know now is somewhat limited because, mainly, it's what Google announced yesterday, which is that there were hundreds of Gmail accounts that were sort of infiltrated by sort of perpetrators in Jinan province in China, they believe. Things in cyberspace aren't always what they initially seem to be.
GORMANBut what seems to have happened is there were sort of these trick emails called phishing emails...
GORMANP-H-I-S-H-I-N-G, that were sent to hundreds of Gmail users in a rather targeted fashion because it seems that these perpetrators focused on senior U.S. officials, military officials and officials in other Asian governments as well.
REHMI guess what gets me about these so-called phishing attacks is that what they are asking for is the user's password.
GORMANYes. What they're trying to do is basically get the credentials and information that you use to log into your email account. Other scams focus on getting the kinds of information you use to get into your banking accounts, so...
REHMBut if these are high-level people in government, if they're in private industry, surely they should know better than not to give out such information.
GORMANIndeed. But what often happens is -- and we don't know exactly how this particular scam was perpetrated, but they're very sophisticated now and can even, you know, catch off guard some of the most aware users. Oftentimes now, they include emails, or they're -- they use emails that seem very legitimate. They seem to be dealing with an issue that, say, a U.S. government official deals with all the time.
GORMANIt's -- maybe there's an attachment that looks like it had something to do with the meeting they just attended. And so it's not necessarily like you have to be an idiot to click on one of these things.
REHMYou reported yesterday the Pentagon is in the process of coming up with some ways to deal with the cyber attacks. Tell us what we know so far.
GORMANSure. The Pentagon has been putting together its own strategy for the -- in anticipation that the next generation of warfare -- really, to some degree the current generation of warfare -- is going to increasingly have elements of cyber attacks to them. And the Pentagon is worried that, down the line, there may be a conflict where an adversary wants to launch a cyber attack that would do great harm to the United States, something that would shut down portions of the electric grid or crash subway trains or something really major.
GORMANIn the event of that, the Pentagon is trying to make sure that it has contingency plans for how to respond. And that's what the strategy is, providing a framework to start thinking through those contingencies.
REHMSiobhan Gorman, she is Intelligence and Homeland Security correspondent for The Wall Street Journal. And turning to you, Mischel Kwon, what are you seeing in private practice? What are industries doing to try to protect themselves?
KWONWell, it's a broad story, and it's difficult to say that there's one thing that's being done. I think, most importantly, the awareness that this is a problem has been heightened. With all of the news stories that are going on with all of the larger scale incidents that have been brought to attention, more and more people are realizing that this could happen to anyone. And it is happening to more and more people.
KWONI think what's important to note is that organizations are beginning to assess the cost of protecting themselves and assessing whether or not doing it internally, doing it for themselves, is even possible. I think, as we go forward, we're going to have to look to alternatives, to in-house IT, the classic everyone has their own data center, and everyone takes care of their own systems.
KWONWe may have to pull together our resources, lower the cost of security, which is quite expensive, both to identify the threat, to identify issues you're having, and then respond to the incidents you're having. That's a very costly process. So looking to pull together, looking towards, possibly, even cloud resources to address IT services in a different way.
REHMAre you talking about pulling together within industry or you're talking about a joint operation with the federal government?
KWONWell, I think when you talk about a joint operation, that's always a little bit more difficult. I think what I'm mainly talking about is service, IT service offerings that broaden the scope of cloud services to include security. But I do think that there needs to be a close public-private partnership that allows a sharing of information back and forth, both from government to private sector and private sector to government because these incidents are not happening to just one sector. And then...
REHMMischel Kwon, she is president of Mischel Kwon Associates. That's a security consulting firm. She's former director for the U.S. Computer Emergency Readiness Team. Turning to you, Stewart Baker, are we doing enough yet?
BAKERNo, we clearly are not. The lesson of the attacks of the last year is that no one is safe. Big security companies, that should know exactly how to protect their most important assets, have had their most important assets stolen by these sophisticated attacks. It's not about being -- avoiding doing stupid things anymore. There are things you can't avoid that people are using to break into accounts.
BAKERAnd so we're going to have to do a lot more, not just individually, but probably as a society, probably in terms of the technological architecture that we're using on the Internet. And if you ask me, what do you think is the solution, I do not think that more security is the solution. We can't build our walls higher and thicker and expect to survive attacks if people can attack us for free.
BAKERAnd, right now, it's almost impossible to catch the people who are doing the attacks and to punish them. And as long as that is the case, they will stand off wherever they are -- Jinan province -- and continue to launch ever more sophisticated attacks. We need to find ways to attribute these attacks, to identify the attackers, and then to cause them real pain.
REHMWhat do you mean by real pain?
BAKERWell, ideally, we'd arrest them and throw them in jail if we...
REHMBut if it's someone in another country...
BAKERWell, in some countries, we can get cooperation from the government. And where we can't get cooperation from the government, then countries that care about this need to isolate those governments and make them pay a diplomatic price for harboring the kinds of people who carry out these attacks.
REHMSo what you're saying is that what we're doing now and the kinds of things being done now are simply not enough...
REHM...to either discourage the perpetrators or to stop whatever's happening. You've just got to do a lot more.
BAKERIt used to be that the Pentagon said, well, no one's ever compromised our secure secret classified networks. They don't say that anymore because it's not true anymore. Companies like RSA, which are security companies, or HBGary, which are very careful about their security, have been successfully exploited by anonymous attackers.
REHMWhat do you say to that, Mischel?
KWONWell, I think it's a difficult question to answer, only because, as a security professional, we're always going to be in business. We're always going to be protecting our assets. The problem is, is that we're moving more and more of what we do to the Web, to the Internet, to our mobile devices. More of our lives and our businesses are now in computers. And as we do this, crime moves to the Internet.
KWONAs we do this, espionage moves to the Internet. As we do this, more state-sponsored activities move to the Internet. So as we move our lives there, so come the criminals, so come the bad behavior.
REHMAnd are you saying, even as we upgrade what we're doing on the Internet, somehow the perpetrators are going to find ways to deal with that?
KWONThat's correct. It's the new attack surface. So we have to become diligent. We have to understand that technology will have to change. We have to be aware of what we do on the computer, what we do on the Internet. We have to be aware of what we store and where we store it. We just have to do this with a much higher level of consciousness than we've done before.
REHMMischel Kwon, she's former director for the U.S. Computer Emergency Readiness Team. We'll take a short break. When we come back, we'll talk further about rules of disclosure and take your calls. Stay with us.
REHMAnd as we talk about the growing need for more cyber security as the technology itself changes, here in the studio, Stewart Baker. He's an attorney in private practice, former assistant secretary for policy in the Department of Homeland Security. Mischel Kwon, she is former director for the U.S. Computer Emergency Readiness Team. And Siobhan Gorman, she is intelligence and homeland security correspondent for The Wall Street Journal.
REHMI'd like to understand, Siobhan, what the rules are when a cyber attack occurs, say, within a private company.
GORMANWell, the rules are really unclear right now, and that's one of the problems. In theory, publicly traded companies have to report what are known as material incidents to the Securities and Exchange Commission. But what a material cyber attack is is very unclear. And, in fact, Sen. Rockefeller, on Capitol Hill, has been pushing the SEC to make the rules clearer for companies to create more of an incentive for companies to actually come clean when these kinds of things happen.
GORMANGenerally, there is no incentive for companies to come clean on a major cyber security attack if it doesn't directly affect customer information. If it does, then they have to disclose it. But if it just affects their systems, they don't necessarily have to disclose it. And yet that actually could have a much bigger impact on either, you know, sort of the security of their company or, in the case of defense contractors who are huge targets of this, U.S. national security.
REHMSo what you're suggesting is that any and all violations of cyber security may need to be reported.
GORMANWell, right now, they don't need to be reported.
GORMANBut what -- actually, the White House and lawmakers on Capitol Hill are trying to strengthen some of these reporting requirements and make them a little bit clearer so that, at least for major incidents, companies have to report them.
KWONWell, I have to say, we have to be really careful the way we talk about this. I'm going to try and get away from the words, come clean, because, we have to remember, the companies are the victims here. They're not the bad guys. The companies are trying their best to defend themselves against the bad guys.
REHMSo why wouldn't they want to divulge that their systems have been hacked into?
KWONWell, there's a couple of reasons. You have to have a good reason to divulge. Either customer information was lost or it will affect the price of stock in the company. It'll somehow -- the stockholders need to know. There needs to be a reason for disclosing that there's a weakness in the system because you don't want more people to attack the system because there's a weakness. Everything has to be done purposefully, for a reason, not just because it's right to say, hey, this happened to me.
KWONIt's not for voyeurism. It's not so that everyone can look and learn. It's really because there's a purpose. There's a reason that that information needs to get out.
REHMIs that enough, Stewart Baker?
BAKERI'm concerned. There are laws that say if you know that personally identifiable information has been compromised, you have to tell everybody whose information has been compromised. But, in many cases, you don't know exactly what was compromised. You know someone was in your system, that he packed up a bunch of data, encrypted it and shipped it out. You don't know what happened.
BAKERThat's a pretty serious breach, and it probably should be disclosed. On the other hand, the Pentagon will tell you they probably get a million attacks a day of some sort, and there's no point disclosing them all 'cause most of them fail. And even the ones that succeed often are not particularly troubling. So disclosure obligation has to be pretty carefully targeted. On the other hand, there was an attack recently on RSA, which makes tokens on which the Pentagon and large parts of Corporate America depend.
BAKERAnd, you know, RSA has never told us exactly what the attackers got. I'm guessing that that's because they think it would be bad for their business if people realize just how much compromising of the security tokens occurred in that attack. And they don't have an obligation right now, under law, to discuss that.
REHMSiobhan, you mentioned the Securities and Exchange Commission where publicly traded companies are concerned. On the other hand, is there, beyond the SEC, a central reporting place when a system, a major system, has been hacked?
BAKERNo, there isn't. The best, most effective rules are the ones the states have adopted individually for personally identifiable information. That leaves out a lot of important stuff, and so it's not a complete solution. But it also means that you're disclosing sort of generally to the world, rather than to a single agency. The administration is proposing legislation that would centralize that at the federal level and probably put DHS in charge of a lot of that, and that's probably a good step.
REHMWhat do you think of that, Mischel?
KWONWell, I think it's a lot more complicated than we can probably figure out here in this hour of discussion. And I'll say there are a lot of different caveats. I'm just going to say that I actually think RSA was extremely responsible in their response. And, yes, publicly, they did not say the same things that they said to their customers. And I think that's probably the responsible thing to do, to disclose to your customers and not necessarily participate in voyeurism.
KWONI'll continue to stick to that line. But what I will say is that deciding -- I think we've done a good job in talking about how to disclose when PII is involved. But it's more difficult when talking about all the different kinds of information, whether it's intellectual property, whether it's medical records. All the different types of information warrant different handling. And I think to prescriptively make one rule for all information is a dangerous thing in itself.
REHMAnd you say Sen. Rockefeller is out there. What are his proposals? Would they be toward a central place of reportage or what?
GORMANWell, Sen. Rockefeller, I guess, has been going after this on two fronts. One is legislatively. And he and several other members of Congress have put legislation forward that is very similar to what the White House also put forward a couple of weeks ago now. And that would start to strengthen some of the reporting requirements and probably would place that at the Department of Homeland Security.
GORMANAnd then, separately, he's also asked the Securities and Exchange Commission to sort of make public some guidelines for when companies need to disclose either what they call a material cyber risk to their company, which would be more like cyber vulnerabilities that shareholders maybe need to know about, or a material cyber incident or attack.
GORMANAnd that would be when your company actually, you know, is attacked and significant information is stolen. But it would be up to the Securities and Exchange Commission to start defining that for the companies.
REHMAnd, Siobhan, to what extent -- or what have been some of the most serious attacks that have occurred in the last few months?
GORMANOh, in the last few months?
GORMANWell, I mean, probably the most significant, I would think, is the attack on RSA, mainly because a major attack on a computer security company that not only has a strong reputation for being very good on security, but actually is very good on security -- I mean, that, I think, sent the message that nobody is immune from these kinds of things. And it was very interesting that RSA decided to be public about it because it's not clear that they absolutely had to be.
GORMANAnd it was -- that was a major step. And what has been interesting, to me, is actually to see the number of companies since then who have also acknowledged that they have been hit. I mean, whether it was this other security firm, HBGary -- that became kind of a public thing, and they couldn't escape necessarily acknowledging it. But also that Lockheed Martin actually acknowledged that they had had their systems breached.
GORMANI mean, we actually reported, almost two years ago now, on another breach at Lockheed Martin with the Joint Strike Fighter, the Pentagon Joint Strike Fighter program. And at the time, they would not acknowledge it. It took a year-and-a-half for the government even to acknowledge that that had happened.
GORMANSo there's been an increasing willingness on the part of companies to start being a little more public about this, which is -- it's an interesting trend. And I think it suggests that, perhaps, there is more of an acknowledgement that it's okay to have gotten breached, especially if you can talk about the measures that you're taking to deal with it.
REHMWhat happened with Sony PlayStation?
GORMANI -- well, I think Mischel might be able to talk about that a little bit more, but, I mean, essentially, they had a breach, I believe, where, you know, tons and tons of account information was just totally siphoned off.
KWONThe Sony PlayStation was a little bit more different. It's a little bit more difficult because it also entailed all of their customers, and it entailed an online gaming system. So it's -- it hits closer to home. It hits closer to everybody's...
REHMOrdinary people, yeah.
KWONOrdinary people. It's not necessary -- it is a corporate breach, but it also reaches down into people's homes. So, you know, like I said before, all of these take a very interesting and different twist. And so coming up with a prescriptive way to handle it is difficult. Although the Sony breach is dealing with personally identifiable information, and there are a lot of good standards for that type of reporting.
KWONWhat makes this even more interesting is this now crosses the international space. So, now, we're not just talking about something that happens in a state, not just something that happens here in the U.S., but this is something that's happening around the world. And that adds even more complexity to it because then where is that reported to? That's not a DHS issue, you know. We have a bigger and broader issue. So this becomes more and more complex.
REHMAnd expensive, I would imagine.
BAKERIt's very expensive. It was expensive for Sony because they essentially had to shut down their system and couldn't get revenue, couldn't provide services to users for weeks because they couldn't establish who was supposed to be -- who was entitled to use the credentials that have been stolen.
REHMSo, at this point, as far as anyone is concerned, here in the studio at least, there is virtually no way to protect one's self against this kind of situation, Siobhan?
GORMANWell, one interesting thing that, I think, companies and the government are talking about now is not necessarily trying to keep people out of your system entirely but to figure out what are the things in your computer network that really can't be breached, that you really don't want stolen. And how is it that you protect the most important information or elements of your network? And, you know, the rest of it, you'll do the best you can.
GORMANBut it's not going to be a big deal if someone gets access to that. And I think that starting to segment your network and think about what truly needs to be protected may be a way to start managing some of this.
REHMWhat about, though, these advertisements for security systems we hear about all the time? When I hear you say that the security systems themselves are breached, how do you separate out that which can be breached from that which can't, Stewart?
BAKERWell, I think it is absolutely the case that no individual can expect to protect themselves. You're...
BAKERCompletely, frankly, at all.
BAKERPeople who want to get access to your computer will send you, sooner or later, an email attachment that you think is safe to open. You'll open it. Your virus systems won't detect the malware, and they will own your computer. They'll be able to record all of your keystrokes, turn on -- they did this to the Dalai Lama. They turned on his network cameras, so they could watch people, listen to people and record their keystrokes.
BAKERIt was the full 1984 package, except that the Dalai Lama had paid for the equipment. That is something that can be done to anybody who wants to get you.
REHMStewart Baker, he is former assistant secretary for policy at the Department of Homeland Security. And you're listening to "The Diane Rehm Show." We have many callers waiting. I'll open the phones. First to Roanoke, Va. Good morning, Matthew. You're on the air.
MATTHEWYes. Thanks for having me on the show. I just wanted to comment on how, in order to comply with the U.S. government, Google had to create backdoor access. And I just wanted your guest to comment on that. That's how the Chinese were able to gain access and exploit our accounts.
GORMANWell, that's not necessarily clear at this point. There was some discussion at the time. And he's actually referring to the previous hacking incident at Google from December of 2009, I think. There was some discussion that part of why they got in was because Google had to set up a system to comply with law enforcement requests, but I'm not sure that we ever got to the bottom of that.
BAKERI agree, and I think that that's focusing on a tiny issue in a sea of insecurity. To say, well, I think that the government's wiretap capabilities are the source of the problem, I think, misstates the issue. We have a security problem. And the government's wiretap capabilities they have required companies to adopt are not really part of that problem.
REHMAll right. To Dallas, Texas. Good morning, Roy.
ROYGood morning. I wanted to point out the comment from the DHS person is totally wrong. It's actually those backdoors which are exploited to gain access. The Gmail hacks actually used -- the Chinese used the Gmail backdoor that is required by the Patriot Act. The way security works -- you got about 500 people writing security (word?). You've got about a million people out there trying to break in to them.
ROYThe people on the outside want to break in and want to share. Any time they find any little door -- a camel's nose under the tent -- that's what they share. It's those kinds of backdoors that what makes that possible. If you wanted to remove this threat, you need to remove the motivation. HBGary got in trouble because they set up a program to mine Facebook for personally identifiable information.
ROYIt made a lot of the hackers mad. They went after them. PlayStation also did some bad things to their customers. There's better ways you can do this. Being an honest and open organization is the best way to protect your stuff.
KWONWell, I'll have to say that it's a really difficult situation.
REHMAll right. That's clear.
KWONThere are a lot of reasons. There are a lot of methods. You know, when you're talking about hacktivism, you're talking about the state-sponsored activity, you're talking about fraud, you're talking about organized crime, you know, why these things happen and what their motivations are, what you do to attract people to do that to you. That's a psychological issue all in itself and a very difficult one to address. And...
REHMThere are an awful lot of people who simply don't like closed doors.
BAKERIf I can add to that, I think that's a council of surrendering to the lynch mob. This was an attack designed to punish people for views they'd expressed, and that's not something you should surrender to.
REHMAll right. Short break. More of your calls when we come back. Stay with us.
REHMAnd welcome back. We are talking about computer security, cyber security. Here's a tweet from someone who asks, "Is anyone bothered by the fact that every panel member on cyber security will profit from increased fears about security?" I'm not sure I see profiting, Siobhan.
GORMANNo. My paycheck stays the same regardless of what the cyber security status is.
REHMHow do you respond to that, Mischel?
KWONWell, that's like saying that doctors are profiting from being doctors. I mean, someone has to do this work, and, you know, it is my career. It is what I've chosen to do for my life.
BAKERYeah, I'm not sure that I'll be better off if people spend more on security. I'll probably be better off defending lawsuits from bad security...
BAKER...than good security. And I do think this is a sort of deflection of the issue. People don't want to think about it, so they say, well, the people who are telling me -- giving me this message are doing it out of self-interest. I don't think that's the case. We really have a serious problem.
REHMLet me ask you, Mischel, during the break, you were talking about your own company and how you went phishing within your company. Tell me what you did and why.
KWONSo I teach at George Washington University, and I teach the cyber core students. Those are the students that are being trained to work in cyber for the government. And one of the students had a research project where he put together a phishing email, and he phished a big -- a large group of people all training to be cyber professionals, and thinking, you know, a few would take the bite. And every single person, including me, took the bite.
KWONIt just proves that phishing is a difficult thing. The email can look really, really, really real. They'll use names of people that you know, people in your department. It could say something that pertains to needing information in order for you to get your paycheck. It could say that they're updating their address book. I mean, it could be a real -- something very, very real...
KWON...that you would want to know more information about.
GORMANWell, people also don't realize how much information is openly available on the Internet. I mean, there are PowerPoint presentations from government conferences and things like that that often include all the attendees' names and emails. And what oftentimes these phishing attempts will do is just grab that and then send people emails directly related to the conference. And they know that the people are likely to click on it because they feel that it's relevant to them.
REHMTell me about Stuxnet, Siobhan.
GORMANSure. Stuxnet is a computer worm that attacks computerized control systems. And these so-called SCADA control systems are in many different things, whether it's our electric grid or subway systems, things like that. They also happen to run nuclear facilities. And what happened was this worm was launched, and, apparently, about 60 percent of the infections turned out to be in Iran.
GORMANAnd Iran eventually acknowledged that their Natanz nuclear facility had had trouble with their centrifuges, which they then attributed to Stuxnet.
REHMIs that the end of the story?
GORMANWell, no, because nobody knows who perpetrated this. And there is a lot of suspicion and very little proof.
REHMAnd where is the suspicion directed?
GORMANThe suspicion is directed at the Israelis, perhaps with American assistance. And that's a very interesting accusation. Obviously, Iran has made that accusation. But there have been researchers who have looked at the nature of the virus, and some of them say that there are signs that it could have come from Israel.
GORMANWhat would be interesting -- and the reason why I'm a little bit skeptical of U.S. involvement -- is that to only hit -- if your target is Iran, to only hit at 60 percent of the time would actually be a real problem for the U.S. to have been involved in something like that because some of the infections were also in the United States. And they were in Indonesia and other places. And so that's why it will be interesting if we ever figure out who's behind it because, if it was targeted at Iran, it only hit the target 60 percent of the time.
REHMWell -- but with the guidelines of the Pentagon is developing, could this -- could Stuxnet, if in use, be considered an act of war?
GORMANIf it were in use against the United States and the U.S. could determine who actually was behind it, I would be surprised if that weren't at least considered, you know, put up for consideration to decide whether or not it was an act of war, at least the use of force against United States.
KWONWell, I think that's the real question. I think the definition of what the act of war in cyberspaces has not been clearly defined yet. In the physical world, that has been clearly defined. And, I think, that's the issue is, what are those thresholds? And...
REHMBut couldn't Iran consider it an act of war?
BAKERI think they do. And I wouldn't be surprised if they're plotting revenge. One of the things that is significant about Stuxnet is it's the first state use of malware to sabotage a significant facility in another country. And the Iranians are not technically incompetent. We're running the risk, and Israel is running the risk, and Germany and other countries, that there will be an attack of similar -- of a similar sort against our SCADA system, which include all of our power systems.
REHMBut there was also a report earlier this week that two researchers in their own home were able to replicate Stuxnet. Where does that leave us?
GORMANWell, I think that a lot of times -- and I think we've seen this with other types of weapons in the past -- that governments will develop things, and, eventually, you know, people in the private world will find ways to replicate them, especially with something like software. If you can look at it and take it apart, then there's no reason to think that a savvy technology geek couldn't then figure out how to replicate something when kind of given the roadmap, so to speak.
REHMHere's an email from Derek, and it goes to something you said, Mischel. He says, "I work for one of the world's largest IT hosting companies and frequently deal with cyber security threats. I want to comment on the notion that companies are the victims, not the enemy, when speaking of those targeted with cyber attacks. Unfortunately," -- Derek goes on to say -- "such companies are frequently both. Many companies will not sufficiently prioritize security and will make only minimal effort to address issues."
KWONUnfortunately, that is the truth. The largest problem, I think, we have is having executives in large companies who run the companies, who aren't computer savvy, who don't clearly understand the threat, not prioritize the risk and not take the appropriate measures for protection...
REHMWhat you're saying is it's coming out of ignorance.
KWONA lot of it comes out of ignorance. A lot of it comes out of an inability to balance that risk, to actually assess it. They'll look at the risk and say, well, this hasn't happened to me yet. And that's a really difficult one to handle. And it handles -- it happens in almost all organizations where security professionals have to justify protections or upgrades or even, you know, all different ways of securing the system because it's hard to articulate what could happen.
KWONYou're always working with a what could happen. I mean, our largest tool right now is to take an incident and say this happened. I guarantee you, once an incident happens, that corporate CSO then has a much larger budget to deal with after the incident.
KWONBut we have to able to do -- to deal with the incident before it happens.
REHMTo Orlando, Fla. Good morning, Rob.
ROBGood morning, Diane. I'm glad that the panel brought up Stuxnet because, although the FCC, PlayStation and Google are important companies to think about in terms of cyber security, the cyber security on the electric power grid in North America is considered of great interest to the function of our society. And the federal government has put together a number of regulatory compliance requirements that require operators and utility owners to enforce certain types of cyber security standards.
ROBIt's largely the opinion of these people and these utilities that the organization NERC, that is responsible for enforcing those standards, is not doing a very good job. This has been a recent discussion on Capitol Hill, and there are a lot of things going on. I'd like to hear from your DHS panel member as to whether he believes NERC is doing a good job and whether FERC is doing a good job as the appointing authority for the ERO.
REHMAll right. Thanks for calling. Stewart.
BAKERVery broadly, I think that we have a long way to go in that area. One of the things that Stuxnet taught us is that, as bad as IT security is on our Windows machines and our networks, the security for our power grid is much worse. It's never been part of the planning to ensure security. It's about making sure you can turn on the power again. That means they have, for example, default passwords that they never change.
BAKEREverybody knows them because they want to make sure that hundreds of people have the ability to go into a particular facility and get started. So all of the attention has been on reliability, getting the power back on and not about the possibility of attackers, so we have a very serious problem there. And we also have a terrible regulatory climate in which the states and, to some extent, the power companies have said, we want to be regulated at the local level, the state level. The federal government should butt out.
BAKERFERC's authority is very limited. NERC's authority is quite limited. And their ability to actually make sure that these cyber security standards, which aren't particularly strong, are actually being implemented is quite limited. At the same time, instead of focusing on that, we have been devoting billions of dollars to what we call the smart grid, which actually expands our cyber vulnerability quite substantially.
BAKERAnd very little cyber security has been built into these smart grid initiatives. So we are actually in the process of making ourselves more vulnerable, and we're not solving the regulatory problems that might produce a little bit better security.
REHMAnd you're listening to "The Diane Rehm Show." Siobhan, I know you want to add to that.
GORMANWell, yes. My understanding is that when NERC, which is sort of a semi-self-policing effort on the part of the electric industry, started to require electric companies to, you know, define -- I think they were -- their cyber -- the cyber components of their organization and then say that those components had to meet new standards, the vast majority of the companies suddenly found that they didn't have any cyber resources that they had to protect against these standards, even though everybody knows that electricity is incredible reliant these days on the Internet. And so they've basically been looking for ways to get around having to deal with these new standards.
REHMTo Grand Rapids, Mich. Good morning, Victoria.
VICTORIAGood morning, Diane. I would like to ask -- I know this is fiction. TVs and movies hire hackers to go back into the system. Is our government, like, looking for really excellent hackers, paying them big money to come to the other side and find the bad hackers?
REHMWhat about that, Mischel?
KWONIs the government hiring hackers? You know...
REHMIt's got to be hiring people who know how to break into systems in order to make sure that their system isn't broken into.
KWONWell, and that's a part of learning security. It is learning how to break it. You learn how to fix it. You learn how to defend against people who are breaking into it. That, indeed, is a part of learning how to do this. I think there's probably somewhere in the world where someone who did something bad got hired for having that creativity. That is the way of the past. I'm not so sure that that's a good avenue for employment today.
REHMWell, here's an email from Jeffrey, who says, "What protections do the anti-virus companies take to ensure that their anti-virus companies don't go home at night and write the very viruses they're paid to stop the next day?" Stewart?
BAKERI'm skeptical that that happens. I'm more worried that the anti-virus software really doesn't identify many of the products that are out there nowadays.
REHMAnd that's exactly the question from Facebook from Tom, who says, "Why is anti-virus, malware detection just another commodity to be bought and sold? Why doesn't the government declare cyber security as a public interest and make free, state-of-the-art, anti-virus, malware detection tools available to every computer? Now, you get a free minimal version that works well and one that works well only if you pay extra."
KWONWell, I think this opens up a really interesting -- two interesting questions. One, can we create an anti-virus that works well? I think the whole premise of anti-virus is you already have it. You're already infected. So I think we need to look to some new technologies.
REHMYou're saying you've already got viruses...
REHM...out there to protect against.
KWONIf they know...
REHMThey're not working.
KWONThat's right. If they know about the signature, then the exploit has already happened.
KWONSo that, I think, we need to look to some new technologies. The other issue is you get nothing for free. If the government offers something for free, then someone else has to pay for it somewhere. And, you know, that we have to keep thinking about that that nothing's for free, it just doesn't work that way.
REHMWe'll talk to Congressman Ryan about the budget and whether he wants to include something for that in there. Thank you all so much. Mischel Kwon, Siobhan Gorman, Stewart Baker. And please be careful on your computer. Thanks for listening, all. I'm Diane Rehm.
ANNOUNCER"The Diane Rehm Show" is produced by Sandra Pinkard, Nancy Robertson, Susan Nabors, Denise Couture, Monique Nazareth and Sarah Ashworth. The engineer is Tobey Schreiner. Dorie Anisman answers the phones. Visit drshow.org for audio archives, transcripts, podcasts and CD sales. Call 202-885-1200 for more information. Our email address is firstname.lastname@example.org. And we're on Facebook and Twitter. This program comes to you from American University in Washington. This is NPR.
Most Recent Shows
The Food and Drug Administration will require movie theaters, chain restaurants and pizza parlors to include calorie counts for food and beverages – including alcohol. Please join us to discuss costs and benefits of the new rules.
Actress, model, and author Brooke Shields on her relationship with her mother and the childhood that made Shields the woman she is today.
After months of tension, a St. Louis County grand jury decides not to indict Ferguson, Missouri police officer Darren Wilson in the shooting of Michael Brown. Diane and her guests discuss reaction to the verdict from civil rights groups, protesters and law enforcement.