For our November Readers' Review: “Dinner at the Homesick Restaurant” by Anne Tyler. As we prepare for holiday gatherings, join Diane and her guests to discuss this master work from the author who has made an art of exploring family love and dysfunction.
Until very recently, cyber espionage was only a concern of intelligence agencies and the military. But a new report warns U.S. infrastructure and businesses are broadly under attack in cyberspace. Experts say the biggest offender is China, whose cyber spies threaten competitiveness and national security. Recent targets include Google, Lockheed Martin and The New York Times. While Congress weighs legislative options, President Barack Obama plans to issue an executive order on cyber security tomorrow. But critics say new laws raise privacy concerns. Diane and guests discuss what to do about the growing threat of cyber-espionage.
- Richard Bejtlich chief security officer, Mandiant
- Ellen Nakashima national security reporter, The Washington Post
- Michael Leiter senior counselor at Palantir Technologies and former director of the National Counterterrorism Center
- Mischel Kwon president of Mischel Kwon Associates, a security consulting firm, and former director of the United States Computer Emergency Readiness Team (US-CERT)
MS. DIANE REHMThanks for joining us. I'm Diane Rehm. A new intelligence estimate says the risk of cyberespionage is growing and now threatens U.S. competitiveness. Damage from cyberattacks cost U.S. companies billions of dollars in lost intellectual property each year. And the tax on critical infrastructure, like oil and gas, raise national security concerns.
MS. DIANE REHMJoining me in the studio to talk about the growing problem of cyberespionage: Mischel Kwon of Mischel Kwon Associates, Michael Leiter of Palantir Technologies and Ellen Nakashima of The Washington Post. Please feel free to join us, 800-433-8850. Send an email to email@example.com. Follow us on Facebook or Twitter. Good morning to all of you.
MR. MICHAEL LEITERGood morning, Diane.
MS. MISCHEL KWONGood morning.
MS. ELLEN NAKASHIMAGood morning.
REHMAnd, Ellen Nakashima, if I could start with you, tell us what's new in this intelligence assessment on cyberattacks.
NAKASHIMAYes, Diane. Well, first, this is the first time the intelligence community has done an intelligence estimate focused exclusively on cyber economic espionage on targets of commercial and business interests. And while the conclusion that China is the most aggressive actor in this area, it may not be surprising to many of us.
NAKASHIMAThe report makes clear that China is, far and away, the most aggressive, you know, by maybe in orders of magnitude, greater than the next closest competitor Russia, and then far down below that, say, France and Israel. And the report also makes clear that it is a wide variety of sectors that are targeted from...
NAKASHIMAThe finance to oil and gas, renewable energy, clearly information technology, all areas that China is seeking to increase its own strength and competitiveness in the world economy.
REHMAnd, of course, President Obama is expected to make an announcement tomorrow on new protective efforts against cyberhacking. What kinds of things is he going to announce?
NAKASHIMAYes. He's going to announce an executive order on cybersecurity that will call for the creation of new voluntary standards or best practices that critical industries, critical sectors, such as aviation and transportation, can and should take to make their systems more secure against cyber penetrations. These standards will be created with the executive branch agencies that regulate them in a sort of voluntary process lead by a commerce department agency. And the hope is eventually that they will be promulgated through rules in these executive agencies.
REHMEllen Nakashima of The Washington Post. She's national security reporter there. Michael Leiter, how do you react to Ellen's writings and her assessment of what's happening here?
LEITERI think Ellen's reporting is, first of all, right on the mark. It's quite clear the people who watch cybersecurity that economic espionage through cyberattacks and cyber penetrations has been an enormously increasing problem over the past three to five years. And if you go back to the Bush administration, the early Obama administration, they prioritized this.
LEITERAnd this national intelligence estimate, which is a statement by all 17 elements of the intelligence community and of the senior most level of intelligence analysis that the intelligence community produces, helps highlight, now, of course, this is classified document, but this sort of document highlights to the White House, highlights to the Congress exactly what those threats are, the scale where they're coming from and helps push both the president and the Congress to action as they've been talking about over the past several years.
REHMYou know, when you talk about the past several years, it seems to me that the whole notion of industrial espionage has been around for decades, but now heightened by cyberspying?
LEITERI think you're exactly right. This is not entirely new. We've always known espionage, an espionage used to focus on getting secrets from government. And then post-World War II, as the industrial complex grew, it moved into trying to penetrate defense contractors who made tanks and planes. And what we've seen over the past five to 10 years is an explosion of economic espionage. And what cyber allows to happen is vastly larger amounts of information to be stolen with it be much more difficult for us to attribute who's responsible for that.
LEITERAnd with that ability to steal vast amounts of information, the Chinese in particular have used this as a national economic policy to penetrate, as Ellen noted, not just defense industries but oil and gas energy, manufacturing, health care, agriculture and all the supporting elements around that, the law firms, the information service providers and, as we've also seen, journalists -- The New York Times, The Washington Post, The Wall Street Journal. So it has become a scale, over the past several years, which really thwarts anything we've seen in history.
REHMMichael Leiter, he's former director of the National Counterterrorism Center. Turning to you, Mischel Kwon, you don't see the issue as quite as large as you've heard.
KWONI don't know if it's not quite as large. I think it's more it's not quite as new. I think this has been going on for quite a long time. We had -- we started taking moves on this in 1998, so this has been a long time process, I think, of identifying it and knowing what it is. Whether or not we can quantify if this has grown or not, I think, is still out for judgment, and I don't know if it really matters.
KWONThe long and the short of it is we have identified it as a large problem. And I see it as a large problem not necessarily with the focus that started on government. I think there may not be a place that is more focused than the other. I don't think we know that yet. I think as we moved out lives, if we -- as we've moved our businesses, our data, our processes, our money to the Internet and to IT systems so has crime and espionage and all of the other things that we used to deal with on a physical basis, you know...
REHMSo what are you saying, that we simply are dealing with a situation that's always existed but now we have to find new tools to deal with it?
KWONWell, it's always existed. The methods have changed from physical to IT. And we've -- we not only have to find ways of figuring out how to deal with it but how to identify it. I think that has been the problem, and I think that's what we're getting better at, and that's what seems to be new. So not just -- we have to identify it, and that sometimes is difficult. But we also then need to put forth the effort to remediate the problems.
KWONI think we've moved our lives, our systems, our businesses, our money to the IT systems, and we use them as a priority, but we often don't take care of them the way we should which leaves us vulnerable to these kinds of attacks. So it's more than defense. It's also taking care of the systems that we have so that they're not vulnerable.
REHMThis is certainly the first time I've ever heard of The New York Times or The Wall Street Journal having been broken into. Isn't that new, and isn't that even more grave when a country, apparently China, is trying to get information or to hack into systems because they don't like what The New York Times has published?
KWONI actually don't think it's new. I think it's new that they've identified it. I also think it's new that they're saying something about it. It's really hard to get entities to talk about the fact that they've been hacked. And so if we have the problem of difficult to identify, don't want to talk about it, that makes the remediation part of it even harder.
REHMSo what about the fact that The New York Times has indeed talked about this, Ellen?
NAKASHIMAWell, I think that in one hand, it was a very interesting and good piece of journalism to actually explore the way in which the hack occurred and to show how China was very much interested in explore -- in looking at the reporting of major news organizations who are doing investigative pieces that are hard hitting and often critical of the regime. It shows that this is not just theoretical, but it is happening. I think this has really begun to be an issue in the last several years.
NAKASHIMAWe reported that our own systems had been compromised several years ago. We did not discover it until, I think, 2011. But my understanding is China is interested in media organizations and what they're reporting to understand who their sources are, who they're talking to, what they might be about to report, what they're interested in, all sorts of intelligence that help them understand where, you know, points of criticism may be.
REHMLet me understand what you've just said. The Washington Post experienced hacking in 2010. It took until 2011 to discover it. Is that what you -- I just want to be clear.
NAKASHIMAYeah. Well, we've reported that The Post discovered some of the -- discovered instances of being compromised I think in 2011, but it looked like the actual penetration had happened earlier.
REHMEllen Nakashima of The Washington Post. Short break. We'll be right back.
REHMAnd as we talk about growing concerns regarding cybersecurity, joining us now from his office in Alexandria, Va., Richard Bejtlich of Mandiant. That's a cybersecurity firm. Richard, remind us of what happened to The New York Times back in the fall.
MR. RICHARD BEJTLICHThanks, Diane. The New York Times was publishing a story on Wen Jiabao's family finances. And they had interacted with the Chinese government and learned that there would be -- in the Chinese words, consequences if they proceeded with publishing their piece. So Oct. 24 of last year, they asked their Internet service provider if they had seen anything odd in terms of network traffic coming to and from The New York Times as a company. The ISP said yes. They had seen something odd, and that started an internal investigation at The Times.
MR. RICHARD BEJTLICHThey spent about a week to 10 days trying to determine exactly what was going on, which computers were affected. And then they decided by Nov. 7, they needed to call in some professional computer security assistance, and that's when they contacted Mandiant. We conducted an investigation. We found that The Times had been compromised since Sept. 13, and that the intruders had been targeting information relating to two of the reporters who have been working on the Wen Jiabao family story.
REHMTell me how you figured out what the Chinese were doing.
BEJTLICHWell, the way a company like Mandiant works is we sent consultants. We have a special software that works on both computers and the network that contains all of the intelligence for the investigations we have done for the past nine years. And we check out every computer in the company, looking for signs that there are threat actors present.
BEJTLICHAnd in the course of that investigation, we found that there were intruders on the network. They had accessed 53 individual Times computers, and they were specifically looking for information related to the Wen family story. So using this, we were able to match that type of activity to a group that we internally refer to as APT-12, which is a group that operates out of China.
REHMNow, we have an email here from Sarah: "Could you please comment on the fact that the reason that many cyberattacks come out of China is because many cyberhackers run their IPs through China so that they cannot be traced?" Can you answer that, Richard?
BEJTLICHI'd be happy to. That's a valid concern. And the way to think about this is if you simply arrive on the scene of a cyberattack and you've never done the work before, you only have the evidence at hand. It can be easy to be fooled by what the adversary is doing. And, in fact, in the case of The Times, we saw them routing their activity out of universities in Arizona and other locations.
BEJTLICHIn other words, we weren't seeing traffic going directly back to China. It's only by virtue of the infrastructure we have around the world and by virtue of helping our customers that we can see in places that get beyond what's happening just from that company out to their -- what we call their first hot points.
BEJTLICHSo, sure, if you were just looking at this and say, oh, I see traffic going to Florida, I see it going to Arizona, there is no over tie to the Chinese. But when you take it that next level, when you take a look at what they're doing, how they're doing it, you match up against the other intelligence work we've done, that's where you can figure out the attribution problem.
REHMSo how sophisticated was the attack on The New York Times?
BEJTLICHWell, APT-12, when you rank them against the other groups that we tracked, they are fairly sophisticated. They're not as sophisticated as some of the other groups that we tracked. Buy they're not at the bottom end either. We found in the course of doing our intrusion response that just about any company can fall prey to this. It doesn't mean every company has. But if you face an intruder who decides they're coming for a certain piece of information or a certain individual, they can find a way. And that's where the P comes from in APT. It stands for persistent.
REHMAnd what about phishing, P-H-I-S-H-I-N-G, and why it's such a favorite tactic of Chinese cyber spies?
BEJTLICHNow, phishing is actually, probably, the most effective means to get into an organization that you've targeted. It's a means by which you send an email either with an embedded link or, perhaps, some malicious attachment that you're trying to entice the recipient to open up that message. And if you think about it, an organization like a media company, they're especially susceptible to this because they deal with sources. They're trying to get information from the outside world.
BEJTLICHSo if someone sends them an email with some sort of a scoop or something that they'd be interested in, they're likely to open it up. But when they open up that email, malicious software will run on the user's computer, and it will allow an intruder, possibly thousands of miles away, to interact with that computer as if he was sitting right in front of it.
REHMNow, explain the difference between what happens when a country or an organization tries to go phishing, and the difference between that and spam that all of us tend to receive and sometimes are tricked into opening because it's from someone we know.
BEJTLICHNow, spam and phishing are variations on the same theme. When someone sends spam, they're trying to get you to buy some type of product. And they hope that by volume, by sending out millions of messages, it will get a few people to buy that product. Generally on those messages, there's a link. It's a link to someone's online store where you can buy whatever product they're trying to sell. And so from that perspective, it's very similar to phishing.
BEJTLICHThe difference with phishing is that when you click on that link or perhaps you open that attachment, the intruder is trying to take over your computer. They're not selling you anything. They're not trying to have you interact with them in a quasi-legitimate way. They're trying to get control of your computer so that they can then take documents from the computer, turn on the camera, listen to the microphone, more importantly, though, pivot from that computer to access other systems in your company to accomplish whatever their ultimate mission is.
REHMYou talked about your work with The New York Times. The Wall Street Journal was also attacked. And the question becomes, how long does it take a company like yours to figure out what's going on, where it's coming from and how serious it is?
BEJTLICHWell, a company like Mandiant, who's been doing this work for many years, when we have a substantial consulting force in addition to the other tools that we bring to bear, the software we make available, amount of services, we can get to the root of the problem fairly quickly. In some cases, we're limited by the amount of information that may be left around, you know, the amount of forensic evidence that may be left inside an organization.
BEJTLICHBut once we deploy our software and we have it backed by the intelligence of all the hundreds -- I mean, hundreds and hundreds of investigations we do of the same type that no one ever hears about, we can get to the root of the problem fairly quickly. The delay comes from what you do about it. Most organizations have a tough time with their information technology.
BEJTLICHIt's not easy to make these changes. Otherwise, that's why many companies would have tried to make those changes over the years. So, really, the next challenge becomes, well, how do you deal with the problem now that you found the intruder?
REHMSo you heard Mischel Kwon say earlier that this kind of cyber spying has been around for a while. Perhaps, the problem has gotten bigger. But just how bad do you think this problem of cyberattacking is for U.S. businesses?
BEJTLICHSo I've been involved with this problem for the last 15 years, starting as a captain in the Air Force in San Antonio, Texas. And the difference back then was when I was wearing the uniform, I would see the Chinese and the Russians and other nations attacking Air Force computers and government computers and that was just expected. That's what nations do to each other. The difference is that beginning in early 2000, the Chinese, in particular, expanded their activity way beyond what we would consider normal for the West.
BEJTLICHThey started with the clear defense contractors. They went to the national labs. They then expanded into private industry, to the part we're at now where if you're doing business in China, if you're in advanced manufacturing, clean energy, autos, there's a whole suite of technologies that the Chinese are targeting.
BEJTLICHThey have thousands of people devoted to this cyber espionage case. So, yes, espionage has been with us for all time. There are some great stories and books and movies about that. The difference is that you have state-sponsored and state-affiliated actors targeting private companies who, for the most part, aren't equipped the resources to handle that sort of problem.
REHMAnd that is the voice of Richard Bejtlich of Mandiant. That's a cybersecurity firm. Richard, I hope you can stay on with us for the rest of the program.
BEJTLICHI will. Thank you for the opportunity.
REHMGood. Mischel Kwon, you've just heard what Richard had to say. How do you react to what happened at The Times, what happened at The Wall Street Journal and his clear concerns that these kinds of attacks are growing?
KWONWell, I do think that it's a problem. I just am more on the camp of thinking that we're just now identifying something that has been going on for a long time. I don't think it was a progression. I think it was more of a more comprehensive attack across sectors. It's just my personal opinion. I do think that a lot of it has to do with the fact that it's difficult to manage IT systems. It's difficult to get priority unless you can show that there have been attacks, and attacks are hard to identify, and it takes money, takes money to identify.
KWONAnd time. It does take some time. But really, our focus should be on looking at how we remediate this problem. Our focus needs to be on how do we properly fund our systems and manage and control our systems so that those vulnerabilities are less and less. We will always have zero days, and we will always have more sophisticated attacks than the tools that we produce.
KWONIt will always be a foot race to try and stay ahead of our adversaries. But with that in mind, we need to ensure that we take care of our systems, monitor our systems and keep the hygiene of our systems to the best level so that there's less of a chance of the attacks.
REHMAnd the question becomes, then, are we able to stay one step ahead of those who would like to infiltrate the system, Ellen Nakashima?
NAKASHIMAI think one of the key issues here is to what degree is this a problem for the private sector alone and to a degree is the government -- does the government play a role here, and how much of a partnership should the two have?
NAKASHIMAWhat we're seeing is, as Mike pointed out from the sort of toward the end of the Bush administration and certainly through this Obama administration, a growing recognition that this, especially the cyber economic espionage problem, is a problem that is significant, cannot be addressed by one sector alone, really needs to be a collaboration and, importantly, something the entire government gets behind, not just the military or the intelligence agencies. And...
REHMAnd you're listening to "The Diane Rehm Show." Michael Leiter, do you expect the government to get involved here?
LEITERDiane, the government already is involved, especially with the defense sector. There's been a program over the past several years to provide classified, sensitive types of signatures to defense contractors from the Defense Department, the National Security Agency to give them a better ability to defend against these Chinese attacks.
LEITERWe also have to recognize that this just -- this isn't just about China. This isn't just about penetrating and stealing vast amounts of economic wealth. It also is moving into the more destructive realm, and it really doesn't take very much to go from being able to steal information to destroying information or disrupt people's networks.
REHMHave we had situations where that's occurred?
LEITERWe have. The two most significant over the past 18 months or so, first beginning in September of last year, going to December, several major U.S. financial institutions, an area of the economy which is actually better protected the most, experienced very extensive and increasingly sophisticated distributed denial-of-service attacks. So their websites were not accessible because they were being attacked by numerous computers from around the globe.
LEITERThey were ultimately tracked back to Iran. Even more destructively, the largest oil company in the world, Saudi Aramco, and the second-largest natural gas company in the world, RasGas in Qatar, experienced very destructive attacks -- based in Iran, we believe -- where, in the case of Aramco, 30,000 computers were actually wiped clean by a cyberattack, again emanating from Iran, which had been in Aramco computers for an extended period.
LEITERSo the point here is that if you can steal things, it really doesn't take much to also flip the switch and make that same code able to destroy very important networks. And in the world of critical infrastructure -- oil, gas, water, financial services, transportation -- this is a place where, I think, the U.S. government and private sector has to work even more closely together.
REHMRichard Bejtlich, would you agree?
BEJTLICHYeah. I think there is a certain amount of collaboration that will be helpful. One of the issues we have identified is that the typical model for sharing involve people sending pieces of paper to each other or the equivalent in email. And what we've tried to promote is some type of a standard, some type of a technical exchange method so that if you have intelligence, you want to share it with someone else, you can do so.
BEJTLICHWe have this thing called open IOC that we've shared with the community, and the idea behind that is if you put this intelligence into a format that can be digested not just by people, but by machines, you can get faster response when an attack happens, and others can learn from you and sort of take out that delay that the intruder takes advantage of.
REHMI think that that's the question that races to such a large extent in my own mind -- that is, how long does it take to find out that an attack has occurred, Richard?
BEJTLICHSo Mandiant's own studies, doing our incident response work, have shown that the median time from the event's first starting to the involvement of someone who can help -- so you could call that the detection or, I should say, the event-to-the-detection time -- was 416 days. In other words, well over a year, one of these advanced intruders has been inside a company to the point where someone decides to find it and do something about it.
BEJTLICHNow that's a horrible number, but believe it or not, it's down from two to three years just a few years prior. So -- and the other terrible stat around this is that 94 percent of the attacks that we worked with in the previous year were reported by a third party such as the FBI or Air Force OSI or another intel or law enforcement organization. Only 6 percent were found by the victim companies themselves. So these intruders are stealthy. They find a way to accomplish their mission and then stay within the organization so they can gather more data over time.
REHMRichard Bejtlich of Mandiant. That's a cybersecurity firm. When we come back, we'll open the phones and take your calls.
REHMAnd welcome back. In this hour, we're talking about cybersecurity, the kinds of threats that have already been encountered certainly at The New York Times, The Wall Street Journal, several financial institutions. Here in the studio: Mischel Kwon, president of Mischel Kwon Associates, that's a security consulting firm, Michael Leiter, senior counselor at Palantir Technologies, former director of the National Counterterrorism Center, Ellen Nakashima, national security reporter of The Washington Post.
REHMAnd joining us by phone from Alexandria, Va., Richard Bejtlich, chief security officer at Mandiant. That also is a cybersecurity consulting firm. Let's open the phones now and go first to Charlottesville, Va. Good morning, Chris. You're on the air.
CHRISGood morning. So listening to this discussion, there are two words: China and the Internet, which I think caused people to lose a bit of perspective in Washington. From the perspective of the technology community, which I'm part of, I just want to -- I just want to give a bit of a warning. So I understand that cybersecurity is an issue, it's been an issue for a long time.
CHRISAnd there are things that government can do to help deal with this. So, for example, work with companies to help them improve their network architecture to make their networks safer and also when intrusions do occur, keep the damage to a minimum. That's great, and I hope the government will do that, hopefully.
CHRISOn the other hand, if this is a way for the government to start monkeying with the central architecture of the Internet, the openness of the Internet, to start seizing domains or network architecture without due process like they try to do with the Stop Online Piracy Act, I think a big segment of the technology community is going to get very angry at that.
CHRISAnd it'll be stopped like the SOPA and PIPA were stopped a little bit over a year ago. So, you know, I understand that this is a problem, but I do tend to think that whenever the Internet and China is involved, Washington tends to overreact and to react on the side of censorship.
REHMAll right, sir. Thanks for your call. That gets us, Michael Leiter, to the kind of legislation being considered on the Hill.
LEITERYou know, Diane, I would actually agree with the caller. I consider myself as having one foot in Washington and one foot in Silicon Valley. I work for a Palo Alto-based technology company. I think the caller is right. The government has an important role here. And the legislation on the Hill that will be proposed by the House Intelligence Committee Chairman Mike Rogers and both Republican and Democratic co-sponsorship provides voluntary information sharing and provides liability protection for those companies that do provide that information to the government.
LEITERThere are still some concerns for technology and civil libertarians, in particular, how that information can be used, if it could be used for national security issues beyond cybersecurity. I think, again, government has a role here, there has to be a partnership, but government, in my view, can't get in the business of regulating very, very defined standards because technology will move much faster than the government bureaucracy ever can.
REHMEllen Nakashima, you've written about this, the cyber intelligence sharing and protection act.
NAKASHIMAMm hmm, that's CISPA, the bill that Mike was referring to, that Chairman Rogers and Ranking Member Ruppersberger are reintroducing again. It actually passed the full House last year, so it's, you know, very likely to pass again this year. And maybe some form of information sharing can get out of the Congress this year because it seems that people, generally between the government and industry, agree there needs to be better information sharing.
NAKASHIMAThe key is can -- how can we do it in a way that respects privacy and civil liberties as well as gets the right information into the right hands and is not abused. I also just wanted to point out that apart from legislation and better protection of the networks, there is also an increasing effort within the government to look at other means and levers to shape responsible behavior globally such as using diplomacy, working on norms, getting to make perhaps even sanctions or trade sanctions and -- with countries that may not be behaving in a way that the government thinks is appropriate.
REHMRichard Bejtlich, do you want to talk about CISPA and your view?
BEJTLICHCertainly. I do share concerns about privacy. I think it's very important that any legislations proposed is specifically tailored so that people who use the Internet don't feel like it gives an ISP or a company a way or a vehicle to consider them a threat. We have to keep the focus on the real threats, the people who are stealing information. And I'd like to echo Ellen's point as well that there are many tools that our government could bring to bear against countries that are conducting these sorts of activities.
BEJTLICHWhile it's difficult in the private sector to get access to information that really ties certain activities back to the countries of origin, the government knows what's happening. And using a whole government approach, you could signal to countries that are conducting these activities that that behavior is just not acceptable.
KWONWell, I think if we're looking at solving the problem, I'm not quite sure this bill particularly does a whole lot. It spends a lot of time talking about what it won't do. There will be no tasking. There will be no authority change. There'll be no -- the government will still have the right to classify things. There's -- it actually says very little except you all share which, you know, I think everyone is trying to do.
KWONI think there are other ways to encourage sharing that might even step outside of the government, looking at the IT-ISAC, the MS-ISAC, the ISAC model of companies coming together and sharing with each other and the government sharing with those entities. You know, I think there are, as Richard said, ways to develop more of a metadata-level sharing of technical information that is then unable to be have personally identifiable information included in it.
KWONLooking at some real sound solutions that are a little bit away from legislation, I think there are a lot of things that we need legislation for in the cyber realm especially in looking at how we prosecute cyber in those areas. I think to actually put a bill in place to dictate sharing, I think, is a little bit outside of the scope of what we really need to be doing right now.
LEITERDiane, having spent 20 years in the U.S. government, my single biggest concern is the speed with which government can operate, and technology is going to work at speed of technology. Silicon Valley is going to invent, technology is going to move forward with an incredibly rapid pace, and the inter-agency process, that is Washington, is far, far slower.
LEITERAnd we really do need a concerted effort to develop technological expertise within the U.S. government that is severely lacking. We need to increase collaboration and clarify roles and responsibilities within the U.S. government in a way that has not yet been clarified, and then we need to move this process. So we have sharing, but then we are not slowing down what the private sector can do to increase defenses across the board.
REHMAll right. Let's take a caller in Pittsburg, Pa. Good morning, John.
REHMGo right ahead, sir.
JOHNWell, you left so much. From an observer's standpoint, I thought from what you guys describe, this problem is at least as important as the financial market problem. And we have -- and, you know, we have laws that govern. And since this is an international problem, we should have -- get together the countries and codify some laws so that, you know, everybody needs to behave in a certain way, and that does mean that the U.S. also need to behave in a certain way, like going through a Stuxnet or something like that, which I've read of, into the other side.
REHMWhat about that, Richard Bejtlich? It would seem that the U.S. has done its own share of cyberespionage.
BEJTLICHThat's true. I think the difference is that the U.S. and the very small number of countries -- U.K., Canada, New Zealand, Australia -- we can find our activities to traditional targets of espionage, military, government, law enforcement, that sort of thing, whereas many of the countries take a much wider approach. I do think there should be some sort of norms developed among responsible countries. For example, you don't target another country's hospitals. You don't target their electrical grid. These sorts of things that all of us could agree should be off limits.
BEJTLICHThe problem is, as we saw with WTU negotiations just a few months ago, the world seems to be divided into two definite blocks, this sort of a Western block that promotes freedom and human rights, and then you've got another block which sees security as a method of controlling information, suppressing dissidence and that sort of thing. So we are having trouble just sort of coming up with what does it mean to secure the Internet between these two different blocks. Taking it the next step to govern behavior, I think, will be very difficult.
REHMAll right. To Houston, Texas. Good morning, Mark.
MARKHi, Diane. I love your show.
MARKListen, I'm a small businessman. I'm a photographer. I also run some websites, and I have a business class firewall that I spend money and I put in. And I've noticed that there have been some login attempts, usually when my business is closed because I have this device I get email alerts that this is trying to happen. And I've traced the IP addresses on several occasions, and they're coming out of China. And, you know, I use, you know, a good quality device.
MARKI'm concerned that most businesses don't bother spending this kind of money to go ahead and protect themselves and rely on just the router that the phone company or whatever gives them, which I think can be easily bypassed. And I thought when Panetta spoke about the U.S. being under cyberattack, I thought that was credible. And I thought if they're trying to get into a small businessman like me and do something with my servers, surely what he's talking about with the, you know, the U.S. and defense, et cetera, being under attack is very credible. And I'll go offline.
REHMNow, the kind of cyberprotection that you have, Mark, is that available to everyone?
MARKYeah, yeah. I have something that's called the SonicWALL. But you have to buy it, and it's expensive. There is subscription services on there that keep the system up to date and, you know, has threat monitors -- or the threats change, you get downloads with, you know, information on what the system is looking for.
MARKAnd it alerts me when something happens. And there's a log that I can go through and see what's going on, and the device cut off the attacks. So, I mean, I feel fairly secure. And the sites that I run up, if I was to lose a server, I would just scratch it, reload it and put the sites back up again. I'm not worried.
KWONWell, this is a big issue, particularly with small businesses because the costs of monitoring and securing actually only goes down as you get bigger, so it's very expensive for a small business. And relying primarily just on a firewall just really isn't going to be enough. So there may be other issues that he's dealing with that he just doesn't know about.
KWONA lot of small businesses are moving to services that provide security on top of their, you know, either a Web service or a cloud service to provide a more secure environment for their IT services, and that is available today. But a small business trying to manage their own security in-house with -- it's a very difficult process.
REHMAnd you're listening to "The Diane Rehm Show." Michael Leiter.
LEITERWell, if there is a silver lining here, Diane, about all these attacks is that public awareness really has increased exponentially over the past several years. A recent poll showed that 85 percent of corporate executives were concerned with a cyberattack, and that actually was beyond the number that we're concerned about dropping their income for the company. So people understand this is now a threat, that a small business owner understands a threat is a good thing. We built that awareness.
LEITERNow, the question is whether or not we can have the public policy response and the technical response to actually protect against these threats. And I don't think that the record over the past five years should give us all that much confidence yet. And I think continued focus and pressure on our elected officials on this front is really necessary.
REHMSo what about the president's expected executive order? How much good will that do here?
LEITERThe president will apparently issue an executive order on Wednesday and talk about this in the State of the Union Address. And that will do some things that are very good. But what it can't do is what legislations required for, such as clarifying the legal landscape for companies to share this information on cyberthreats that they experience with the government.
LEITERThe president can't provide liability protection which is critical for Internet service providers and the like to provide that information to the government, and the government can then help them analyze that information and get it back out to other companies. In addition, the president obviously -- it is more difficult for him to set strict regulatory standards which some in Congress want and many in Congress and many in business do not want. So there's still going to be an on-going discussion on Capitol Hill about how strict and how defined these regulations on cyber-standards will be.
REHMAnd, Richard Bejtlich, I'd be interested in your response.
BEJTLICHWell, there is a certain role for standards. However, one of the things that we found is even with the highest standards, dedicated intruder will find a way into the company. So one of the approaches that we recommend is rather than having a vulnerability or standard-centric approach, you have a threat-centric approach. In other words, on a regular basis, minimum annually, you have someone to take a look at your network and tell you, are there Russians there? Are the Chinese there? Are there hacktivists in your network?
BEJTLICHFind the intruders and then do something about it, as opposed to constantly chipping away at a standard because, like we said, if most of these intrusions being found by someone else, even if you're following a standard, you're not going to know that you are hacked. So call in a professional. It's just like getting your health checked once a year or being audited for your finances. You want to make sure that you're safe on an on-going basis. And then if you have a problem, you can deal with it.
REHMMischel Kwon, what do you tell companies to do to protect themselves?
KWONWell, this is going to sound odd, but we say this is a management issue. Yes, it is a technical issue to actually find the intruders and actually make the change on the system. But unless it is supported on the executive level and financially so that you can do the identification of the incident and then the understanding of the vulnerability that allow that incident to happen and then the remediation and then the reporting to say how the remediation was fixed. Unless you're able to do that life cycle of security management, unless you are afforded to do that financially, it doesn't get done.
KWONAnd whether you're fixing the things that are -- you're doing, just wrote vulnerability, fixing every vulnerability or whether you're actually targeting the things that are happening to you, you have to do this in some form of a risks management process. And I think that's what Rich is saying is that you need to look at your networks and look at the risk that you're at and afford that ability to make those changes.
REHMAnd monitor, monitor, monitor. Mischel Kwon, president of Mischel Kwon Associates, Michael Leiter, senior counselor at Palantir Technologies, Ellen Nakashima of The Washington Post, and Richard Bejtlich, chief security officer for Mandiant, a cybersecurity consulting firm. Thank you all so much.
LEITERThank you, Diane.
REHMAnd thanks for listening. I'm Diane Rehm.
Most Recent Shows
The Food and Drug Administration will require movie theaters, chain restaurants and pizza parlors to include calorie counts for food and beverages – including alcohol. Please join us to discuss costs and benefits of the new rules.
Actress, model, and author Brooke Shields on her relationship with her mother and the childhood that made Shields the woman she is today.
After months of tension, a St. Louis County grand jury decides not to indict Ferguson, Missouri police officer Darren Wilson in the shooting of Michael Brown. Diane and her guests discuss reaction to the verdict from civil rights groups, protesters and law enforcement.