The author of the bestselling book "The Plantagenets" picks up the story of the English crown where his last book left off. It describes how the longest-reigning British royal family tore itself apart and was replaced by the Tudors.
In recent weeks, some large U.S. financial institutions were hit by ‘denial of service’ attacks on their websites. Two months ago, the Saudi Arabian state oil company ARAMCO and RasGas of Qatar were attacked by a computer “wiper” virus called “shamoon.” Crucial system files were replaced with an image of a burning U.S. flag. Real data on more than thirty thousand computers was overwritten with “garbage data,” rendering them useless. American intelligence officials increasingly suspect Iran was behind these attacks. Last week, Defense Secretary Leon Panetta called this a pre-nine-eleven moment for cyberdefense. James Lewis of the Center for Strategic and International Studies, Thom Shanker of the New York Times and Greg Nojeim of the Center for Democracy and Technology join Diane for a discussion of the growing threat of cyberwarfare.
- Greg Nojeim senior counsel and director of Project on Freedom, Security & Technology, Center for Democracy and Technology
- James Lewis director and senior fellow, Technology and Public Policy Program at the Center for Strategic and International Studies.
- Thom Shanker Pentagon correspondent for The New York Times and co-author of "Counterstrike: The Untold Story of America's Secret Campaign Against Al Qaeda."
MS. DIANE REHMThanks for joining us. I'm Diane Rehm. U.S. financial institutions and Middle Eastern oil companies have recently been hit by cyber attacks suspected of originating in Iran. In a speech last week, Defense Secretary Leon Panetta said foreign cyber-actors are probing America's critical infrastructure networks.
MS. DIANE REHMHere to discuss the growing threats on the Internet and the Pentagon's role in defending the nation in cyberspace: James Lewis of the Center for Strategic and International Studies, Thom Shanker of The New York Times, and Greg Nojeim from the Center for Democracy and Technology. Throughout the hour, we'll welcome your contributions. Call us on 800-433-8850. Send us your email to firstname.lastname@example.org. Follow us on Facebook or Twitter. Good morning, everybody. Thanks for being here.
MR. JAMES LEWISGood morning, Diane.
MR. THOM SHANKERGood morning.
MR. GREG NOJEIMGood morning.
REHMThom Shanker, I'll start with you. How real is the threat as Secretary of Defense Leon Panetta outlined it?
SHANKERThat's exactly right. There's been a lot of debate inside the government, Diane, about how much to talk about cyber, both offense and defense. And the decision was made to send the defense secretary out last Thursday night to deliver, really, a landmark address warning that this nation faces a cyber Pearl Harbor.
SHANKERAnd he warned of something really on the scale of 9/11 where cyber attackers could take down critical infrastructure like power plants, hydroelectric. They could take down a transit system causing all kinds of problems. Now, of course, this was a warning. And they are trying to pass legislation that's now holed up in the Senate to increase the requirements for business to improve their cyber security.
SHANKERBut the challenge for the Pentagon is that 80 to 90 percent of the cyber defense capabilities reside within the Defense Department. But 80 to 90 percent of the targets, Diane, are in the private sector. So how do you get the Pentagon to a point where it can assist here in the homeland despite concerns about privacy, the Posse Comitatus rules that prohibit Department of Defense operating in the homeland? So these are the questions that they're wrestling with.
REHMHow much material was declassified to -- for Secretary of Defense Panetta to release this information?
SHANKERThat's a great question. There were a couple of very tantalizing new tidbits, some specifics about the attacks against the oil companies in the Persian Gulf. Secretary Panetta didn't say so. But as our colleague Jim Lewis here wrote so eloquently in an online essay, he laid out the dots, and it was up to others to connect them. So Secretary Panetta is certainly the first to go out there in this very aggressive way, warning of the risks to the United States from state actors, from patriots, from criminal groups. One group he didn't talk about was terrorists, but we can discuss that later, of course.
REHMThom Shanker of The New York Times. Jim Lewis, what is the Shamoon virus, and what did it do?
LEWISOne of the things that was interesting in the secretary's remarks was that he called attention to something that didn't get a lot of public notice. But two of the big oil companies in the Gulf, Aramco and a company called RasGas, were both hit by a relatively sophisticated tool that erased data, that scrambled data. And in Aramco's case, we know it was 30,000 computers.
LEWISSo for any business to lose all the data on 30,000 computers, this isn't the sophisticated kind of attacks that you could do, but it was sophisticated enough that people were surprised. And it did do some damage. It did do some disruption. So that's what it was.
REHMAnd what do we know or suspect about Iran's involvement in all of this?
LEWISPeople suspect that Shamoon came from Iran. And there must be credible evidence for the secretary to say something as provocative as he did. I think it's fair to say that we know that these attacks came from Iran. We don't know who within Iran was responsible. But, you know, this is a country that spent a huge amount of effort to trying to figure out how to monitor its Internet to control it for domestic political purposes. And the idea that, you know, something could slip by them without their notice is hard to believe.
LEWISSo the Iranian government was either waiting or supportive. We don't know. Most likely, it was some proxies, some hacker group set up by the state. But at this point, we don't have the data released.
REHMJim Lewis of the Center for Strategic and International Studies. Greg Nojeim, there are some who believe that, in fact, the U.S. may itself have opened the door to this kind of Internet hacking, this kind of virus upsetting all kinds of computer data by virtue of the use of the Stuxnet. Can you comment on that?
NOJEIMYes. So Stuxnet was a virus that went after very specific control systems for the centrifuges in Iran. And it's been widely reported that the U.S. and Israel were behind Stuxnet. So -- and I read this one article -- I think it was from The Atlantic -- about people in glass houses. Well, we're in a glass house. Maybe we threw a stone. We are more dependent on computers and the Internet than a lot of other societies are.
NOJEIMI think what it all means is that we're in a new era. We're going to need to beef up our defenses. And we're going to need new rules to decide what is an attack that warrants a response and how do we bolster our own defenses while preserving privacy and civil liberties. These are very difficult.
REHMAll good questions. Greg Nojeim, he is with the Center for Democracy and Technology and director of its project on freedom security and technology. Thom Shanker, what about that? Did the U.S. sort of open the door with Stuxnet in conjunction with Israel to this whole effort at cyber warfare?
SHANKERI think it's a very fair argument, and I think it's interesting to note that, you know, a shadow war of attack and counter-attack is clearly under way today, Diane. We are at the threshold of a new era of warfare. In many ways, cyber today is where the atomic race was in the 1950s. We're creating new weapons of vast power, but the rules and regulations haven't caught up with the technology. The thinking on deterrence and improper response have not caught up with the technology, so I think we are at a very important but very vulnerable period in American history.
REHMAnd, Jim, there are an awful lot of people wondering whether if all this did originate in Iran, whether it's in response to the sanctions that the U.S. and other countries are now placing on Iran.
LEWISThat's what's generally believed, is that this wasn't triggered by Stuxnet. These kind of offensive operations have been going on for more than a decade. And the fact that they're just becoming public is interesting, but this isn't a new chapter in warfare. If it was a new chapter, it was a new chapter in the Clinton administration. And when the information that is made public is available, it looks like the Iranians are trying to show, you're not the only ones who can monkey with financial systems. We have a new tool, and we can do it as well. So...
REHMBut we're not just talking about financial systems. We're talking about chemical systems, electricity and water plants, guide transportation networks. Greg.
NOJEIMThe stakes are very high. The stakes are very high. We are dependent on the Internet and on computers for things that we take for granted. We take for granted that when you flip on the light switch, the lights will go on. Now, there's a threat to the lights going on, and nobody knows exactly where that threat's coming from. We don't know exactly how to deal with it. We do know that we've developed our own capabilities to threaten other countries in the same way that we feel threatened now. So I think we need some rules for the road before we get much further down the highway.
REHMThom Shanker, do we know of specific instances where intruders have gained access to these water systems or these transportation networks or electricity systems?
SHANKERThere have been a lot of probes, Diane. I mean, there are tens of thousands of probes every day. But the only cases that look like they actually got into a system -- there was a case in Russia not long ago. But here in the U.S., cyber hackers have not yet been able to shut down critical infrastructure.
REHMShut down. But?
SHANKERThey get inside systems all the time, but it's mostly to steal intellectual property. It's for profit. And that's why, even though Iran is suspected of being the actor in these recent attacks, actually, the more sophisticated threat comes from Russia and China. Again, whether it's state sponsored, whether it's criminal, whether it's patriot, most of the cyber intrusions are all about stealing ideas and technology for profit.
REHMHow much of that is the U.S. doing?
SHANKEROne would assume that our nation is involved in a lot of cyber probes as well all around the world. I want to make one point. It's interesting about -- Jim talked about now far back cyber goes. It's kind of a neat historic footnote that before the invasion of Iraq in 2003, the Bush administration had a program to shut down Saddam Hussein's financial networks. So before the invasion, they were going to prevent him from transferring money, paying his troops, buying arms.
SHANKERBut the decision was made not to go ahead with that for fear of the cascading effect in financial systems across the Middle East to Europe and elsewhere. But on Stuxnet, as been cited here, a decision was apparently made that the threat of Iran's nuclear program was sufficient to go ahead with a very powerful cyber offensive.
LEWISWhat was the question again? I'm sorry.
REHMWell, whether in fact the U.S. has not been involved in a good deal of this.
LEWISOh, sure. One thing that's hard to persuade people of is that the U.S. doesn't do economic espionage. We don't steal IP for companies.
REHMJim Lewis, he is director and senior fellow of the technology and public policy program at the Center for Strategic and International Studies. I look forward to hearing your questions and comments.
REHMAnd as we talk about cybersecurity and the warning from Secretary of Defense Leon Panetta last week that we could be on the verge of another kind of Pearl Harbor attack, here's an email from Nick, who is a licensed amateur radio operator, who says, "You should consider the fact that amateur radio communications are totally invulnerable to cyber attacks. This is because the communications are manually operated." Jim.
LEWISIt's a good point, and one of the things to bear in mind is that big industrial countries are very resilient. It's hard to bring them down with a single attack. It's hard to do something that produces an immediate victory.
LEWISThe problem, as I think both Greg and Tom have pointed out, is that, not only in the U.S. but now everywhere in the world, your bank, your gas station, your supermarket, your airline reservation, your credit card, everything depends on computers and the Internet. So we could continue to operate, sure, using things like amateur radio. But there would be critical services that could be knocked out.
REHMWhat was the impact and what was the import of Secretary Panetta's making a speech before a business group?
SHANKERWell, I think he was upping the ante. He was saying, we're worried about this. We need to act. Maybe one purpose was to shake loose the cybersecurity legislation that's pending in the Senate, that's been held up.
REHMTell me about that legislation, Thom Shanker.
SHANKERYeah, it's championed by Sen. Lieberman among others, and it would've required the nation's large businesses to improve their cyber defenses, and there would've been government oversight and actually penalties. And it's interesting that Mr. Lieberman's longtime battle buddy, Mr. McCain, was the one who opposed it. The next version was quite watered down, Diane. It made all of these cyber defenses voluntary only.
SHANKERBut, even so, the business community mounted a campaign to say it would impose onerous expenses on them. And so the legislation has not moved forward at all.
REHMAnd do you expect it to do so in light of his comments?
SHANKERWell, I think Secretary Panetta, who, you know, obviously has been in Congress, worked in the White House. He's both the national security leader, but he has a smart ear for politics. So I think his speech was completely accurate. He didn't make up anything. But I think a second agenda was not only to be like Paul Revere, riding through the countryside saying, the electrons are coming. The electrons are coming, but it was also to get people aware that this legislation is one of the Obama administration's priorities.
REHMWhy would the Department of Defense have priority in cybersecurity, Jim?
LEWISThe things that we're talking about doing in secretary's speech are things that only the Department of Defense could do. It requires the ability to engage in -- you could call cyber espionage, and only NSA can do that. And it requires the ability launch attacks. And while DOD isn't the only place that can launch attacks, it is the primary place. So this was an effort to take the capabilities we've assembled in cyber command and turn them to a defensive purpose.
REHMAll right. We've got a caller waiting in Catonsville, Md. Let's go to Isa. (sp?) Good morning. You're on the air.
ISAYes. Good morning. I wanted to first say that the context or the timing of Panetta's speech was kind of a carrot to the Republicans that like to build up fear and fear-mongering so they would win the elections. They didn't have bin Laden to make them another video, so they did this with Panetta. They --- the issue of viruses is almost -- it's a -- these are war crimes. You're creating another or attempted to create another Chernobyl in Iran.
ISAAnd that would've killed millions of people had they not, you know, taken control of Stuxnet, and Flame was supposed to do the same in another treatment plant -- in another processing plant. So these are crimes against humanity that you're attempting to do, and you're watering them down by saying you threw a stone. These are war crimes.
LEWISWell, the Republicans were the ones who stood in the way of the legislation. The Republicans through a strange blend of ideology and business interests were the ones who prevented us from getting legislation passed. So, you know, if I was going to point the -- you can have criticism on all sides. Everybody's worried about DHS. But I wouldn't say the Republicans showed tremendous leadership.
LEWISStuxnet is interesting to me, and I was talking to some Chinese colleagues and they said, we knew it was you. I said, how come? And they said, because whoever wrote Stuxnet must have had a million lawyers in the room. Stuxnet was carefully designed to avoid collateral damage. It would not have created a Chernobyl. It was actually a pretty good kind of attack if you're worried about avoiding war crimes.
NOJEIMI want to go back to something that Jim said earlier about the role of the state when it comes to counterattacks in cyber. You know, one of the issues in the legislation was, to what extent can a company that is seeing an attack on its network that's affecting its users, to what extent can it block and to what extent can it take countermeasures against the attack? The ordinal draft of -- an original draft of this legislation would've given companies a lot of authority to just block any communication that they thought might be a bad communication.
NOJEIMAnd it ran up against principles of Net neutrality, now being litigated. That's an FCC rule making right now. But one of the big issues that we still haven't resolved, to my mind, is, to what extent can a company block communications? To what extent can it monitor looking for bad stuff and then block it?
SHANKERThese are -- the central questions that Greg just laid are ones that the Pentagon is facing as well. Cyber defenses are fairly sophisticated, but the Pentagon is now arguing -- just like the Maginot Line, this great defense in Europe, couldn't block the Germans when they developed the maneuver warfare. So defense in cyberspace is not sufficient either, and Panetta's very interestingly redefined defense as something moving forward from our shores, moving forward.
SHANKERHe said that in defense of our cyber systems, we may have to attack the source of a pending attack. So he's really not talking about offense literally, but redefining defense in a preventive way. And again, the laws of war have not kept up with that.
REHMHere's an email from Tom, who says he has two main questions: "Assuming the Internet security is only as robust as its weakest link, how is it that the U.S. government, which has a major stake in preventing cyber intrusion into its vital networks, is not making the best security tools freely available to all Internet users? Why is anti-virus, anti-malware software treated as just another commodity like pork bellies, where the peasants can get a free version and those with financial means can enjoy heightened security?" Jim.
LEWISWell, the peasants can actually do pretty well. I use a lot of the free stuff. You have to think about it a little bit. You have to combine it. It's a good question, though. The German government, for example, now makes tools available for free to its citizens. And they buy them, of course, from the big vendors -- Symantec, McAfee -- and make them available to German citizens. And that might be something we want to look at, is how do you get this out? I would say, though, you know, a consumer-level defense is not going to keep you safe. Nice for consumers, useful, but it's not enough.
REHMSo you're saying there really aren't any 100 percent protections for consumers?
LEWISThe thing that protects consumers is they're really not that interesting a target, right? And so if you're talking about protecting yourself from the Chinese or the Russians or maybe the Iranians, there's nothing most consumers can do.
REHMBut back on the home front, what's the likelihood that maybe the Department of Defense would begin to monitor personal email, communications among U.S. citizens, Greg?
NOJEIMSo that was one of the things that we were most concerned about as the legislation started to progress. Now, you're not going to get monitoring through the front door. I don't think that's in the cards right now, where the government looks through all the communications that are coming into or leaving the United States.
NOJEIMYou might get monitoring through the backdoor, where the companies that serve us as Internet service providers, they provide the backbone for the Internet communications. They -- if they liberally share the information that they receive, then -- and they share it with the government -- then do we have the same monitoring through the backdoor?
NOJEIMWhat we have tried to do with this legislation to prevent that kind of thing is to make it so that the first share -- I call it the first share -- from the communication service provider to the government has to go to a civilian agency. And the first share has to be carefully defined so that all we're sharing is the information that really needs to be shared and not unrelated personally identifiable information.
REHMHere's the second part of Tom's email. He says, "Cyberwar is different from other forms of war in one very important way: The weapon is given to the enemy in a form from which they can learn from it and possibly re-engineer it to use against its enemies. Does the U.S. ensure that prior to deployment of such a weapon, its systems are protected from such a threat?" Tom Shanker.
SHANKERWell, that's absolutely a fair point. Once you put a virus inside the computer network of an adversary or anyone, if they're clever enough they can come back and re-engineer it. And there are such defenses put in place, but a lot of the stuff is already out there. And, again, most of the cyber attacks under way today, so far, thank goodness, are commercial -- again, theft of intellectual property and all that.
SHANKERAnd you can go on any number of websites -- I wouldn't recommend it -- and you can download the sort of malware and phishing software and all that. So the genie is already out of the bottle, Diane.
REHMSo how are current corporations, how are they protecting themselves now, Jim?
LEWISOne of the problems is that some corporations do a good job, others do not, and we don't really have a good idea of who's doing what. I've talked to some major oil companies, for example, and they have fabulous defenses in place. And I said to them, this is amazing. Why did you do this? And, of course, the answer was they had been hacked. They had lost a lot of valuable exploratory data. People usually learn after the fact, and that appears to be the path we're on as a nation. We'll have to be hit over the head to do something.
REHMJim Lewis is director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies. Tom Shanker is with The New York Times. He covers the Pentagon, the military and national security. Greg Nojeim is with the Center for Democracy & Technology. And you're listening to "The Diane Rehm Show." We're going to go back to the phones, 800-433-8850, to Cleveland, Ohio. Good morning, Jim. You're on the air.
JIM...taking the call. I want to remind everyone that this is not a new issue. Hacking has been going on for a very long time, and people are now just getting, you know, the idea that it's a brand-new threat. And it's really not. The other issue is that I think that a lot of businesses are being attacked because they're using outdated software, outdated operating systems.
JIMA lot of businesses refuse to update their operating systems because it's expensive, and they put it off and put it off, so that makes them even more vulnerable the older the software and the older the operating systems. I'd like a comment on that. And, also, what do your guests think is the issue with cloud computing? Is it something that makes us more vulnerable or less vulnerable?
REHMAll right. Jim.
LEWISIt's a good point. This has been going on for a long time. The stakes have gotten a little higher. When this started, of course, you could use Cap'n Crunch whistle, plastic whistle out of the breakfast cereal, to hack, and that's kind of phreaking, it was called. That's gone. Too bad. I kind of miss it. You know, there are some simple measures that you can use to reduce threat, and NSA has helped develop them, working with NIST, basic things, exactly as the caller pointed out.
LEWISIf you're still using Windows 98, there's no way you can be safe. But a lot of companies are doing that. Finally, on cloud, the answer is it depends. If your service provider pays a lot of attention to security, you're going to be better off. If they don't, you're going to be worse off. And so a lot of it, with cloud, is having to look closely at your contract, but, you know, in general, keep your software updated, do these basic things, and you'll be safer.
REHMAnd, of course, on -- that's on the personal level. But, Tom Shanker, what actions, what cyber actions would constitute an act of war?
SHANKERDiane, that's such a terrific question. The defense secretary, in his speech on Thursday, said that the Defense Department is now drawing up REs, rules of engagement, to define exactly that. There was a background briefing for reporters covering cyber. In the speech afterwards, we asked senior defense officials, Diane, your exact question. And, of course, they're not going to tell us 'cause they want to keep an adversary waiting or sort of wondering that it would be a cyber attack on the level that one could say this is proportional to a good old-fashioned kinetic attack. And then that would then draw in...
SHANKERWell, you know, a missile attack, you know, tanks rolling across the border. The level of destruction, the potential loss of life would have to be something sort of like the Supreme Court and pornography: I can't define it, but I know it when I see it.
REHMBut give me a potential example. Are we talking about taking out, for example, the electric grid across the country?
SHANKERNot even across the country, Diane. I think that if the power were taken down across a major metropolitan area -- affecting hospitals, emergency rooms, traffic lights, subways, if subways were stuck underground -- something of that level would probably approach the still-secret levels in which the Defense Department's defenses and offense would be drawn in rather than leaving it, as current law has, up to the Department of Homeland Security, the FBI and others.
REHMGreg Nojeim, how would you respond to that?
NOJEIMI don't know that I have a good trigger about what action is actionable in terms of a counterattack. I do have a question, though. Often we don't know who the source of the attack was. We don't know if it was a state. We don't know if it was an uncontrolled local actor. We don't know if it was a local actor acting with the connivance of the state. In that world where you just don't know, do you pull the trigger?
REHMAnd that's a question that our guests will continue to explore after a short break. Greg Nojeim is with the Center for Democracy &Technology. Short break and right back.
REHMAnd just before the break, you, Greg Nojeim, posed the question of, how do we know where that attack is coming from and what, if any, the response should be. Thom Shanker, you said Defense Secretary Panetta talked about that after the briefing.
SHANKERThat's exactly right, Diane. Greg's point is, in military terms, called attribution. If the Soviet's during the height of the Cold War were to have launched a missile to U.S., that vapor trail would've been a return address. We would've known for sure who was attacking us. That's much more difficult in cyber. These poisonous zeroes and ones are traveling at network speed. They're traveling across neutral territory. They may be housed in servers or computers that have been taken over.
SHANKERSo traditionally, it's been very difficult to identify the source of attack. Secretary Panetta in his speech on Thursday very interestingly didn't give the details but said the Department of Defense, the National Security Agency and CYBERCOM have made dramatic strides in perfecting tools of attribution that he said would give the government greater confidence in identifying the source of attack. Whether we believe them or not, up to the experts.
NOJEIMI don't have any material inside information about what it is that we can and can't do in terms of attribution. I do know that it has been an issue that has made it so that the administration is less prone to respond to an attack with an attack. And, you know, if we do know attribution to a high degree of certainty, I think that takes away a lot of uncertainty and that it could be a game changer.
REHMHere's an email from John, who says, "It would've been appropriate to have some IT professionals who've expressed grave concerns about the legislation in question. Apparently, government agencies would be empowered to shut down a website by administrative order without any judicial involvement, and it's unclear how a wrongly accused Web-based business would seek recourse.
REHM"There are concerns that once the government has that power, its exercise won't be limited to national security issues but will extend to copyright violations, and the power to decide what constitute such will be in the hands of those commercial interest with lots of money and lots of copyrights." Greg.
NOJEIMThis is the countermeasures issue that I was talking about earlier. So there are these command and control website, if you will, for botnets. And a botnet is an automated attack on another website. And so the companies that provide communication services, they can often tell that this is a botnet command and control place and we need to close it down. And a lot of them do that.
NOJEIMThere are cases, though, where there have been other activities, like seizing a domain name, where the government has done that or it's been done civilly through a court procedure where there's been collateral damage, where people who had nothing to do with anything wrong, their websites then became inaccessible to other people. So we have to sort this out. I think there is a legitimate problem. There's a legitimate role for companies to play in cybersecurity.
NOJEIMA lot of them -- remember, a lot of these companies, if they weren't doing cybersecurity today, the AT&Ts, the Verizons of the world, we'd be really bad off. They do it a lot. They do it well. And one of the questions that the legislation raised early on was whether the government should be telling them how to do it better when the government's own record in protecting its own networks was not so great.
SHANKERWell, these are absolutely valid points, and that's why, again, we talk about the technology advances have not kept up either with the intellectual analysis and certainly not with the laws, and that's what's happening in Congress right now.
REHMJim, you're shaking your head.
LEWISThese are invalid points. This is lobbying. The companies do a terrible job. If they did such a swell job, we wouldn't see them getting whacked all the time, including AT&T. The government, particularly in DOD, has really improved its performance, and the legislation is being mischaracterized here. It was not -- you're thinking of SOPA, which was the Protect Mickey Mouse Act, right?
LEWISThe cybersecurity legislation would've required critical infrastructure to meet minimum security standards, and even that was too much for the business community.
REHMAll right. To Rochester, N.Y. Good morning, Mike.
MIKEHi. Good morning. What a wonderful program. Thank you for having us.
MIKENow, a little bit ago, one of your panelists mentioned that in Germany, the German phone company that, I believe, runs the Internet servers there is providing anti-virus software to its clients. What a great idea. They're getting the best that you can get and making certain it's installed in their client's computer. That's wonderful. And we're thinking maybe we should do that here.
LEWISYeah, it's a good point. Lots of countries are moving in this direction. It doesn't fix the whole problem. It doesn't deal with the high-end threats of the kind we've been talking about. But the German Ministry of Interior, which is more like our Justice Department, decided they needed to do something, they had worked with the service providers, and they provide the tools.
REHMTo Scott in Chapel Hill, N.C., hi there. You're on the air. Scott, are you there? I guess not. Let's go to Reno, Nev. Ryan, good morning.
RYANHey, how are you doing?
REHMI'm good. Thanks.
RYANGood. Just wondering, to what extent -- if the government is to help out corporations and our nation as a whole with cybersecurity, to what extent do we have to give up some privacy there? Because you look at in 2003 after the NSA implemented encryption and decryption devices right at the heart of the Internet, you look at cases like that where we're trying to do a good thing, but, in turn, we may be giving up some significant privacy there.
SHANKERThat's a very valid concern. Obviously, The New York Times was at the forefront of reporting about warrantless wiretaps and other very, very worrisome intrusions on our personal privacy. At the same time, this country has traditionally allowed the government to do things for which we surrender autonomy. The government builds highways. The government sets the speed limit.
SHANKERYou travel overseas. You expect your airlines to be -- to follow minimum safety rules set by international standards. When you come back, you know, almost like looking at emails, the customs agents open your suitcases if they want to, looking for contraband. So there -- it's a very, very important question. We have to get the balance right. But to say that we don't surrender our freedoms consciously every day in exchange for government services just doesn't -- isn't correct.
NOJEIMThere's -- it's almost threading a needle here. We've got -- look, what has to happen is there needs to be some more information sharing among companies and between companies and the government. If I see something on my network -- it might be a threat to you on your network -- wouldn't it be great if I could share it? That's the issue here. So a lot of the civil liberties problems come up in the information sharing regime.
NOJEIMSo what did the legislation do on that? Originally, the legislation gave the government the authority to go in and take the data -- mandatory access to the Department of Homeland Security. That one didn't -- that idea didn't go very far. Now, we've got the legislations moved to the point where there's going to be -- there would be a new exception to the privacy laws, actually it's a new exception to all laws, to permit the flow of information from the companies to the government.
NOJEIMAnd so most of the advocacy on the privacy side has been to kind of control that flow, to make it so that only the information that needs to flow does flow to the government, take out the irrelevant personally identifiable information and then put use restrictions on it when it does go to the government.
REHMBut Secretary Panetta said there is no substitute for comprehensive legislation, but we need to move as far as we can in the meantime. We have no choice because the threat we face is already here. The president has a constitutional responsibility to defend the country. Is an executive order in the works, Thom Shanker?
SHANKERExecutive order is under discussion, hasn't been finalized yet. The Pentagon's ROEs are being written. They're not done yet. Diane, this is very much a work in progress.
REHMThom Shanker of The New York Times, and you're listening to "The Diane Rehm Show." And let's take a call from Sandra in Easton, Conn. Good morning to you.
REHMGo right ahead, please.
SANDRAI keep wondering why no one ever mentions Estonia. They went under a pretty bad attack from, I think, Russia. They had computerized just about everything, you know, government.
LEWISGood point. And Estonia was, in some ways, the first public notice of the use of the Internet as a tool of coercion. It was indeed the Russians. They did put immense political pressure on the Estonians. Some of the issues we've talked about came up in that attack. Was the thing that happened to Estonia an act of war? The Western governments, NATO decided it was not, but if it had continued for a longer period or if it in broader in scope, it would have been an act of war. And Estonia is, in some ways, the grand-daddy of all of the cyber conflicts we're talking about.
REHMInteresting. And why did Estonia become sort of the center of it all?
LEWISThey had been a part of the Soviet Union. And when the Soviet Union broke up, they thought it might be a good idea to move a large and rather unattractive statue of a Russian soldier that was in the center of town to the suburbs. And the Russians wanted to put a little pressure on the Estonians. They weren't happy, so they launched these denial-of-service attacks using proxies, using cyber criminals -- very sophisticated organizational approach.
LEWISIt was an effort to press the Estonians, and they did feel very nervous. If the Russians are going to do a cyber attack first, how do we know they won't send the tanks next?
SHANKERAnd act two of the same drama that Jim was discussing was before the Russian war with Georgia, another former Soviet republic. A couple of summers ago, all of the Georgian government computer networks were taken down, again, by a distributed denial-of-service attack. The people believed it was Russia. What the Georgians had to do, they had to off network their government services. I think it was to Ukraine who helped them out during the entire woe.
REHMInteresting. Julius from Shepherdstown, W.Va., asks, "Why can't the military provide private businesses with the protection against cyber attacks for a fee? It would be a way for the private sector to financially support the military." Jim Lewis.
LEWISThere are so many attacks that there just aren't enough of them. And I've had people -- senior people at NSA tell me they just can't be the fire department. It's -- there's just too much going on. So we need to think of layer defense. At the high end, the military can intervene against threats. At the low end, we can help consumers with these downloadable tools.
LEWISAnd in the middle -- and this is where we need the legislation or an executive order -- you need to hold at least critical infrastructure accountable to some minimal security standard. It's a big problem and the military is only part of the solution.
NOJEIMOne other thing that the military and the NSA could do that hasn't done enough off yet is to share the classified attack signatures that it has. Now, the NSA will see things on its network and see things in military networks, develop a signature for them. And if it could share those or if it would share those more liberally, companies would be able to do a better job in defending their own networks. Right now, there are hold-ups to that, including that there aren't enough cleared people at the companies to receive that classified information.
REHMAll right. And last caller in Port Orange, Fla. Hi there, Lance. You're on the air.
LANCEHi. I just first want to say, you know, thank you for having me. This is really an amazing show. I wanted to, you know, just share with you that, you know, there already are companies in the U.S. that provide, you know, anti-virus and different tools for their users. You know, I'm not going to mention who they are, but I had something happen on my computer. I called up tech support on my ISP, and they pointed me to their website. And I downloaded a free version of McAfee. And it was very helpful. In fact, it came with a scripting tool that protected me against minimal, you know, website scripts.
REHMBut isn't that the issue that you don't know how far that protection can actually go? Here's an example from another email. "Please ask if the records of a person's personal financial holdings could be destroyed in a cyber attack? In other words, should I keep paper copies of my financial statements?" Jim Lewis.
LEWISYeah, you should keep paper copies. We're at the point where it is possible to cause a lot of disruption. And on the first question you had, there's opponents, cyber criminals, you know, pretty amateurish, you can block them. But when you're talking about the Iranian Revolutionary Guard or the People's Liberation Army, only DOD can do things. And maybe they won't be able to block the attack that's coming in. Yeah, keep back-ups.
REHMAnd here's the final question from Twitter. "Are we moving toward a world where Internet safety is just as or more important than real world, physical world safety?" What's your response, Thom?
SHANKERWell, in less than 140 characters, yes.
REHMAnd to you, Greg?
NOJEIMI think the two are so interrelated now.
REHMReally? And you, Jim?
LEWISOne thing to bear in mind is that since 1998, there's been a set of negotiations underway among the leading powers in the world on how to make the Internet safer. And one of the problems with these negotiations is there's not a lot of public discussion, but this has become a central issue for international security, and maybe we'll make some progress.
REHMJim Lewis, Thom Shanker, Greg Nojeim, thank you all so much.
LEWISAlways an honor, Diane. Thank you.
REHMAnd thanks for listening, all. I'm Diane Rehm.
ANNOUNCER"The Diane Rehm Show" is produced by Sandra Pinkard, Nancy Robertson, Denise Couture, Susan Nabors, Rebecca Kaufman, Lisa Dunn and Megan Merritt. The engineer is Toby Schreiner. Natalie Yuravlivker answers the phones. Visit drshow.org for audio archives, transcripts, podcasts and CD sales. Call 202-885-1200 for more information. Our email address is email@example.com, and we're on Facebook and Twitter. This program is a production of WAMU 88.5 from American University in Washington, D.C. This is NPR.
Most Recent Shows
A new study says bike traffic deaths have spiked after years of decline. As cities adapt to growing numbers of cyclists, some say traffic laws should be more strictly enforced. A look at the debate over sharing the road with bikes.
For our October Readers’ Review: a novella that became an instant classic when it was written nearly two centuries ago. It is the ghostly tale of a lanky loner and a headless horseman. Some even call it the first American horror story. Join Diane and her guests for a discussion of “The Legend of Sleepy Hollow” by Washington Irving.
Campaign spending has reached new heights in some state judicial elections. Please join us to talk about the growing need to raise and spend money in judicial elections and how this spending may affect judicial integrity and public confidence.