Cyber Security

Transcript for: Cyber Security

MS. DIANE REHM

10:06:54
Thanks for joining us. I'm Diane Rehm. In a world increasingly reliant on complex software, many say the threat of a devastating cyber attack is growing. The Pentagon is in the process of determining what kinds of cyber sabotage would constitute an act of war.

MS. DIANE REHM

10:07:22
Joining me to talk about cyber threats to both government and private industry: Siobhan Gorman, she is a reporter with The Wall Street Journal, Mischel Kwon, security consultant and former director for the U.S. Computer Emergency Readiness Team, and Stewart Baker, he's an attorney in private practice, former assistant secretary for policy at the Department of Homeland Security.

MS. DIANE REHM

10:07:58
Do join us, 800-433-8850. Send us your email to drshow@wamu.org. Feel free to join us on Facebook or Twitter. Good morning to all of you.

MR. STEWART BAKER

10:08:18
Good morning.

MS. SIOBHAN GORMAN

10:08:19
Good morning.

MS. MISCHEL KWON

10:08:19
Good morning.

REHM

10:08:20
Siobhan, if I could start with you, The Wall Street Journal reported on a scam perpetrated by Gmail users. Tell us about that.

GORMAN

10:08:31
Well, it was perpetrated on Gmail users by...

REHM

10:08:34
Forgive me for saying by.

GORMAN

10:08:36
Oh, certainly. Well, they may have used -- we don't know. They may have used Gmail accounts also to perpetuate the scam. But what we know now is somewhat limited because, mainly, it's what Google announced yesterday, which is that there were hundreds of Gmail accounts that were sort of infiltrated by sort of perpetrators in Jinan province in China, they believe. Things in cyberspace aren't always what they initially seem to be.

GORMAN

10:09:08
But what seems to have happened is there were sort of these trick emails called phishing emails...

REHM

10:09:16
P-H-I-S-H.

GORMAN

10:09:17
P-H-I-S-H-I-N-G, that were sent to hundreds of Gmail users in a rather targeted fashion because it seems that these perpetrators focused on senior U.S. officials, military officials and officials in other Asian governments as well.

REHM

10:09:34
I guess what gets me about these so-called phishing attacks is that what they are asking for is the user's password.

GORMAN

10:09:46
Yes. What they're trying to do is basically get the credentials and information that you use to log into your email account. Other scams focus on getting the kinds of information you use to get into your banking accounts, so...

REHM

10:09:59
But if these are high-level people in government, if they're in private industry, surely they should know better than not to give out such information.

GORMAN

10:10:13
Indeed. But what often happens is -- and we don't know exactly how this particular scam was perpetrated, but they're very sophisticated now and can even, you know, catch off guard some of the most aware users. Oftentimes now, they include emails, or they're -- they use emails that seem very legitimate. They seem to be dealing with an issue that, say, a U.S. government official deals with all the time.

GORMAN

10:10:40
It's -- maybe there's an attachment that looks like it had something to do with the meeting they just attended. And so it's not necessarily like you have to be an idiot to click on one of these things.

REHM

10:10:51
You reported yesterday the Pentagon is in the process of coming up with some ways to deal with the cyber attacks. Tell us what we know so far.

GORMAN

10:11:06
Sure. The Pentagon has been putting together its own strategy for the -- in anticipation that the next generation of warfare -- really, to some degree the current generation of warfare -- is going to increasingly have elements of cyber attacks to them. And the Pentagon is worried that, down the line, there may be a conflict where an adversary wants to launch a cyber attack that would do great harm to the United States, something that would shut down portions of the electric grid or crash subway trains or something really major.

GORMAN

10:11:40
In the event of that, the Pentagon is trying to make sure that it has contingency plans for how to respond. And that's what the strategy is, providing a framework to start thinking through those contingencies.

REHM

10:11:50
Siobhan Gorman, she is Intelligence and Homeland Security correspondent for The Wall Street Journal. And turning to you, Mischel Kwon, what are you seeing in private practice? What are industries doing to try to protect themselves?

KWON

10:12:09
Well, it's a broad story, and it's difficult to say that there's one thing that's being done. I think, most importantly, the awareness that this is a problem has been heightened. With all of the news stories that are going on with all of the larger scale incidents that have been brought to attention, more and more people are realizing that this could happen to anyone. And it is happening to more and more people.

KWON

10:12:38
I think what's important to note is that organizations are beginning to assess the cost of protecting themselves and assessing whether or not doing it internally, doing it for themselves, is even possible. I think, as we go forward, we're going to have to look to alternatives, to in-house IT, the classic everyone has their own data center, and everyone takes care of their own systems.

KWON

10:13:05
We may have to pull together our resources, lower the cost of security, which is quite expensive, both to identify the threat, to identify issues you're having, and then respond to the incidents you're having. That's a very costly process. So looking to pull together, looking towards, possibly, even cloud resources to address IT services in a different way.

REHM

10:13:32
Are you talking about pulling together within industry or you're talking about a joint operation with the federal government?

KWON

10:13:43
Well, I think when you talk about a joint operation, that's always a little bit more difficult. I think what I'm mainly talking about is service, IT service offerings that broaden the scope of cloud services to include security. But I do think that there needs to be a close public-private partnership that allows a sharing of information back and forth, both from government to private sector and private sector to government because these incidents are not happening to just one sector. And then...

REHM

10:14:16
Mischel Kwon, she is president of Mischel Kwon Associates. That's a security consulting firm. She's former director for the U.S. Computer Emergency Readiness Team. Turning to you, Stewart Baker, are we doing enough yet?

BAKER

10:14:36
No, we clearly are not. The lesson of the attacks of the last year is that no one is safe. Big security companies, that should know exactly how to protect their most important assets, have had their most important assets stolen by these sophisticated attacks. It's not about being -- avoiding doing stupid things anymore. There are things you can't avoid that people are using to break into accounts.

BAKER

10:15:02
And so we're going to have to do a lot more, not just individually, but probably as a society, probably in terms of the technological architecture that we're using on the Internet. And if you ask me, what do you think is the solution, I do not think that more security is the solution. We can't build our walls higher and thicker and expect to survive attacks if people can attack us for free.

BAKER

10:15:33
And, right now, it's almost impossible to catch the people who are doing the attacks and to punish them. And as long as that is the case, they will stand off wherever they are -- Jinan province -- and continue to launch ever more sophisticated attacks. We need to find ways to attribute these attacks, to identify the attackers, and then to cause them real pain.

REHM

10:15:55
What do you mean by real pain?

BAKER

10:15:57
Well, ideally, we'd arrest them and throw them in jail if we...

REHM

10:16:02
But if it's someone in another country...

BAKER

10:16:05
Well, in some countries, we can get cooperation from the government. And where we can't get cooperation from the government, then countries that care about this need to isolate those governments and make them pay a diplomatic price for harboring the kinds of people who carry out these attacks.

REHM

10:16:21
So what you're saying is that what we're doing now and the kinds of things being done now are simply not enough...

BAKER

10:16:33
Right.

REHM

10:16:33
...to either discourage the perpetrators or to stop whatever's happening. You've just got to do a lot more.

BAKER

10:16:45
It used to be that the Pentagon said, well, no one's ever compromised our secure secret classified networks. They don't say that anymore because it's not true anymore. Companies like RSA, which are security companies, or HBGary, which are very careful about their security, have been successfully exploited by anonymous attackers.

REHM

10:17:05
What do you say to that, Mischel?

KWON

10:17:07
Well, I think it's a difficult question to answer, only because, as a security professional, we're always going to be in business. We're always going to be protecting our assets. The problem is that we're moving more and more of what we do to the Web, to the Internet, to our mobile devices. More of our lives and our businesses are now in computers. And as we do this, crime moves to the Internet.

KWON

10:17:38
As we do this, espionage moves to the Internet. As we do this, more state-sponsored activities move to the Internet. So as we move our lives there, so come the criminals, so come the bad behavior.

REHM

10:17:51
And are you saying, even as we upgrade what we're doing on the Internet, somehow the perpetrators are going to find ways to deal with that?

KWON

10:18:04
That's correct. It's the new attack surface. So we have to become diligent. We have to understand that technology will have to change. We have to be aware of what we do on the computer, what we do on the Internet. We have to be aware of what we store and where we store it. We just have to do this with a much higher level of consciousness than we've done before.

REHM

10:18:27
Mischel Kwon, she's former director for the U.S. Computer Emergency Readiness Team. We'll take a short break. When we come back, we'll talk further about rules of disclosure and take your calls. Stay with us.

REHM

10:20:03
And as we talk about the growing need for more cyber security as the technology itself changes, here in the studio, Stewart Baker. He's an attorney in private practice, former assistant secretary for policy in the Department of Homeland Security. Mischel Kwon, she is former director for the U.S. Computer Emergency Readiness Team. And Siobhan Gorman, she is intelligence and homeland security correspondent for The Wall Street Journal.

REHM

10:20:42
I'd like to understand, Siobhan, what the rules are when a cyber attack occurs, say, within a private company.

GORMAN

10:20:57
Well, the rules are really unclear right now, and that's one of the problems. In theory, publicly traded companies have to report what are known as material incidents to the Securities and Exchange Commission. But what a material cyber attack is is very unclear. And, in fact, Sen. Rockefeller, on Capitol Hill, has been pushing the SEC to make the rules clearer for companies to create more of an incentive for companies to actually come clean when these kinds of things happen.

GORMAN

10:21:28
Generally, there is no incentive for companies to come clean on a major cyber security attack if it doesn't directly affect customer information. If it does, then they have to disclose it. But if it just affects their systems, they don't necessarily have to disclose it. And yet that actually could have a much bigger impact on either, you know, sort of the security of their company or, in the case of defense contractors who are huge targets of this, U.S. national security.

REHM

10:22:00
So what you're suggesting is that any and all violations of cyber security may need to be reported.

GORMAN

10:22:15
Well, right now, they don't need to be reported.

REHM

10:22:18
Right.

GORMAN

10:22:18
But what -- actually, the White House and lawmakers on Capitol Hill are trying to strengthen some of these reporting requirements and make them a little bit clearer so that, at least for major incidents, companies have to report them.

REHM

10:22:31
Mischel.

KWON

10:22:32
Well, I have to say, we have to be really careful the way we talk about this. I'm going to try and get away from the words, come clean, because, we have to remember, the companies are the victims here. They're not the bad guys. The companies are trying their best to defend themselves against the bad guys.

REHM

10:22:51
So why wouldn't they want to divulge that their systems have been hacked into?

KWON

10:22:58
Well, there's a couple of reasons. You have to have a good reason to divulge. Either customer information was lost or it will affect the price of stock in the company. It'll somehow -- the stockholders need to know. There needs to be a reason for disclosing that there's a weakness in the system because you don't want more people to attack the system because there's a weakness. Everything has to be done purposefully, for a reason, not just because it's right to say, hey, this happened to me.

KWON

10:23:31
It's not for voyeurism. It's not so that everyone can look and learn. It's really because there's a purpose. There's a reason that that information needs to get out.

REHM

10:23:42
Is that enough, Stewart Baker?

BAKER

10:23:45
I'm concerned. There are laws that say if you know that personally identifiable information has been compromised, you have to tell everybody whose information has been compromised. But, in many cases, you don't know exactly what was compromised. You know someone was in your system, that he packed up a bunch of data, encrypted it and shipped it out. You don't know what happened.

BAKER

10:24:07
That's a pretty serious breach, and it probably should be disclosed. On the other hand, the Pentagon will tell you they probably get a million attacks a day of some sort, and there's no point disclosing them all 'cause most of them fail. And even the ones that succeed often are not particularly troubling. So disclosure obligation has to be pretty carefully targeted. On the other hand, there was an attack recently on RSA, which makes tokens on which the Pentagon and large parts of Corporate America depend.

BAKER

10:24:43
And, you know, RSA has never told us exactly what the attackers got. I'm guessing that that's because they think it would be bad for their business if people realize just how much compromising of the security tokens occurred in that attack. And they don't have an obligation right now, under law, to discuss that.

REHM

10:25:03
Siobhan, you mentioned the Securities and Exchange Commission where publicly traded companies are concerned. On the other hand, is there, beyond the SEC, a central reporting place when a system, a major system, has been hacked?

BAKER

10:25:26
No, there isn't. The best, most effective rules are the ones the states have adopted individually for personally identifiable information. That leaves out a lot of important stuff, and so it's not a complete solution. But it also means that you're disclosing sort of generally to the world, rather than to a single agency. The administration is proposing legislation that would centralize that at the federal level and probably put DHS in charge of a lot of that, and that's probably a good step.

REHM

10:25:55
What do you think of that, Mischel?

KWON

10:25:58
Well, I think it's a lot more complicated than we can probably figure out here in this hour of discussion. And I'll say there are a lot of different caveats. I'm just going to say that I actually think RSA was extremely responsible in their response. And, yes, publicly, they did not say the same things that they said to their customers. And I think that's probably the responsible thing to do, to disclose to your customers and not necessarily participate in voyeurism.

KWON

10:26:31
I'll continue to stick to that line. But what I will say is that deciding -- I think we've done a good job in talking about how to disclose when PII is involved. But it's more difficult when talking about all the different kinds of information, whether it's intellectual property, whether it's medical records. All the different types of information warrant different handling. And I think to prescriptively make one rule for all information is a dangerous thing in itself.

REHM

10:27:06
And you say Sen. Rockefeller is out there. What are his proposals? Would they be toward a central place of reportage or what?

GORMAN

10:27:20
Well, Sen. Rockefeller, I guess, has been going after this on two fronts. One is legislatively. And he and several other members of Congress have put legislation forward that is very similar to what the White House also put forward a couple of weeks ago now. And that would start to strengthen some of the reporting requirements and probably would place that at the Department of Homeland Security.

GORMAN

10:27:44
And then, separately, he's also asked the Securities and Exchange Commission to sort of make public some guidelines for when companies need to disclose either what they call a material cyber risk to their company, which would be more like cyber vulnerabilities that shareholders maybe need to know about, or a material cyber incident or attack.

GORMAN

10:28:06
And that would be when your company actually, you know, is attacked and significant information is stolen. But it would be up to the Securities and Exchange Commission to start defining that for the companies.

REHM

10:28:19
And, Siobhan, to what extent -- or what have been some of the most serious attacks that have occurred in the last few months?

GORMAN

10:28:31
Oh, in the last few months?

REHM

10:28:32
Mm hmm.

GORMAN

10:28:33
Well, I mean, probably the most significant, I would think, is the attack on RSA, mainly because a major attack on a computer security company that not only has a strong reputation for being very good on security, but actually is very good on security -- I mean, that, I think, sent the message that nobody is immune from these kinds of things. And it was very interesting that RSA decided to be public about it because it's not clear that they absolutely had to be.

GORMAN

10:29:02
And it was -- that was a major step. And what has been interesting, to me, is actually to see the number of companies since then who have also acknowledged that they have been hit. I mean, whether it was this other security firm, HBGary -- that became kind of a public thing, and they couldn't escape necessarily acknowledging it. But also that Lockheed Martin actually acknowledged that they had had their systems breached.

GORMAN

10:29:26
I mean, we actually reported, almost two years ago now, on another breach at Lockheed Martin with the Joint Strike Fighter, the Pentagon Joint Strike Fighter program. And at the time, they would not acknowledge it. It took a year-and-a-half for the government even to acknowledge that that had happened.

GORMAN

10:29:39
So there's been an increasing willingness on the part of companies to start being a little more public about this, which is -- it's an interesting trend. And I think it suggests that, perhaps, there is more of an acknowledgement that it's okay to have gotten breached, especially if you can talk about the measures that you're taking to deal with it.

REHM

10:29:58
What happened with Sony PlayStation?

GORMAN

10:30:03
I -- well, I think Mischel might be able to talk about that a little bit more, but, I mean, essentially, they had a breach, I believe, where, you know, tons and tons of account information was just totally siphoned off.

REHM

10:30:16
Mischel.

KWON

10:30:17
The Sony PlayStation was a little bit more different. It's a little bit more difficult because it also entailed all of their customers, and it entailed an online gaming system. So it's -- it hits closer to home. It hits closer to everybody's...

REHM

10:30:34
Ordinary people, yeah.

KWON

10:30:35
Ordinary people. It's not necessary -- it is a corporate breach, but it also reaches down into people's homes. So, you know, like I said before, all of these take a very interesting and different twist. And so coming up with a prescriptive way to handle it is difficult. Although the Sony breach is dealing with personally identifiable information, and there are a lot of good standards for that type of reporting.

KWON

10:31:01
What makes this even more interesting is this now crosses the international space. So, now, we're not just talking about something that happens in a state, not just something that happens here in the U.S., but this is something that's happening around the world. And that adds even more complexity to it because then where is that reported to? That's not a DHS issue, you know. We have a bigger and broader issue. So this becomes more and more complex.

REHM

10:31:28
And expensive, I would imagine.

BAKER

10:31:31
It's very expensive. It was expensive for Sony because they essentially had to shut down their system and couldn't get revenue, couldn't provide services to users for weeks because they couldn't establish who was supposed to be -- who was entitled to use the credentials that have been stolen.

REHM

10:31:48
So, at this point, as far as anyone is concerned, here in the studio at least, there is virtually no way to protect one's self against this kind of situation, Siobhan?

GORMAN

10:32:07
Well, one interesting thing that, I think, companies and the government are talking about now is not necessarily trying to keep people out of your system entirely but to figure out what are the things in your computer network that really can't be breached, that you really don't want stolen. And how is it that you protect the most important information or elements of your network? And, you know, the rest of it, you'll do the best you can.

GORMAN

10:32:33
But it's not going to be a big deal if someone gets access to that. And I think that starting to segment your network and think about what truly needs to be protected may be a way to start managing some of this.

REHM

10:32:45
What about, though, these advertisements for security systems we hear about all the time? When I hear you say that the security systems themselves are breached, how do you separate out that which can be breached from that which can't, Stewart?

BAKER

10:33:09
Well, I think it is absolutely the case that no individual can expect to protect themselves. You're...

REHM

10:33:15
Completely. Or...

BAKER

10:33:17
Completely, frankly, at all.

REHM

10:33:19
At all.

BAKER

10:33:20
People who want to get access to your computer will send you, sooner or later, an email attachment that you think is safe to open. You'll open it. Your virus systems won't detect the malware, and they will own your computer. They'll be able to record all of your keystrokes, turn on -- they did this to the Dalai Lama. They turned on his network cameras, so they could watch people, listen to people and record their keystrokes.

BAKER

10:33:49
It was the full 1984 package, except that the Dalai Lama had paid for the equipment. That is something that can be done to anybody who wants to get you.

REHM

10:34:01
Stewart Baker, he is former assistant secretary for policy at the Department of Homeland Security. And you're listening to "The Diane Rehm Show." We have many callers waiting. I'll open the phones. First to Roanoke, Va. Good morning, Matthew. You're on the air.

MATTHEW

10:34:25
Yes. Thanks for having me on the show. I just wanted to comment on how, in order to comply with the U.S. government, Google had to create backdoor access. And I just wanted your guest to comment on that. That's how the Chinese were able to gain access and exploit our accounts.

REHM

10:34:45
Siobhan.

GORMAN

10:34:46
Well, that's not necessarily clear at this point. There was some discussion at the time. And he's actually referring to the previous hacking incident at Google from December of 2009, I think. There was some discussion that part of why they got in was because Google had to set up a system to comply with law enforcement requests, but I'm not sure that we ever got to the bottom of that.

BAKER

10:35:12
I agree, and I think that that's focusing on a tiny issue in a sea of insecurity. To say, well, I think that the government's wiretap capabilities are the source of the problem, I think, misstates the issue. We have a security problem. And the government's wiretap capabilities they have required companies to adopt are not really part of that problem.

REHM

10:35:38
All right. To Dallas, Texas. Good morning, Roy.

ROY

10:35:43
Good morning. I wanted to point out the comment from the DHS person is totally wrong. It's actually those backdoors which are exploited to gain access. The Gmail hacks actually used -- the Chinese used the Gmail backdoor that is required by the Patriot Act. The way security works -- you got about 500 people writing security (word?). You've got about a million people out there trying to break in to them.

ROY

10:36:07
The people on the outside want to break in and want to share. Any time they find any little door -- a camel's nose under the tent -- that's what they share. It's those kinds of backdoors that make that possible. If you wanted to remove this threat, you need to remove the motivation. HBGary got in trouble because they set up a program to mine Facebook for personally identifiable information.

ROY

10:36:27
It made a lot of the hackers mad. They went after them. PlayStation also did some bad things to their customers. There's better ways you can do this. Being an honest and open organization is the best way to protect your stuff.

REHM

10:36:39
Mischel.

KWON

10:36:41
Well, I'll have to say that it's a really difficult situation.

REHM

10:36:48
All right. That's clear.

KWON

10:36:48
There are a lot of reasons. There are a lot of methods. You know, when you're talking about hacktivism, you're talking about the state-sponsored activity, you're talking about fraud, you're talking about organized crime, you know, why these things happen and what their motivations are, what you do to attract people to do that to you. That's a psychological issue all in itself and a very difficult one to address. And...

REHM

10:37:24
There are an awful lot of people who simply don't like closed doors.

BAKER

10:37:27
If I can add to that, I think that's a counsel of surrendering to the lynch mob. This was an attack designed to punish people for views they'd expressed, and that's not something you should surrender to.

REHM

10:37:39
All right. Short break. More of your calls when we come back. Stay with us.

REHM

10:40:03
And welcome back. We are talking about computer security, cyber security. Here's a tweet from someone who asks, "Is anyone bothered by the fact that every panel member on cyber security will profit from increased fears about security?" I'm not sure I see profiting, Siobhan.

GORMAN

10:40:32
No. My paycheck stays the same regardless of what the cyber security status is.

REHM

10:40:36
How do you respond to that, Mischel?

KWON

10:40:39
Well, that's like saying that doctors are profiting from being doctors. I mean, someone has to do this work, and, you know, it is my career. It is what I've chosen to do for my life.

REHM

10:40:54
And, Stewart?

BAKER

10:40:55
Yeah, I'm not sure that I'll be better off if people spend more on security. I'll probably be better off defending lawsuits from bad security...

REHM

10:41:04
Yeah, yeah.

BAKER

10:41:04
...than good security. And I do think this is a sort of deflection of the issue. People don't want to think about it, so they say, well, the people who are telling me -- giving me this message are doing it out of self-interest. I don't think that's the case. We really have a serious problem.

REHM

10:41:21
Let me ask you, Mischel, during the break, you were talking about your own company and how you went phishing within your company. Tell me what you did and why.

KWON

10:41:35
So I teach at George Washington University, and I teach the cyber core students. Those are the students that are being trained to work in cyber for the government. And one of the students had a research project where he put together a phishing email, and he phished a big -- a large group of people all training to be cyber professionals, and thinking, you know, a few would take the bite. And every single person, including me, took the bite.

KWON

10:42:10
It just proves that phishing is a difficult thing. The email can look really, really, really real. They'll use names of people that you know, people in your department. It could say something that pertains to needing information in order for you to get your paycheck. It could say that they're updating their address book. I mean, it could be a real -- something very, very real...

REHM

10:42:33
Innocuous.

KWON

10:42:33
...that you would want to know more information about.

REHM

10:42:37
Siobhan.

GORMAN

10:42:38
Well, people also don't realize how much information is openly available on the Internet. I mean, there are PowerPoint presentations from government conferences and things like that that often include all the attendees' names and emails. And what oftentimes these phishing attempts will do is just grab that and then send people emails directly related to the conference. And they know that the people are likely to click on it because they feel that it's relevant to them.

REHM

10:43:08
Tell me about Stuxnet, Siobhan.

GORMAN

10:43:12
Sure. Stuxnet is a computer worm that attacks computerized control systems. And these so-called SCADA control systems are in many different things, whether it's our electric grid or subway systems, things like that. They also happen to run nuclear facilities. And what happened was this worm was launched, and, apparently, about 60 percent of the infections turned out to be in Iran.

GORMAN

10:43:43
And Iran eventually acknowledged that their Natanz nuclear facility had had trouble with their centrifuges, which they then attributed to Stuxnet.

REHM

10:43:53
Is that the end of the story?

GORMAN

10:43:55
Well, no, because nobody knows who perpetrated this. And there is a lot of suspicion and very little proof.

REHM

10:44:03
And where is the suspicion directed?

GORMAN

10:44:07
The suspicion is directed at the Israelis, perhaps with American assistance. And that's a very interesting accusation. Obviously, Iran has made that accusation. But there have been researchers who have looked at the nature of the virus, and some of them say that there are signs that it could have come from Israel.

GORMAN

10:44:27
What would be interesting -- and the reason why I'm a little bit skeptical of U.S. involvement -- is that to only hit -- if your target is Iran, to only hit at 60 percent of the time would actually be a real problem for the U.S. to have been involved in something like that because some of the infections were also in the United States. And they were in Indonesia and other places. And so that's why it will be interesting if we ever figure out who's behind it because, if it was targeted at Iran, it only hit the target 60 percent of the time.

REHM

10:44:58
Well -- but with the guidelines the Pentagon is developing, could this -- could Stuxnet, if in use, be considered an act of war?

GORMAN

10:45:14
If it were in use against the United States and the U.S. could determine who actually was behind it, I would be surprised if that weren't at least considered, you know, put up for consideration to decide whether or not it was an act of war, at least the use of force against the United States.

KWON

10:45:33
Well, I think that's the real question. I think the definition of what an act of war in cyberspace is has not been clearly defined yet. In the physical world, that has been clearly defined. And I think that's the issue: what are those thresholds? And...

REHM

10:45:53
But couldn't Iran consider it an act of war?

BAKER

10:45:57
I think they do. And I wouldn't be surprised if they're plotting revenge. One of the things that is significant about Stuxnet is it's the first state use of malware to sabotage a significant facility in another country. And the Iranians are not technically incompetent. We're running the risk, and Israel is running the risk, and Germany and other countries, that there will be an attack of similar -- of a similar sort against our SCADA systems, which include all of our power systems.

REHM

10:46:37
But there was also a report earlier this week that two researchers in their own home were able to replicate Stuxnet. Where does that leave us?

GORMAN

10:46:52
Well, I think that a lot of times -- and I think we've seen this with other types of weapons in the past -- that governments will develop things, and, eventually, you know, people in the private world will find ways to replicate them, especially with something like software. If you can look at it and take it apart, then there's no reason to think that a savvy technology geek couldn't then figure out how to replicate something when kind of given the roadmap, so to speak.

REHM

10:47:21
Here's an email from Derek, and it goes to something you said, Mischel. He says, "I work for one of the world's largest IT hosting companies and frequently deal with cyber security threats. I want to comment on the notion that companies are the victims, not the enemy, when speaking of those targeted with cyber attacks. Unfortunately," -- Derek goes on to say -- "such companies are frequently both. Many companies will not sufficiently prioritize security and will make only minimal effort to address issues."

KWON

10:48:08
Unfortunately, that is the truth. The largest problem, I think, we have is having executives in large companies who run the companies, who aren't computer savvy, who don't clearly understand the threat, not prioritizing the risk and not taking the appropriate measures for protection...

REHM

10:48:33
What you're saying is it's coming out of ignorance.

KWON

10:48:36
A lot of it comes out of ignorance. A lot of it comes out of an inability to balance that risk, to actually assess it. They'll look at the risk and say, well, this hasn't happened to me yet. And that's a really difficult one to handle. And it handles -- it happens in almost all organizations where security professionals have to justify protections or upgrades or even, you know, all different ways of securing the system because it's hard to articulate what could happen.

KWON

10:49:15
You're always working with a what could happen. I mean, our largest tool right now is to take an incident and say this happened. I guarantee you, once an incident happens, that corporate CSO then has a much larger budget to deal with after the incident.

REHM

10:49:30
All right.

KWON

10:49:30
But we have to be able to do -- to deal with the incident before it happens.

REHM

10:49:34
To Orlando, Fla. Good morning, Rob.

ROB

10:49:38
Good morning, Diane. I'm glad that the panel brought up Stuxnet because, although the FCC, PlayStation and Google are important companies to think about in terms of cyber security, the cyber security on the electric power grid in North America is considered of great interest to the function of our society. And the federal government has put together a number of regulatory compliance requirements that require operators and utility owners to enforce certain types of cyber security standards.

ROB

10:50:22
It's largely the opinion of these people and these utilities that the organization NERC, that is responsible for enforcing those standards, is not doing a very good job. This has been a recent discussion on Capitol Hill, and there are a lot of things going on. I'd like to hear from your DHS panel member as to whether he believes NERC is doing a good job and whether FERC is doing a good job as the appointing authority for the ERO.

REHM

10:50:55
All right. Thanks for calling. Stewart.

BAKER

10:50:57
Very broadly, I think that we have a long way to go in that area. One of the things that Stuxnet taught us is that, as bad as IT security is on our Windows machines and our networks, the security for our power grid is much worse. It's never been part of the planning to ensure security. It's about making sure you can turn on the power again. That means they have, for example, default passwords that they never change.

BAKER

10:51:25
Everybody knows them because they want to make sure that hundreds of people have the ability to go into a particular facility and get started. So all of the attention has been on reliability, getting the power back on and not about the possibility of attackers, so we have a very serious problem there. And we also have a terrible regulatory climate in which the states and, to some extent, the power companies have said, we want to be regulated at the local level, the state level. The federal government should butt out.

BAKER

10:51:54
FERC's authority is very limited. NERC's authority is quite limited. And their ability to actually make sure that these cyber security standards, which aren't particularly strong, are actually being implemented is quite limited. At the same time, instead of focusing on that, we have been devoting billions of dollars to what we call the smart grid, which actually expands our cyber vulnerability quite substantially.

BAKER

10:52:21
And very little cyber security has been built into these smart grid initiatives. So we are actually in the process of making ourselves more vulnerable, and we're not solving the regulatory problems that might produce a little bit better security.

REHM

10:52:35
And you're listening to "The Diane Rehm Show." Siobhan, I know you want to add to that.

GORMAN

10:52:42
Well, yes. My understanding is that when NERC, which is sort of a semi-self-policing effort on the part of the electric industry, started to require electric companies to, you know, define -- I think they were -- their cyber -- the cyber components of their organization and then say that those components had to meet new standards, the vast majority of the companies suddenly found that they didn't have any cyber resources that they had to protect against these standards, even though everybody knows that electricity is incredibly reliant these days on the Internet. And so they've basically been looking for ways to get around having to deal with these new standards.

REHM

10:53:20
To Grand Rapids, Mich. Good morning, Victoria.

VICTORIA

10:53:27
Good morning, Diane. I would like to ask -- I know this is fiction. TVs and movies hire hackers to go back into the system. Is our government, like, looking for really excellent hackers, paying them big money to come to the other side and find the bad hackers?

REHM

10:53:45
What about that, Mischel?

KWON

10:53:49
Is the government hiring hackers? You know...

REHM

10:53:53
It's got to be hiring people who know how to break into systems in order to make sure that their system isn't broken into.

KWON

10:54:04
Well, and that's a part of learning security. It is learning how to break it. You learn how to fix it. You learn how to defend against people who are breaking into it. That, indeed, is a part of learning how to do this. I think there's probably somewhere in the world where someone who did something bad got hired for having that creativity. That is the way of the past. I'm not so sure that that's a good avenue for employment today.

REHM

10:54:35
Well, here's an email from Jeffrey, who says, "What protections do the anti-virus companies take to ensure that their anti-virus companies don't go home at night and write the very viruses they're paid to stop the next day?" Stewart?

BAKER

10:54:56
I'm skeptical that that happens. I'm more worried that the anti-virus software really doesn't identify many of the products that are out there nowadays.

REHM

10:55:09
And that's exactly the question from Facebook from Tom, who says, "Why is anti-virus, malware detection just another commodity to be bought and sold? Why doesn't the government declare cyber security as a public interest and make free, state-of-the-art, anti-virus, malware detection tools available to every computer? Now, you get a free minimal version that works well and one that works well only if you pay extra."

KWON

10:55:50
Well, I think this opens up a really interesting -- two interesting questions. One, can we create an anti-virus that works well? I think the whole premise of anti-virus is you already have it. You're already infected. So I think we need to look to some new technologies.

REHM

10:56:09
You're saying you've already got viruses...

KWON

10:56:11
That's right.

REHM

10:56:12
...out there to protect against.

KWON

10:56:15
If they know...

REHM

10:56:15
They're not working.

KWON

10:56:16
That's right. If they know about the signature, then the exploit has already happened.

REHM

10:56:20
All right.

KWON

10:56:21
So that, I think, we need to look to some new technologies. The other issue is you get nothing for free. If the government offers something for free, then someone else has to pay for it somewhere. And, you know, we have to keep thinking about that: nothing's for free; it just doesn't work that way.

REHM

10:56:39
We'll talk to Congressman Ryan about the budget and whether he wants to include something for that in there. Thank you all so much. Mischel Kwon, Siobhan Gorman, Stewart Baker. And please be careful on your computer. Thanks for listening, all. I'm Diane Rehm.

ANNOUNCER

10:57:03
"The Diane Rehm Show" is produced by Sandra Pinkard, Nancy Robertson, Susan Nabors, Denise Couture, Monique Nazareth and Sarah Ashworth. The engineer is Tobey Schreiner. Dorie Anisman answers the phones. Visit drshow.org for audio archives, transcripts, podcasts and CD sales. Call 202-885-1200 for more information. Our email address is drshow@wamu.org. And we're on Facebook and Twitter. This program comes to you from American University in Washington. This is NPR.
Transcripts of WAMU programs are available for personal use. Transcripts are provided "As Is" without warranties of any kind, either express or implied. WAMU does not warrant that the transcript is error-free. For all WAMU programs, the broadcast audio should be considered the authoritative version. Transcripts are owned by WAMU 88.5 FM American University Radio and are protected by laws in both the United States and international law. You may not sell or modify transcripts or reproduce, display, distribute, or otherwise use the transcript, in whole or in part, in any way for any public or commercial purpose without the express written permission of WAMU. All requests for uses beyond personal and noncommercial use should be referred to (202) 885-1200.

The Diane Rehm Show is produced by member-supported WAMU 88.5 in Washington DC.