World leaders react to a historic shift in U.S. policy toward Cuba. Pakistan buries victims of a school massacre by the Taliban. And U.S. officials say North Korea is behind the hacking of Sony Pictures. A panel of journalists joins Diane for analysis of the week's top international news stories.
Recent revelations about the Stuxnet and Flame computer attacks show the urgency of threats in the digital universe. Two years ago, the Stuxnet worm, which was designed to attack uranium processing centrifuges, was discovered at an Iranian nuclear plant. Last week, The New York Times reported President Barack Obama approved the operation as part of a secret U.S. and Israeli campaign against Iran begun under the Bush administration. And days ago, we learned of Flame, a cyberespionage mission secretly collecting data in Iran for years. Washington Post investigative reporter Robert O’Harrow has written a series on the fundamental nature of cyberspace. He joins Diane and cybersecurity experts to discuss vulnerabilities and strategies for defense.
- James Lewis director and senior fellow, Technology and Public Policy Program at the Center for Strategic and International Studies.
- Charles Miller principal research consultant at Accuvant.
- Mischel Kwon president, Mischel Kwon Associates, a security consulting firm; former director, the United States Computer Emergency Readiness Team (US-CERT).
- Robert O'Harrow investigative reporter, The Washington Post, and author of "No Place To Hide."
MS. DIANE REHMThanks for joining us. I'm Diane Rehm. Flame and Stuxnet are among the latest weapons in what the Pentagon has declared a new domain of warfare cyberspace. It's recently turned to private companies, universities and even gamers for Plan X, an effort to launch attacks and withstand retaliation. A new series in The Washington Post shows any system containing computer code and connected to the Internet is vulnerable.
MS. DIANE REHMJoining me in the studio: Washington Post investigative reporter Robert O'Harrow, Mischel Kwon, former director of the U.S. Computer Emergency Readiness Team, and James Lewis, director of the CSIS Technology and Public Policy Program. I'm sure many of you will want to chime in. Join us by phone at 800-433-8850. Send us your email to firstname.lastname@example.org. Join us on Facebook or send us a tweet. Good morning to all of you.
MR. JAMES LEWISGood morning.
MS. MISCHEL KWONGood morning.
MR. ROBERT O'HARROWHi, Diane.
REHMRobert O'Harrow, when you first began working on this series, I think most of us had never even heard of Stuxnet or Flame. How long have you been working on this series?
O'HARROWWell, I've been working on it for months now while doing other work and exploring it and realized that not only do -- have many people not heard of Stuxnet, they don't even understand the fundamentals of this strange world, this wonderful, strange and, in some cases, threatening world of cyberspace. So at The Post in our project zero day, we decided to take a -- sort of go back to basics.
O'HARROWAnd so the stories really go to fundamentals like code. What is cyberspace? How do hackers make these attacks? And we're hoping that that'll contribute to a public understanding, including in Congress, so that we can all sort of crawl our way to a better understanding, to make good rules, good policies and such.
REHMAnd is that what's needed at this point where already we've learned that the president of the United States had approved the launch of Stuxnet when we were trying to find out about Iranian centrifuges?
O'HARROWWell, Stuxnet, to remind people, was what's known as a worm that was sent into the Internet to find particular targets. And those targets, investigators believe, were uranium centrifuges in Iran. And the idea was that it had -- it was a startlingly sophisticated code that found its way into the computer systems and disrupted the -- what are called industrial control systems in the Iranian uranium processing center while telling the people watching that everything was fine.
O'HARROWIt was -- it's like science fiction in a way. You were referring to a story in The New York Times last week, a terrific piece that -- in which the White House acknowledged that they ordered this attack. And it now becomes, as some people are putting it, a new Rubicon. The U.S. has crossed that Rubicon in publicly acknowledging that the threats we've made, the warnings that we would -- the U.S. would take these measures, in fact, has occurred.
REHMMischel Kwon, as a former director of the Computer Emergency Readiness Team, were you surprised that the president did acknowledge to The New York Times and to David Sanger, the reporter who broke that story, that he had indeed approved Stuxnet and that we now, as Robert has says, had this whole area of investigation open to the public?
KWONWell, I don't know if I'm actually surprised. I don't know if that's a good way to look at it. It definitely moves us to a different place. It moves us from strictly talking about the defense to talking about the offense. It brings us to the reality that we used these systems for all parts of -- not only our lives but also our businesses and our governments and our infrastructures. And it brings that reality to light.
KWONAnd, you know, before, we were always more discussing the fact that we had to be defensive, that people would be attacking us, and we never talked about the other side of the coin. So now we're now talking about that, and we're talking about the whole open field. That leads us to being able to address the policy. It leads us to talking about this from a state department view, from an -- a national level, whereas before, we couldn't have those negotiations and those discussions and those policies talks because it wasn't out in the open. So it changes the game.
REHMAnd, Jim Lewis, it changes the game so much so that we now realize we, the United States, live in a glass house. What we can do to others, others could certainly do to us.
LEWISYeah. We're probably totally unprepared for an attack like this, and there's been relatively little progress in thinking about how the U.S. could defend itself. We've been working on offensive cyber capabilities for more than a decade in the Department of Defense. But the news of that hasn't gotten out, and I think people -- this is where Bob's series is so useful. People just don't realize that behind the scenes, there's this new kind of vulnerability that really puts a lot of things at risk.
REHMRobert, how vulnerable are we at this point? And explain why.
O'HARROWWell, I think the way to think about it is to think about this phrase cyberspace which everybody can say now -- cyber, cyberspace. We all know that. What people don't recognize is the nature of cyberspace. It is the most dynamic man-made thing ever created. We have more than 2 billion people. We have something like 15 -- 12 to 15 billion devices, and all of those things are interacting online in a way that the nation's top scientist told the Pentagon a year-and-a-half ago that -- these are the top scientists in a group called JASON.
O'HARROWThey said that the activity in cyberspace, in many cases, can't even be explained, it's so complex. And in those gaps -- it's all built, by the way, on computer code, which is the simplest thing on Earth in some ways, ones and zeros. And that's like, in a way, a loose analogy. It's like a genetic code, and you order those ones and zeroes to do all these wonderful things. So now we have cyberspace. That includes the iPhone and Droid phones. It includes cars with GPS. It includes the Internet, but the Internet is only a part of it.
O'HARROWJetfighters, satellite systems, Wi-Fi that people take for granted at their coffee shops, it's all connected. And it's all filled with vulnerabilities that clever, determined and, in some cases, malevolent hackers can take advantage of. And once they take advantage of it, they're not just stopping things. They're embedding in systems and waiting for moments to steal information, to shut systems down.
O'HARROWAnd that includes, by the way, what are known as industrial control systems, that include -- or computer control systems that run heating and air conditioning, cameras. It runs access control in buildings. And is the sky falling? No, because the same code has created a miraculous technology revolution. But we have to face up to the particularity of the vulnerabilities which are everywhere.
REHMMischel, explain Flame and Stuxnet and the differences between the two.
KWONWell, on a very elementary level, the difference between the two is one was particularly targeted towards a particular Siemens system. Flame is actually a very complex toolkit. And the toolkit is larger, and it's a little bit more sophisticated in that it downloads a base kit and then can reach back to a command and control server to get more modules so that it become -- can become more complex.
KWONSo, in that way, it has a sophistication about it and the ability to be a very comprehensive toolkit so that lots can be done. Data can be exfiltrated. Screens can be scraped. Microphones can be turned on so that it can listen. It can record activity on a instant messenger-type activity like Skype. So it's a very comprehensive tool that can be used for many different things.
REHMWhereas, Robert, I gather Stuxnet was a worm. And how is that worm different from what Mischel just described?
O'HARROWI found in talking with folks about this that it helps to use analogy, so I think it might help for people to think of this as almost like a robot. It's in a computer, but it goes off. It's sent off by the attackers, makes it way into a system.
REHMYou're talking about Stuxnet? Yeah.
O'HARROWStuxnet or Flame...
O'HARROW...or a lot of these codes.
O'HARROWThe point is it goes and establishes itself inside a computer system, almost just like software program, except the -- it's only the attackers that knows it's there. It cleans up around itself so the people who are looking for it, maybe in the system, can't find it's there. And as Mischel points out, it has all sorts of functionality like a robot, so it can say I want other tools.
O'HARROWI want -- I'm going to send you back screen shots. I'm going to take control over a particular system. So in a qualitative sense, there's really no difference between Flame and Stuxnet. The thing about Flame that was really important is that it's much, much, much more complicated and oriented towards intelligence.
REHMRobert O'Harrow, investigative reporter for The Washington Post's "Zero Day" series and author of "No Place to Hide." We do have links to the series on our website.
REHMAnd welcome back. We're talking about cyberwarfare and the instruments being developed for use in cyberspace. Robert O'Harrow is an investigative reporter for The Washington Post's "Zero Day" series. He's also the author of the book titled "No Place to Hide." Mischel Kwon is president of the security consulting firm that bears her name. She's former director of the U.S. Computer Emergency Readiness Team, US-CERT.
REHMAnd Jim Lewis is director of the Technology and Public Policy Program at the Center for Strategic and International Studies. We have a post on Facebook from Roberta, who says, "What worries me is a simple question. When does a cyber attack on our part or anyone else's become an active war? Is there a line somewhere?" Jim Lewis.
LEWISThis is a new stuff, in a way, and one of the things to remember is there's been discussions about that very question for about five years now among governments. All right? And the issue is really not when does it become an act of war. That's a political decision. The North Koreans steal a boat. Is that an act of war? Well, the answer is no. When does it become the use of force that under international law would justify a military response that would justify a war?
LEWISThat's the real question, and the answer depends on who you are. If you're the Americans and their allies, they say, cyber attack, and they've been saying this for about four years now. It's just like any other weapon. It fits neatly into the existing Rules of Armed Conflict that say there has to be physical damage, destruction, casualties. And if that doesn't occur, it's not the use of force. Russia and China say, no, there's a new dimension, information warfare, and information is a weapon.
LEWISI've asked some of them, does that mean if I dropped The New York Times on you. It's a weapon? And apparently the answer is yes, right? So we've got this split about how existing law applies, but that's the initial question. Is it the use of force? If it's the use of force, then governments get to decide, hey, do I want to declare this an act of war?
REHMBut how significant is it that both the U.S. and Israel -- with Israel that they were behind the Stuxnet attack? How important is that acknowledgement?
LEWISWell, I think it's good to put it in the political context, which is -- the alternative would be to bomb the Iranian facilities, right, and that's a lot riskier. You could have downed pilots. You could have casualties. You could have civilians who are hurt. If you had to choose between a cyber attack and an aerial attack, much less political consequence from the cyber attack.
REHMSo why do you think this information is coming out now?
LEWISWell, it is an election year, right? And in some ways, there is a benefit to being open about this. The first cyber attacks probably occurred in the late 1990s, during the conflict with Serbia, right? And many nations have this capability. What we haven't had is a good, robust discussion among the American public about how we should treat this weapon to what our doctrines are.
LEWISSome of the things that many of us have been saying for a while is, look, we can have an open discussion on nuclear weapons. Why can't we have an open discussion of cyber weapons? And it's been treated as this dark secret. This is where the articles are really great 'cause they throw a light onto something.
REHMExactly. Exactly. So, Robert, having done part of this series, which is now under publication, how vulnerable is the U.S. to a cyber attack?
O'HARROWWell, I think it's important to define what we mean by a cyber attack, and I view it rather broadly. And that means, for example, that when other countries, proxies or hackers, mercenaries, take millions and millions and millions of records, which is happening all the time now, from our universities, research facilities, and so on, I view that as a cyber attack. And the fact is we're remarkably vulnerable to that.
O'HARROWIn some cases, companies don't even know in, some cases forever and, you know, maybe a year, that information's even taken. And this can include plans, research on chemicals, on devices, on jet fighters, what have you. So this is what they refer to as intellectual property path. Not long ago in testimony, Gen. Alexander of Cyber Command used the phrase astounding to describe the amount of information that China has taken from U.S. corporations and the government.
REHMBut surely, Mischel, this must have been part of what you were interested in and actively at work on that is protecting the U.S. from this very kind of vulnerability.
KWONYes. And it's a complicated issue because the government doesn't have control over all of the systems in the United States. The majority of the systems in the United States are owned by private sector companies, including our critical infrastructure. And when we look at the problems that caused these vulnerabilities, a lot of it is not caring for these systems the way we should have, not budgeting the money to care for these systems.
KWONYes. Many of what we're talking about today include the use of what they call a zero day, a new vulnerability that was unknown to the general public without a patch, but they also come with attacks on vulnerabilities -- of known vulnerabilities that have been known for a very long time.
KWONAnd part of the problem that we have in protecting ourselves is being able to keep up with the flaws in the millions of lines of code -- the billions of lines code in these operating systems, in the software -- third party packages and even in custom-written code. So it's very complicated to repair and keep the lifecycle clean on these machines so that they are not vulnerable to the attacks.
O'HARROWI want to emphasize something that Mischel was pointing at, which is we're going to be entering a point in the next several years where there's going to be a debate about how do we treat people who are not making good code, how do we treat people who are behaving inappropriately. It could be individuals, corporations and so on.
O'HARROWAnd when you go down that path, you're suddenly in the realm of public health-type discussions where somebody might have to be quarantined or sanctioned if they don't follow what the country describes as, you know, the right way of behaving. Then you're into a whole array of civil liberties issues. You're into protection of information, privacy issues. These are going to be very, very difficult things to address.
O'HARROWAnd not doing nothing -- doing nothing is not an option, but it opens the possibility of going way too far including, how do you follow a cyber attack or a hacker who is hopping from public to private systems if you can't compare notes and to track that bad guy down? And that raises issues that right now there are limits on what the government could share with corporations and vice versa because of the need to protect the privacy of all the data that's being shared on the Internet.
KWONI'm really glad you brought that topic up because it's not just between public and private. It's also anyone sharing with anyone, private to private, government to government. This is a very complex issue, and it doesn't have to be about privacy because we can exchange data on the metadata level. We can exchange indicators. We can exchange information that will help each other find what's happening.
KWONMost companies, most entities do not even want to admit that something is happening because of the legal ramifications that they then do have of the liability that something might be disclosed, that the private -- personally identifiable information might be released or that there -- that the consequences of that cyber attack may, in some way, be a liability to that company.
KWONSo it's even more complex already in that -- because of the liability situation, companies don't want to talk about it at all -- makes it harder and very expensive to detect that a vulnerability has been exploited.
LEWISHey, this is Washington. Doing nothing is always an option, and, in fact, that's the likely outcome of the debate on cybersecurity in the Congress this year. So we'll remain vulnerable. A couple of points are worth bearing in mind. Other countries may not always do what the U.S. wants, so we could see progress in the rest of the world in how to treat consumers, how to treat private information. Government to government kind of cyber attack, which is the most dangerous, now that could change. But that is amendable to the kind of negotiation over arms and treaties that we're used to.
REHMWhere do you see the biggest threats originating?
LEWISRight now, it's Russia and China, and they have devoted millions of dollars. They have thousands of employees. You know, in this question of espionage, and getting back to the first question of, when does it become an act of war, we engage in espionage, too. So the last thing we want to do is say, hey, you need a forceful response because we would be as guilty as anyone when it comes to this.
O'HARROWI had a really interesting idea that came to me late in my homework, and it's this -- it's related to why do we have so many vulnerabilities. And the thought that I'm working with is this notion of cyber as a bubble.
O'HARROWAnd by that, I mean, for 30 years longer, the government, but, more importantly, the Corporate America has not paid the full cost of doing business, which is developing software, testing it, fuzzing it, not releasing things until they're ready, consumers taking advantage of all the wonderful things that have come with the development of the Internet and cyberspace and the spread of the World Wide Web, but doing it on the cheap.
O'HARROWIn other words, they expect all these things like the housing bubble, right? We get inexpensive housing, inexpensive loans. Everybody sees the looming threat, but it's not going to happen to me. And so now it -- I'm wondering if whether we're in sort of a bubble where we're going to have to sort of pay the piper, so to speak.
KWONWell, I think this comes back to the fundamental need to educate the public on what's happening. Part of the problem as a security professional is getting the executives to pay for the security for their new, fancy, lovely devices that they want immediately and at a low cost. And the reason that's so hard is because it's hard to convince them that, yes, this will happen to them. It is happening to them, that they will lose data, that that loss will affect their bottom line. Until we can get that education across to the general public, we will continue to fight the battle of security because security does cost money.
LEWISSo I have some friends, and we have a debate. When the Internet was first introduced and people began connecting their computers, let's call that a Model T in terms of technology. And the debate is where are we now? And most of us feel that we've made tremendous progress. We're at the model A. This is a new technology. It's very vulnerable. There's things we can do to reduce risk, but it's going to take a long time to get this to be safe.
REHMJim Lewis. He's director of Technology and Public Policy Program at the Center for Strategic and International Studies. And you're listening to "The Diane Rehm Show." We have a number of callers. We'll open the phones now, 800-433-8850. First to Wichita Falls, Texas, and to Kyle. Good morning to you.
KYLEGood morning, Diane Rehm and panel. I'm a Texas Army National Guard soldier and a computer operator. And I have to say in the National Guard, cyberwarfare, cyber attacks are probably one of the least concerns on our minds. We have to deal with other equipment issues before even get our computers even on the network in the first place.
KYLESo as for my vehicle, it's not even on the network. I get discs sent to me with the imagery and mapping stuff. So I'm never even concerned about a cyber attack. But I guess, listening to it now, maybe that's something I should consider more.
LEWISYeah. You are entering a world where you won't be getting it on disc anymore. In fact, you can see now the big competition among the advanced powers is how do I hack into the other guy's weapon systems? How do I reorder the code in those weapon systems so I can make them malfunction? And this is something to look forward to as you continue in your military career.
REHMBut, you know, Robert, you said we're way behind. What's the role of Congress in establishing cybersecurity?
O'HARROWWell, I'm not exactly sure. I view it a little bit differently. I feel that Congress, like the rest of informed citizens, first needs to understand the fundamentals.
O'HARROWWhen you understand the fundamentals, it becomes both more daunting, but at least more grounded. And then I would suspect that Congress has to place the proper weight on security while looking out for all the other interests that are so fundamentally important -- commerce, individual liberties and all of -- and those sorts of things.
REHMBut the Pentagon recently announced a cyber Plan X. What is it, and is that a step in the right direction?
O'HARROWI think it's wise for any institution to reach out to experts. And it just so happens that many of the best of the best innovative thinkers and so on happen to be hackers, white hat hackers. But reaching out to them, looking for innovative ideas, I mean, to really understand this stuff, you can't go to any one science. You need to look -- everything from biology to physics and agriculture, even -- to understand these patterns in order to have the insight into what's happening in cyberspace and then find ways to defend against attacks.
REHMBut the question becomes most of us are not involved in items that might be of interest to someone who wants to hack in. And still you're shaking your head.
O'HARROWWell, people need to realize once you accept a much broader definition of cyberspace, everyone needs to realize that an iPhone or a laptop computer can be used as a jumping-off place. It can be used as a hiding place for a bad guy.
REHMGive me an example of how, you know, ordinary John Doe...
O'HARROWA simple example is something -- very simple -- is something known as a botnet. And people have heard the phrase botnet. It's a -- a botnet is comprised of computers that have been infected by malware. Those computers work together in concert to do the bidding of the botnet operator.
O'HARROWThere can be millions of computers, regular people whose computers are infected, working in concert below their understanding or awareness, in order to do all sorts of things, such as everything from shutting down other computer systems by flooding it with traffic to spying, collective spying, and sending the information back to the operators. That's a simple example.
REHMRobert O'Harrow. His series is appearing in The Washington Post. It's titled "Zero Day." He's also author of the book titled "No Place To Hide." Short break. More of your calls when we come back. Stay with us.
REHMAnd we're back, talking about cybersecurity. Joining us now from St. Louis is Charlie Miller. He's a security consultant who worked as a global network exploitation analyst at the National Security Agency from 2000 to 2005. Robert O'Harrow describes him in The Washington Post as one of the best hackers in the world. Good morning to you, Charlie. Charlie, are you there? Charlie, do we have you? I'm sorry. I guess we have lost him. Let's go back to the phones to Chapel Hill, N.C. Good morning, John Paul. You're on the air.
JOHN PAULGood morning, Diane. The use of Stuxnet is a crime. The reason it's a crime is because it violates the provisions of the non-nuclear -- the Nuclear Non-Proliferation Treaty. The United States is not allowed to try to disrupt the lawful activities of the fellow member of the NPT.
REHMJim, do you want to comment on that?
LEWISWell, a lot of people would say that Iran has done a pretty good job of flouting the law, of not abiding by its own treaty commitments. And they're determined to build a nuclear weapon, putting aside all the other bad stuffs they do in the region, including attacking Americans there, so it's hard for me to get too excited about. Yes, Stuxnet is a crime under international law. But countries do this all the time, and Iran is certainly no more innocent than anyone.
REHMAll right. Here's an email from Gerald, who says, "On the Iranian channel Press TV, an official charged that Flame and Stuxnet could fatally infect the entire Internet with doomsday consequences, planes falling from the sky, et cetera." Is that true, Robert?
O'HARROWIf so, they have insight that we don't have. But Ralph Langner, a researcher from Germany who's done so much to help the understanding of Stuxnet, recently gave a presentation where he said that they actually built in code to limit the after effects. In other words, they'll neutralize the code after a certain amount of time. So it's my understanding that they've given whoever -- I guess the U.S. and Israel specifically thought of that ahead of time.
LEWISThat's a sign maybe that the Americans were involved because do you know any other country that has so many lawyers involved in designing something like this? International law and the respect for avoiding collateral damage was just part of what it's done. The Internet is also very robust. It will be hard to take it down. So that's not one of the things I worry about no matter what the Iran insight.
REHMAll right. I think we now have Charlie Miller. Are you there, sir? Well, I'm afraid we're going to have to let that one go. I want to apologize to our listeners. Let's go to Syracuse, N.Y. Good morning, John.
JOHNHey, how are you doing?
JOHNIf you could comment on, you know, Deep Web and Tor network and how hackers sell their services, you know, through that.
LEWISWhat you see are some technologies that try to make it easier for people to hide their tracks, like Tor. In the long run, though, and the long run is maybe five to 10 years, attribution isn't going to be that big a problem. It's going to be harder and harder to hide. Hackers selling their services, that's something I worry about because what we're seeing is some people with real skills out there.
LEWISThat's one of the good parts of the article. So far, they haven't done too much to sell their services maybe outside of, you know, robbing banks. But when they sell their services to bring down infrastructure, then we're going to have to worry. So that's actually the thing I track the most now is the black market in cyber attack.
REHMBlack market in cyber attack. Wow. To Birmingham, Ala. Good morning, Terry.
TERRYGood morning. I am an IT tech. I've been an owner of a company for 25 years here in Alabama. And I see a lot of the blame for the insecurity of our systems belonging directly, in my opinion, on the shoulders of the operating system developers like Microsoft. They've had longstanding fundamental problems with security, and they have no incentive to fix it. When you install their operating system, you essentially sign away the right to sue them for any reason. So they're pretty bulletproof.
TERRYAs an example, one of their systems uses remote desktop connection, and I see, daily, thousands of attempts to get at client networks. And every single IP address that I check on traces back to China. I think we need to put a lot more pressure on Microsoft and Apple and other operating system developers to make their system more secure and to not -- to change the law so that they can be sued if they mess up our systems for lack of security.
KWONWell, I think that's a really good point, that we need to take more care in the way we develop our systems and take care of our systems, but I think we also have to make sure that we have new technologies on the horizons. We need to look to some new ways of doing this because, obviously, something we're doing is not working.
REHMAnd on that very point, Leigh (sp?) in Allen, Texas says, "If we want to remain on top of cybersecurity, we need to bring our math and science students up to number one instead of the 17 we scored recently." Jim.
LEWISIt's a problem for the U.S. that we're losing our technological edge. Still ahead of other countries, still have the strongest IT community in the world, but, you know, every year, we don't invest in science and math is a year we lose a little bit of that edge. So it is something to watch. This goes beyond cyber to the larger -- how do you educate Americans to know about science and math?
KWONAnd it's more than science and math. It's also the human sciences because a lot of the way systems are attacked today are not just technologically but also insider threat and the human type of attack. But it is important that we continue to bring back our computer science programs that we've lost over the past 10 years and bring back those scholars that are studying in this area.
O'HARROWOn the human factor here, I think it's worth pointing out that there's not a lot individuals can do in the grand scheme of things here, but they can use better passwords and be a little more rigorous about using different passwords. They cannot be foolish and open an email that says you've just won $1 million.
O'HARROWThere are all sorts of techniques called social engineering that hackers use as a short cut, and, unfortunately, it's lead to huge fundamentally important hacks that have stripped some companies' data systems bare of information. And so I think, collectively, one thing that we can do is just come up with better habits. It's not going to be a game changer, but it will help.
REHMTo a caller here in D.C. Good morning, Susana.
SUSANAGood morning, Diane. I -- it's an election year, and a number of states allow absentee voters to cast their ballots over the Internet via email. And other states are starting to deploy Internet voting pilots in live elections. And I'd like to know whether your guests think that putting our elections online via email or through Internet portal systems is a good idea, especially given the small IT security budgets of states and municipalities.
LEWISAnything that gets more people to vote would be good because we need more and more people to go to the polls. But I keep waiting for the day when someone will hack one of these online voting systems, and they could really have some fun. So that day is coming. They're not secured. You're right.
REHMDo you agree with that, Robert?
O'HARROWI don't have the technical background, but if you accept the general premise that anything driven by code is vulnerable to clever, determined hacker, the answer is I have to agree with Jim.
LEWISAnd to Dayton, Ohio. Good morning, Laura.
LAURAHi. I hope you guys are having a good morning. I was wondering if your guests could comment of kind of social activism to hackers like anonymous who'd probably be the most famous, but if you could just comment on that.
O'HARROWI'm really uncomfortable with so-called activists who pose anonymous. I sense a lot of disaffected people who want to make a splash and see if they'd make a splash. But I don't sense any real coherent message, and I worry that some people use -- in fact, I'm sure that some people use that blanket to wrap themselves up in as cover for a just nasty behavior. And the larger concern I have is that, because of certain tools that are available to such people, they can do a lot of damage even if they're not the quality of Charlie Miller in terms of understanding how computer systems work.
REHMHere's an interesting question from John in Dallas, and it's tied to another one. John says, "Doesn't it hurt the U.S. when investigative journalists break stories like this? I remember a few years back it was leaked the U.S. had secretly built companies in Iran in order to sell faulty parts used in their nuclear facility. It's interesting to read about and wonder what -- how we did it, but I would rather not know what we are doing so the enemy does not know either."
O'HARROWThe -- he's probably referring to the story about Stuxnet that a writer named Sanger did for The New York Times. That was clearly, I think anyway, something that was sanctioned by at the top -- highest level of the government. The Post's series "Zero Day" is sort of the opposite. We are trying to explain fundamentals at play so that we can all get on the same page.
LEWISThere is always a trade-off between operational and politics. And in this case, I think the trade-off favors opened this because we need to have a discussion of this, so we need to do more to make ourselves secure. The articles help drive that. Yeah, there's a little bit of loss, right, in terms of capability in Iran. The Iranians kind of already suspected us, so the loss is pretty minimal.
REHMHere is one following up. He says, "I believe we have opened another Pandora's Box as we did with the nuclear bomb and spaceway-based weapons. Nobody seems to have time to question the legality of the actions Mr. Obama has taken unilaterally. I think there are maybe a more cynical reason for making this information public simply to increase the defense budget. We will soon have a department of homeland cyberwarfare, and our privacy will be under further attack." Robert.
O'HARROWI think it's important to note that the Stuxnet offensive was started under President Bush. It isn't a Democrat-Republican thing. It's a tool. They chose to use it. People can debate whether that was the right thing to do. And as for Pandora's Boxes, a Pandora's Box is the gift that comes with any technology revolution. It's just the way it is. And, you know, I think we just need to remember, we need to pay the full cost of doing business.
REHMAnd you're listening to "The Diane Rehm Show." Jim, you wanted to add to that?
LEWISJust very quickly. It was a legal action under the authorities given to the president to do covert actions, totally legal. One thing to bear in mind, this sort of thing has been around for about 30 years. There are 35 countries now developing cyber attack capabilities, so Pandora's Box is open.
LEWISBut there's no way we can close it.
REHMTo Fenton, Mich. Rick, good morning. You're on the air.
RICKGood morning, Diane. Thanks for giving me the opportunity.
RICKI've heard a couple of times since the doomsday scenarios, and my question is, given all of the money and all of the political resources we expend on preventing nuclear materials from getting into the wrong hands, are existing nuclear arsenals, ours and everybody else's, better protected against these kind of attacks than the rest of cyberspace? Or are they just as vulnerable?
KWONOh, that's not a question that I think I have the ability to answer, unfortunately.
LEWISThe short answer is we hope so. A lot of effort to make the weapons more secure. But one of the things that was interesting about Stuxnet is that Iranians used what was called an air gap, thought they were safe. It turns out they were wrong, right? So this is a big concern for every country for all of their weapons had somebody got inside and monkeyed around with the code.
REHMNow, here's something from Eloise. She says, "If your computer is connected to the Internet, you are connected even if your computer is turned off. Therefore, when I was offered the option of being connected wireless, although I have the capability in my home now, I opted to continue to connect via Ethernet. I disconnect from Ethernet when I am not using the computer sometimes when I'm only using Microsoft Word." Does that make a difference?
O'HARROWThat's a lot of moving parts. But I think if you unplug a computer and you don't...
O'HARROW...and you don't have Wi-Fi, which is what she seems to be suggesting when she's not using it, it is -- and it's off, it's not going to be vulnerable to attack unless it's the most sophisticated thing that I don't know about.
REHMSo this is a rolling ball gathering lots of new information as we go. Is that correct? Are we still at almost ground zero in terms of our full knowledge and understanding of what all of this entails? Jim.
LEWISApparently so because most people don't realize -- you know, everyone loves the Internet, and they want to be connected. And they go out, and they buy smartphones. And it took off in a way we didn't really expect when it was commercialized. People thought, oh, few million people, and now it's billions. And we love this technology and adopted it, even though it's insecure, and we're just discovering how vulnerable...
O'HARROWIn our project, we have a video, "Zero Day Project," and there is a senior scientist at MIT who said, in the 1980s, sure, we expected all the computers to be connected, all 10,000 of them. And so...
O'HARROW...it's -- the changes are pretty remarkable.
REHMRobert O'Harrow, you can read his series in The Washington Post. It's titled "Zero Day." There is a connection -- a link to it from our own website. Mischel Kwon, James Lewis, thank you all so much. And thanks for listening, all. I'm Diane Rehm.
Most Recent Shows
A panel of journalists joins Diane for analysis of the week's top national news stories.
Bioengineers are creating human body parts to replace organs and manage life-threatening diseases. How techniques like 3-D printing and stem cell research are driving medical advances and raising ethical questions
Cuba releases American contractor Alan Gross after five years' imprisonment on espionage charges. The U.S. releases several Cubans in exchange. Details on the prisoner swap and the future of U.S.-Cuban relations.