Cybersecurity

Transcript for: 
Cybersecurity

MS. DIANE REHM

10:06:56
Thanks for joining us. I'm Diane Rehm. U.S. financial institutions and Middle Eastern oil companies have recently been hit by cyber attacks suspected of originating in Iran. In a speech last week, Defense Secretary Leon Panetta said foreign cyber-actors are probing America's critical infrastructure networks.

MS. DIANE REHM

10:07:23
Here to discuss the growing threats on the Internet and the Pentagon's role in defending the nation in cyberspace: James Lewis of the Center for Strategic and International Studies, Thom Shanker of The New York Times, and Greg Nojeim from the Center for Democracy and Technology. Throughout the hour, we'll welcome your contributions. Call us on 800-433-8850. Send us your email to drshow@wamu.org. Follow us on Facebook or Twitter. Good morning, everybody. Thanks for being here.

MR. JAMES LEWIS

10:08:05
Good morning, Diane.

MR. THOM SHANKER

10:08:05
Good morning.

MR. GREG NOJEIM

10:08:06
Good morning.

REHM

10:08:07
Thom Shanker, I'll start with you. How real is the threat as Secretary of Defense Leon Panetta outlined it?

SHANKER

10:08:17
That's exactly right. There's been a lot of debate inside the government, Diane, about how much to talk about cyber, both offense and defense. And the decision was made to send the defense secretary out last Thursday night to deliver, really, a landmark address warning that this nation faces a cyber Pearl Harbor.

SHANKER

10:08:34
And he warned of something really on the scale of 9/11 where cyber attackers could take down critical infrastructure like power plants, hydroelectric. They could take down a transit system causing all kinds of problems. Now, of course, this was a warning. And they are trying to pass legislation that's now holed up in the Senate to increase the requirements for business to improve their cyber security.

SHANKER

10:09:01
But the challenge for the Pentagon is that 80 to 90 percent of the cyber defense capabilities reside within the Defense Department. But 80 to 90 percent of the targets, Diane, are in the private sector. So how do you get the Pentagon to a point where it can assist here in the homeland despite concerns about privacy, the Posse Comitatus rules that prohibit Department of Defense operating in the homeland? So these are the questions that they're wrestling with.

REHM

10:09:30
How much material was declassified to -- for Secretary of Defense Panetta to release this information?

SHANKER

10:09:41
That's a great question. There were a couple of very tantalizing new tidbits, some specifics about the attacks against the oil companies in the Persian Gulf. Secretary Panetta didn't say so. But as our colleague Jim Lewis here wrote so eloquently in an online essay, he laid out the dots, and it was up to others to connect them. So Secretary Panetta is certainly the first to go out there in this very aggressive way, warning of the risks to the United States from state actors, from patriots, from criminal groups. One group he didn't talk about was terrorists, but we can discuss that later, of course.

REHM

10:10:14
Thom Shanker of The New York Times. Jim Lewis, what is the Shamoon virus, and what did it do?

LEWIS

10:10:24
One of the things that was interesting in the secretary's remarks was that he called attention to something that didn't get a lot of public notice. But two of the big oil companies in the Gulf, Aramco and a company called RasGas, were both hit by a relatively sophisticated tool that erased data, that scrambled data. And in Aramco's case, we know it was 30,000 computers.

LEWIS

10:10:51
So for any business to lose all the data on 30,000 computers, this isn't the sophisticated kind of attacks that you could do, but it was sophisticated enough that people were surprised. And it did do some damage. It did do some disruption. So that's what it was.

REHM

10:11:07
And what do we know or suspect about Iran's involvement in all of this?

LEWIS

10:11:15
People suspect that Shamoon came from Iran. And there must be credible evidence for the secretary to say something as provocative as he did. I think it's fair to say that we know that these attacks came from Iran. We don't know who within Iran was responsible. But, you know, this is a country that spent a huge amount of effort to trying to figure out how to monitor its Internet to control it for domestic political purposes. And the idea that, you know, something could slip by them without their notice is hard to believe.

LEWIS

10:11:47
So the Iranian government was either waiting or supportive. We don't know. Most likely, it was some proxies, some hacker group set up by the state. But at this point, we don't have the data released.

REHM

10:12:02
Jim Lewis of the Center for Strategic and International Studies. Greg Nojeim, there are some who believe that, in fact, the U.S. may itself have opened the door to this kind of Internet hacking, this kind of virus upsetting all kinds of computer data by virtue of the use of the Stuxnet. Can you comment on that?

NOJEIM

10:12:37
Yes. So Stuxnet was a virus that went after very specific control systems for the centrifuges in Iran. And it's been widely reported that the U.S. and Israel were behind Stuxnet. So -- and I read this one article -- I think it was from The Atlantic -- about people in glass houses. Well, we're in a glass house. Maybe we threw a stone. We are more dependent on computers and the Internet than a lot of other societies are.

NOJEIM

10:13:15
I think what it all means is that we're in a new era. We're going to need to beef up our defenses. And we're going to need new rules to decide what is an attack that warrants a response and how do we bolster our own defenses while preserving privacy and civil liberties. These are very difficult.

REHM

10:13:38
All good questions. Greg Nojeim, he is with the Center for Democracy and Technology and director of its project on freedom security and technology. Thom Shanker, what about that? Did the U.S. sort of open the door with Stuxnet in conjunction with Israel to this whole effort at cyber warfare?

SHANKER

10:14:10
I think it's a very fair argument, and I think it's interesting to note that, you know, a shadow war of attack and counter-attack is clearly under way today, Diane. We are at the threshold of a new era of warfare. In many ways, cyber today is where the atomic race was in the 1950s. We're creating new weapons of vast power, but the rules and regulations haven't caught up with the technology. The thinking on deterrence and improper response have not caught up with the technology, so I think we are at a very important but very vulnerable period in American history.

REHM

10:14:43
And, Jim, there are an awful lot of people wondering whether if all this did originate in Iran, whether it's in response to the sanctions that the U.S. and other countries are now placing on Iran.

LEWIS

10:15:02
That's what's generally believed, is that this wasn't triggered by Stuxnet. These kind of offensive operations have been going on for more than a decade. And the fact that they're just becoming public is interesting, but this isn't a new chapter in warfare. If it was a new chapter, it was a new chapter in the Clinton administration. And when the information that is made public is available, it looks like the Iranians are trying to show, you're not the only ones who can monkey with financial systems. We have a new tool, and we can do it as well. So...

REHM

10:15:35
But we're not just talking about financial systems. We're talking about chemical systems, electricity and water plants, guide transportation networks. Greg.

NOJEIM

10:15:49
The stakes are very high. The stakes are very high. We are dependent on the Internet and on computers for things that we take for granted. We take for granted that when you flip on the light switch, the lights will go on. Now, there's a threat to the lights going on, and nobody knows exactly where that threat's coming from. We don't know exactly how to deal with it. We do know that we've developed our own capabilities to threaten other countries in the same way that we feel threatened now. So I think we need some rules for the road before we get much further down the highway.

REHM

10:16:28
Thom Shanker, do we know of specific instances where intruders have gained access to these water systems or these transportation networks or electricity systems?

SHANKER

10:16:45
There have been a lot of probes, Diane. I mean, there are tens of thousands of probes every day. But the only cases that look like they actually got into a system -- there was a case in Russia not long ago. But here in the U.S., cyber hackers have not yet been able to shut down critical infrastructure.

REHM

10:17:01
Shut down. But?

SHANKER

10:17:03
They get inside systems all the time, but it's mostly to steal intellectual property. It's for profit. And that's why, even though Iran is suspected of being the actor in these recent attacks, actually, the more sophisticated threat comes from Russia and China. Again, whether it's state sponsored, whether it's criminal, whether it's patriot, most of the cyber intrusions are all about stealing ideas and technology for profit.

REHM

10:17:27
How much of that is the U.S. doing?

SHANKER

10:17:33
One would assume that our nation is involved in a lot of cyber probes as well all around the world. I want to make one point. It's interesting about -- Jim talked about now far back cyber goes. It's kind of a neat historic footnote that before the invasion of Iraq in 2003, the Bush administration had a program to shut down Saddam Hussein's financial networks. So before the invasion, they were going to prevent him from transferring money, paying his troops, buying arms.

SHANKER

10:17:58
But the decision was made not to go ahead with that for fear of the cascading effect in financial systems across the Middle East to Europe and elsewhere. But on Stuxnet, as been cited here, a decision was apparently made that the threat of Iran's nuclear program was sufficient to go ahead with a very powerful cyber offensive.

REHM

10:18:16
Jim.

LEWIS

10:18:17
What was the question again? I'm sorry.

REHM

10:18:19
Well, whether in fact the U.S. has not been involved in a good deal of this.

LEWIS

10:18:22
Oh, sure. One thing that's hard to persuade people of is that the U.S. doesn't do economic espionage. We don't steal IP for companies.

REHM

10:18:33
Jim Lewis, he is director and senior fellow of the technology and public policy program at the Center for Strategic and International Studies. I look forward to hearing your questions and comments.

REHM

10:20:04
And as we talk about cybersecurity and the warning from Secretary of Defense Leon Panetta last week that we could be on the verge of another kind of Pearl Harbor attack, here's an email from Nick, who is a licensed amateur radio operator, who says, "You should consider the fact that amateur radio communications are totally invulnerable to cyber attacks. This is because the communications are manually operated." Jim.

LEWIS

10:20:46
It's a good point, and one of the things to bear in mind is that big industrial countries are very resilient. It's hard to bring them down with a single attack. It's hard to do something that produces an immediate victory.

LEWIS

10:20:59
The problem, as I think both Greg and Tom have pointed out, is that, not only in the U.S. but now everywhere in the world, your bank, your gas station, your supermarket, your airline reservation, your credit card, everything depends on computers and the Internet. So we could continue to operate, sure, using things like amateur radio. But there would be critical services that could be knocked out.

REHM

10:21:23
What was the impact and what was the import of Secretary Panetta's making a speech before a business group?

SHANKER

10:21:35
Well, I think he was upping the ante. He was saying, we're worried about this. We need to act. Maybe one purpose was to shake loose the cybersecurity legislation that's pending in the Senate, that's been held up.

REHM

10:21:52
Tell me about that legislation, Thom Shanker.

SHANKER

10:21:55
Yeah, it's championed by Sen. Lieberman among others, and it would've required the nation's large businesses to improve their cyber defenses, and there would've been government oversight and actually penalties. And it's interesting that Mr. Lieberman's longtime battle buddy, Mr. McCain, was the one who opposed it. The next version was quite watered down, Diane. It made all of these cyber defenses voluntary only.

SHANKER

10:22:24
But, even so, the business community mounted a campaign to say it would impose onerous expenses on them. And so the legislation has not moved forward at all.

REHM

10:22:33
And do you expect it to do so in light of his comments?

SHANKER

10:22:38
Well, I think Secretary Panetta, who, you know, obviously has been in Congress, worked in the White House. He's both the national security leader, but he has a smart ear for politics. So I think his speech was completely accurate. He didn't make up anything. But I think a second agenda was not only to be like Paul Revere, riding through the countryside saying, the electrons are coming. The electrons are coming, but it was also to get people aware that this legislation is one of the Obama administration's priorities.

REHM

10:23:05
Why would the Department of Defense have priority in cybersecurity, Jim?

LEWIS

10:23:13
The things that we're talking about doing in secretary's speech are things that only the Department of Defense could do. It requires the ability to engage in -- you could call cyber espionage, and only NSA can do that. And it requires the ability launch attacks. And while DOD isn't the only place that can launch attacks, it is the primary place. So this was an effort to take the capabilities we've assembled in cyber command and turn them to a defensive purpose.

REHM

10:23:43
All right. We've got a caller waiting in Catonsville, Md. Let's go to Isa. (sp?) Good morning. You're on the air.

ISA

10:23:53
Yes. Good morning. I wanted to first say that the context or the timing of Panetta's speech was kind of a carrot to the Republicans that like to build up fear and fear-mongering so they would win the elections. They didn't have bin Laden to make them another video, so they did this with Panetta. They --- the issue of viruses is almost -- it's a -- these are war crimes. You're creating another or attempted to create another Chernobyl in Iran.

ISA

10:24:26
And that would've killed millions of people had they not, you know, taken control of Stuxnet, and Flame was supposed to do the same in another treatment plant -- in another processing plant. So these are crimes against humanity that you're attempting to do, and you're watering them down by saying you threw a stone. These are war crimes.

REHM

10:24:49
Jim.

LEWIS

10:24:50
Well, the Republicans were the ones who stood in the way of the legislation. The Republicans through a strange blend of ideology and business interests were the ones who prevented us from getting legislation passed. So, you know, if I was going to point the -- you can have criticism on all sides. Everybody's worried about DHS. But I wouldn't say the Republicans showed tremendous leadership.

LEWIS

10:25:13
Stuxnet is interesting to me, and I was talking to some Chinese colleagues and they said, we knew it was you. I said, how come? And they said, because whoever wrote Stuxnet must have had a million lawyers in the room. Stuxnet was carefully designed to avoid collateral damage. It would not have created a Chernobyl. It was actually a pretty good kind of attack if you're worried about avoiding war crimes.

REHM

10:25:37
Greg.

NOJEIM

10:25:38
I want to go back to something that Jim said earlier about the role of the state when it comes to counterattacks in cyber. You know, one of the issues in the legislation was, to what extent can a company that is seeing an attack on its network that's affecting its users, to what extent can it block and to what extent can it take countermeasures against the attack? The ordinal draft of -- an original draft of this legislation would've given companies a lot of authority to just block any communication that they thought might be a bad communication.

NOJEIM

10:26:16
And it ran up against principles of Net neutrality, now being litigated. That's an FCC rule making right now. But one of the big issues that we still haven't resolved, to my mind, is, to what extent can a company block communications? To what extent can it monitor looking for bad stuff and then block it?

REHM

10:26:42
Thom.

SHANKER

10:26:43
These are -- the central questions that Greg just laid are ones that the Pentagon is facing as well. Cyber defenses are fairly sophisticated, but the Pentagon is now arguing -- just like the Maginot Line, this great defense in Europe, couldn't block the Germans when they developed the maneuver warfare. So defense in cyberspace is not sufficient either, and Panetta's very interestingly redefined defense as something moving forward from our shores, moving forward.

SHANKER

10:27:09
He said that in defense of our cyber systems, we may have to attack the source of a pending attack. So he's really not talking about offense literally, but redefining defense in a preventive way. And again, the laws of war have not kept up with that.

REHM

10:27:23
Here's an email from Tom, who says he has two main questions: "Assuming the Internet security is only as robust as its weakest link, how is it that the U.S. government, which has a major stake in preventing cyber intrusion into its vital networks, is not making the best security tools freely available to all Internet users? Why is anti-virus, anti-malware software treated as just another commodity like pork bellies, where the peasants can get a free version and those with financial means can enjoy heightened security?" Jim.

LEWIS

10:28:15
Well, the peasants can actually do pretty well. I use a lot of the free stuff. You have to think about it a little bit. You have to combine it. It's a good question, though. The German government, for example, now makes tools available for free to its citizens. And they buy them, of course, from the big vendors -- Symantec, McAfee -- and make them available to German citizens. And that might be something we want to look at, is how do you get this out? I would say, though, you know, a consumer-level defense is not going to keep you safe. Nice for consumers, useful, but it's not enough.

REHM

10:28:51
So you're saying there really aren't any 100 percent protections for consumers?

LEWIS

10:29:00
The thing that protects consumers is they're really not that interesting a target, right? And so if you're talking about protecting yourself from the Chinese or the Russians or maybe the Iranians, there's nothing most consumers can do.

REHM

10:29:12
But back on the home front, what's the likelihood that maybe the Department of Defense would begin to monitor personal email, communications among U.S. citizens, Greg?

NOJEIM

10:29:26
So that was one of the things that we were most concerned about as the legislation started to progress. Now, you're not going to get monitoring through the front door. I don't think that's in the cards right now, where the government looks through all the communications that are coming into or leaving the United States.

NOJEIM

10:29:45
You might get monitoring through the backdoor, where the companies that serve us as Internet service providers, they provide the backbone for the Internet communications. They -- if they liberally share the information that they receive, then -- and they share it with the government -- then do we have the same monitoring through the backdoor?

NOJEIM

10:30:09
What we have tried to do with this legislation to prevent that kind of thing is to make it so that the first share -- I call it the first share -- from the communication service provider to the government has to go to a civilian agency. And the first share has to be carefully defined so that all we're sharing is the information that really needs to be shared and not unrelated personally identifiable information.

REHM

10:30:37
Here's the second part of Tom's email. He says, "Cyberwar is different from other forms of war in one very important way: The weapon is given to the enemy in a form from which they can learn from it and possibly re-engineer it to use against its enemies. Does the U.S. ensure that prior to deployment of such a weapon, its systems are protected from such a threat?" Tom Shanker.

SHANKER

10:31:14
Well, that's absolutely a fair point. Once you put a virus inside the computer network of an adversary or anyone, if they're clever enough they can come back and re-engineer it. And there are such defenses put in place, but a lot of the stuff is already out there. And, again, most of the cyber attacks under way today, so far, thank goodness, are commercial -- again, theft of intellectual property and all that.

SHANKER

10:31:36
And you can go on any number of websites -- I wouldn't recommend it -- and you can download the sort of malware and phishing software and all that. So the genie is already out of the bottle, Diane.

REHM

10:31:47
So how are current corporations, how are they protecting themselves now, Jim?

LEWIS

10:31:56
One of the problems is that some corporations do a good job, others do not, and we don't really have a good idea of who's doing what. I've talked to some major oil companies, for example, and they have fabulous defenses in place. And I said to them, this is amazing. Why did you do this? And, of course, the answer was they had been hacked. They had lost a lot of valuable exploratory data. People usually learn after the fact, and that appears to be the path we're on as a nation. We'll have to be hit over the head to do something.

REHM

10:32:25
Jim Lewis is director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies. Tom Shanker is with The New York Times. He covers the Pentagon, the military and national security. Greg Nojeim is with the Center for Democracy & Technology. And you're listening to "The Diane Rehm Show." We're going to go back to the phones, 800-433-8850, to Cleveland, Ohio. Good morning, Jim. You're on the air.

JIM

10:33:12
...taking the call. I want to remind everyone that this is not a new issue. Hacking has been going on for a very long time, and people are now just getting, you know, the idea that it's a brand-new threat. And it's really not. The other issue is that I think that a lot of businesses are being attacked because they're using outdated software, outdated operating systems.

JIM

10:33:41
A lot of businesses refuse to update their operating systems because it's expensive, and they put it off and put it off, so that makes them even more vulnerable the older the software and the older the operating systems. I'd like a comment on that. And, also, what do your guests think is the issue with cloud computing? Is it something that makes us more vulnerable or less vulnerable?

REHM

10:34:17
All right. Jim.

LEWIS

10:34:19
It's a good point. This has been going on for a long time. The stakes have gotten a little higher. When this started, of course, you could use Cap'n Crunch whistle, plastic whistle out of the breakfast cereal, to hack, and that's kind of phreaking, it was called. That's gone. Too bad. I kind of miss it. You know, there are some simple measures that you can use to reduce threat, and NSA has helped develop them, working with NIST, basic things, exactly as the caller pointed out.

LEWIS

10:34:47
If you're still using Windows 98, there's no way you can be safe. But a lot of companies are doing that. Finally, on cloud, the answer is it depends. If your service provider pays a lot of attention to security, you're going to be better off. If they don't, you're going to be worse off. And so a lot of it, with cloud, is having to look closely at your contract, but, you know, in general, keep your software updated, do these basic things, and you'll be safer.

REHM

10:35:13
And, of course, on -- that's on the personal level. But, Tom Shanker, what actions, what cyber actions would constitute an act of war?

SHANKER

10:35:27
Diane, that's such a terrific question. The defense secretary, in his speech on Thursday, said that the Defense Department is now drawing up REs, rules of engagement, to define exactly that. There was a background briefing for reporters covering cyber. In the speech afterwards, we asked senior defense officials, Diane, your exact question. And, of course, they're not going to tell us 'cause they want to keep an adversary waiting or sort of wondering that it would be a cyber attack on the level that one could say this is proportional to a good old-fashioned kinetic attack. And then that would then draw in...

REHM

10:36:00
Define that.

SHANKER

10:36:01
Well, you know, a missile attack, you know, tanks rolling across the border. The level of destruction, the potential loss of life would have to be something sort of like the Supreme Court and pornography: I can't define it, but I know it when I see it.

REHM

10:36:15
But give me a potential example. Are we talking about taking out, for example, the electric grid across the country?

SHANKER

10:36:23
Not even across the country, Diane. I think that if the power were taken down across a major metropolitan area -- affecting hospitals, emergency rooms, traffic lights, subways, if subways were stuck underground -- something of that level would probably approach the still-secret levels in which the Defense Department's defenses and offense would be drawn in rather than leaving it, as current law has, up to the Department of Homeland Security, the FBI and others.

REHM

10:36:49
Greg Nojeim, how would you respond to that?

NOJEIM

10:36:53
I don't know that I have a good trigger about what action is actionable in terms of a counterattack. I do have a question, though. Often we don't know who the source of the attack was. We don't know if it was a state. We don't know if it was an uncontrolled local actor. We don't know if it was a local actor acting with the connivance of the state. In that world where you just don't know, do you pull the trigger?

REHM

10:37:28
And that's a question that our guests will continue to explore after a short break. Greg Nojeim is with the Center for Democracy &Technology. Short break and right back.

REHM

10:40:03
And just before the break, you, Greg Nojeim, posed the question of, how do we know where that attack is coming from and what, if any, the response should be. Thom Shanker, you said Defense Secretary Panetta talked about that after the briefing.

SHANKER

10:40:29
That's exactly right, Diane. Greg's point is, in military terms, called attribution. If the Soviet's during the height of the Cold War were to have launched a missile to U.S., that vapor trail would've been a return address. We would've known for sure who was attacking us. That's much more difficult in cyber. These poisonous zeroes and ones are traveling at network speed. They're traveling across neutral territory. They may be housed in servers or computers that have been taken over.

SHANKER

10:40:55
So traditionally, it's been very difficult to identify the source of attack. Secretary Panetta in his speech on Thursday very interestingly didn't give the details but said the Department of Defense, the National Security Agency and CYBERCOM have made dramatic strides in perfecting tools of attribution that he said would give the government greater confidence in identifying the source of attack. Whether we believe them or not, up to the experts.

REHM

10:41:20
Greg?

NOJEIM

10:41:22
I don't have any material inside information about what it is that we can and can't do in terms of attribution. I do know that it has been an issue that has made it so that the administration is less prone to respond to an attack with an attack. And, you know, if we do know attribution to a high degree of certainty, I think that takes away a lot of uncertainty and that it could be a game changer.

REHM

10:41:55
Here's an email from John, who says, "It would've been appropriate to have some IT professionals who've expressed grave concerns about the legislation in question. Apparently, government agencies would be empowered to shut down a website by administrative order without any judicial involvement, and it's unclear how a wrongly accused Web-based business would seek recourse.

REHM

10:42:30
"There are concerns that once the government has that power, its exercise won't be limited to national security issues but will extend to copyright violations, and the power to decide what constitute such will be in the hands of those commercial interest with lots of money and lots of copyrights." Greg.

NOJEIM

10:42:56
This is the countermeasures issue that I was talking about earlier. So there are these command and control website, if you will, for botnets. And a botnet is an automated attack on another website. And so the companies that provide communication services, they can often tell that this is a botnet command and control place and we need to close it down. And a lot of them do that.

NOJEIM

10:43:26
There are cases, though, where there have been other activities, like seizing a domain name, where the government has done that or it's been done civilly through a court procedure where there's been collateral damage, where people who had nothing to do with anything wrong, their websites then became inaccessible to other people. So we have to sort this out. I think there is a legitimate problem. There's a legitimate role for companies to play in cybersecurity.

NOJEIM

10:44:03
A lot of them -- remember, a lot of these companies, if they weren't doing cybersecurity today, the AT&Ts, the Verizons of the world, we'd be really bad off. They do it a lot. They do it well. And one of the questions that the legislation raised early on was whether the government should be telling them how to do it better when the government's own record in protecting its own networks was not so great.

REHM

10:44:31
Thom Shanker.

SHANKER

10:44:32
Well, these are absolutely valid points, and that's why, again, we talk about the technology advances have not kept up either with the intellectual analysis and certainly not with the laws, and that's what's happening in Congress right now.

REHM

10:44:44
Jim, you're shaking your head.

LEWIS

10:44:46
These are invalid points. This is lobbying. The companies do a terrible job. If they did such a swell job, we wouldn't see them getting whacked all the time, including AT&T. The government, particularly in DOD, has really improved its performance, and the legislation is being mischaracterized here. It was not -- you're thinking of SOPA, which was the Protect Mickey Mouse Act, right?

LEWIS

10:45:08
The cybersecurity legislation would've required critical infrastructure to meet minimum security standards, and even that was too much for the business community.

REHM

10:45:17
All right. To Rochester, N.Y. Good morning, Mike.

MIKE

10:45:22
Hi. Good morning. What a wonderful program. Thank you for having us.

REHM

10:45:27
Good.

MIKE

10:45:28
Now, a little bit ago, one of your panelists mentioned that in Germany, the German phone company that, I believe, runs the Internet servers there is providing anti-virus software to its clients. What a great idea. They're getting the best that you can get and making certain it's installed in their client's computer. That's wonderful. And we're thinking maybe we should do that here.

REHM

10:45:59
Jim.

LEWIS

10:46:00
Yeah, it's a good point. Lots of countries are moving in this direction. It doesn't fix the whole problem. It doesn't deal with the high-end threats of the kind we've been talking about. But the German Ministry of Interior, which is more like our Justice Department, decided they needed to do something, they had worked with the service providers, and they provide the tools.

REHM

10:46:21
To Scott in Chapel Hill, N.C., hi there. You're on the air. Scott, are you there? I guess not. Let's go to Reno, Nev. Ryan, good morning.

RYAN

10:46:38
Hey, how are you doing?

REHM

10:46:39
I'm good. Thanks.

RYAN

10:46:41
Good. Just wondering, to what extent -- if the government is to help out corporations and our nation as a whole with cybersecurity, to what extent do we have to give up some privacy there? Because you look at in 2003 after the NSA implemented encryption and decryption devices right at the heart of the Internet, you look at cases like that where we're trying to do a good thing, but, in turn, we may be giving up some significant privacy there.

REHM

10:47:15
Tom.

SHANKER

10:47:15
That's a very valid concern. Obviously, The New York Times was at the forefront of reporting about warrantless wiretaps and other very, very worrisome intrusions on our personal privacy. At the same time, this country has traditionally allowed the government to do things for which we surrender autonomy. The government builds highways. The government sets the speed limit.

SHANKER

10:47:34
You travel overseas. You expect your airlines to be -- to follow minimum safety rules set by international standards. When you come back, you know, almost like looking at emails, the customs agents open your suitcases if they want to, looking for contraband. So there -- it's a very, very important question. We have to get the balance right. But to say that we don't surrender our freedoms consciously every day in exchange for government services just doesn't -- isn't correct.

REHM

10:48:01
Greg.

NOJEIM

10:48:02
There's -- it's almost threading a needle here. We've got -- look, what has to happen is there needs to be some more information sharing among companies and between companies and the government. If I see something on my network -- it might be a threat to you on your network -- wouldn't it be great if I could share it? That's the issue here. So a lot of the civil liberties problems come up in the information sharing regime.

NOJEIM

10:48:29
So what did the legislation do on that? Originally, the legislation gave the government the authority to go in and take the data -- mandatory access to the Department of Homeland Security. That one didn't -- that idea didn't go very far. Now, we've got the legislations moved to the point where there's going to be -- there would be a new exception to the privacy laws, actually it's a new exception to all laws, to permit the flow of information from the companies to the government.

NOJEIM

10:49:03
And so most of the advocacy on the privacy side has been to kind of control that flow, to make it so that only the information that needs to flow does flow to the government, take out the irrelevant personally identifiable information and then put use restrictions on it when it does go to the government.

REHM

10:49:21
But Secretary Panetta said there is no substitute for comprehensive legislation, but we need to move as far as we can in the meantime. We have no choice because the threat we face is already here. The president has a constitutional responsibility to defend the country. Is an executive order in the works, Thom Shanker?

SHANKER

10:49:49
Executive order is under discussion, hasn't been finalized yet. The Pentagon's ROEs are being written. They're not done yet. Diane, this is very much a work in progress.

REHM

10:49:57
Thom Shanker of The New York Times, and you're listening to "The Diane Rehm Show." And let's take a call from Sandra in Easton, Conn. Good morning to you.

SANDRA

10:50:13
Good morning.

REHM

10:50:14
Go right ahead, please.

SANDRA

10:50:17
I keep wondering why no one ever mentions Estonia. They went under a pretty bad attack from, I think, Russia. They had computerized just about everything, you know, government.

REHM

10:50:34
Jim Lewis.

LEWIS

10:50:35
Good point. And Estonia was, in some ways, the first public notice of the use of the Internet as a tool of coercion. It was indeed the Russians. They did put immense political pressure on the Estonians. Some of the issues we've talked about came up in that attack. Was the thing that happened to Estonia an act of war? The Western governments, NATO decided it was not, but if it had continued for a longer period or if it in broader in scope, it would have been an act of war. And Estonia is, in some ways, the grand-daddy of all of the cyber conflicts we're talking about.

REHM

10:51:11
Interesting. And why did Estonia become sort of the center of it all?

LEWIS

10:51:19
They had been a part of the Soviet Union. And when the Soviet Union broke up, they thought it might be a good idea to move a large and rather unattractive statue of a Russian soldier that was in the center of town to the suburbs. And the Russians wanted to put a little pressure on the Estonians. They weren't happy, so they launched these denial-of-service attacks using proxies, using cyber criminals -- very sophisticated organizational approach.

LEWIS

10:51:46
It was an effort to press the Estonians, and they did feel very nervous. If the Russians are going to do a cyber attack first, how do we know they won't send the tanks next?

SHANKER

10:51:55
And act two of the same drama that Jim was discussing was before the Russian war with Georgia, another former Soviet republic. A couple of summers ago, all of the Georgian government computer networks were taken down, again, by a distributed denial-of-service attack. The people believed it was Russia. What the Georgians had to do, they had to off network their government services. I think it was to Ukraine who helped them out during the entire woe.

REHM

10:52:17
Interesting. Julius from Shepherdstown, W.Va., asks, "Why can't the military provide private businesses with the protection against cyber attacks for a fee? It would be a way for the private sector to financially support the military." Jim Lewis.

LEWIS

10:52:39
There are so many attacks that there just aren't enough of them. And I've had people -- senior people at NSA tell me they just can't be the fire department. It's -- there's just too much going on. So we need to think of layer defense. At the high end, the military can intervene against threats. At the low end, we can help consumers with these downloadable tools.

LEWIS

10:52:59
And in the middle -- and this is where we need the legislation or an executive order -- you need to hold at least critical infrastructure accountable to some minimal security standard. It's a big problem and the military is only part of the solution.

REHM

10:53:11
Greg.

NOJEIM

10:53:12
One other thing that the military and the NSA could do that hasn't done enough off yet is to share the classified attack signatures that it has. Now, the NSA will see things on its network and see things in military networks, develop a signature for them. And if it could share those or if it would share those more liberally, companies would be able to do a better job in defending their own networks. Right now, there are hold-ups to that, including that there aren't enough cleared people at the companies to receive that classified information.

REHM

10:53:47
All right. And last caller in Port Orange, Fla. Hi there, Lance. You're on the air.

LANCE

10:53:54
Hi. I just first want to say, you know, thank you for having me. This is really an amazing show. I wanted to, you know, just share with you that, you know, there already are companies in the U.S. that provide, you know, anti-virus and different tools for their users. You know, I'm not going to mention who they are, but I had something happen on my computer. I called up tech support on my ISP, and they pointed me to their website. And I downloaded a free version of McAfee. And it was very helpful. In fact, it came with a scripting tool that protected me against minimal, you know, website scripts.

REHM

10:54:41
But isn't that the issue that you don't know how far that protection can actually go? Here's an example from another email. "Please ask if the records of a person's personal financial holdings could be destroyed in a cyber attack? In other words, should I keep paper copies of my financial statements?" Jim Lewis.

LEWIS

10:55:14
Yeah, you should keep paper copies. We're at the point where it is possible to cause a lot of disruption. And on the first question you had, there's opponents, cyber criminals, you know, pretty amateurish, you can block them. But when you're talking about the Iranian Revolutionary Guard or the People's Liberation Army, only DOD can do things. And maybe they won't be able to block the attack that's coming in. Yeah, keep back-ups.

REHM

10:55:41
And here's the final question from Twitter. "Are we moving toward a world where Internet safety is just as or more important than real world, physical world safety?" What's your response, Thom?

SHANKER

10:56:01
Well, in less than 140 characters, yes.

REHM

10:56:05
And to you, Greg?

NOJEIM

10:56:07
I think the two are so interrelated now.

REHM

10:56:11
Really? And you, Jim?

LEWIS

10:56:12
One thing to bear in mind is that since 1998, there's been a set of negotiations underway among the leading powers in the world on how to make the Internet safer. And one of the problems with these negotiations is there's not a lot of public discussion, but this has become a central issue for international security, and maybe we'll make some progress.

REHM

10:56:34
Jim Lewis, Thom Shanker, Greg Nojeim, thank you all so much.

LEWIS

10:56:40
Always an honor, Diane. Thank you.

REHM

10:56:40
Thank you.

NOJEIM

10:56:41
Thank you.

REHM

10:56:41
And thanks for listening, all. I'm Diane Rehm.

ANNOUNCER

10:56:45
"The Diane Rehm Show" is produced by Sandra Pinkard, Nancy Robertson, Denise Couture, Susan Nabors, Rebecca Kaufman, Lisa Dunn and Megan Merritt. The engineer is Toby Schreiner. Natalie Yuravlivker answers the phones. Visit drshow.org for audio archives, transcripts, podcasts and CD sales. Call 202-885-1200 for more information. Our email address is drshow@wamu.org, and we're on Facebook and Twitter. This program is a production of WAMU 88.5 from American University in Washington, D.C. This is NPR.
Transcripts of WAMU programs are available for personal use. Transcripts are provided "As Is" without warranties of any kind, either express or implied. WAMU does not warrant that the transcript is error-free. For all WAMU programs, the broadcast audio should be considered the authoritative version. Transcripts are owned by WAMU 88.5 FM American University Radio and are protected by laws in both the United States and international law. You may not sell or modify transcripts or reproduce, display, distribute, or otherwise use the transcript, in whole or in part, in any way for any public or commercial purpose without the express written permission of WAMU. All requests for uses beyond personal and noncommercial use should be referred to (202) 885-1200.

Our address has changed!

The Diane Rehm Show is produced by member-supported WAMU 88.5 in Washington DC.