MR. TOM GJELTENThanks for joining us. I'm Tom Gjelten on NPR sitting in for Diane Rehm. Diane is on vacation. The United States has fought on land, at sea, and in the air, but America's new security challenges are in cyberspace. We've entered an era of digital war and espionage. That's the view of my guest, Joel Brenner. His new book "America the Vulnerable" outlines all the threats we face in the cyber domain, and he knows his subject firsthand.

MR. TOM GJELTENHe followed cyber threats at the NSA, the National Security Agency, where he was inspector general after 9/11. Then he became the U.S. government's chief of counterintelligence. He's now a private attorney specializing in cyber issues, and he has much to say about what needs to happen if we are to be protected from cyber intrusions. Joel Brenner joins us in the studio. Good morning, sir.

MR. JOEL BRENNERGood morning, Tom.

GJELTENAnd our listeners are welcome to join this conversation. Your comments, questions are always an important part of this program. You can call us on 800-433-8850, or send us your e-mail at drshow@wamu.org, or join us on Facebook or Twitter. So Joel Brenner, you've spent this last decade in the inner sanctums of the intelligence world dealing first-hand with America's adversaries and their agents, and the book you have just written is titled "America the Vulnerable." Is this idea that America is in danger -- is that the idea that you really took away from your work in the intelligence business?

BRENNERWell, it's one of the ideas I took away from my work in the intelligence business, and I wrote this book because having sat through many, many meetings in which colleagues of mine who were really on the front line and dealing technically with these threats, which is not what I did, would wring their hands and say, the public just doesn't understand the kinds of attacks that are being directed not only at the government, but at private corporations which are having their intellectual property looted.

BRENNERSo I thought to myself, having left the government, maybe it's time somebody really explained it. And so to show to the public what we really see when we're on the inside.

GJELTENAnd how has this happened? How is it that all of a sudden we're dealing with these threats and people just don't understand where they're coming from, why they're coming and why they're so serious.

BRENNERWell, remember how suddenly our channels, means, and methods of communication have changed. Until 1992, it was against the law the use the Internet for commercial purposes. I mean, that's startling to realize that. That's less than 20 years ago. And as late of say 2000, a decade ago, the commercial uses of the Internet were pretty trivial.

GJELTENMm-hmm.

BRENNERSo this is -- in a very short period of time, we've taken a network that was originally designed for a small group of researchers in trusted circles in universities and in federal research institutes, to communicate and collaborate. And we've taken that network which was designed to be used by a small group of people, which was not built with security in mind, and we've turned it into the backbone of all of our commerce, all of our finance, and virtually now all of our operations from air traffic control to manufacturing. Things are connected to that Internet. It's porous and it's insecure.

GJELTENDid that not occur to our leaders as we were making this transformation, as our military was becoming dependent on electronic communication, as our financial system was become dependent on that, not to mention all the industries that depend on it?

BRENNERWell, I -- the answer is, um, to some people. In the financial world where security is extraordinarily important, the level of security is higher than it is almost anywhere else except, oddly enough, people might like to know in the gaming business where it's also very good. But for the most part, the answer is no.

BRENNERPeople saw short-term quite significant efficiencies in some cases from linking everything to everything else, and, of course, the more interconnected one is, as a -- it's an axiom that the more interconnected you are, the more vulnerable, the less robust you are. And so people are just beginning to come to grips with these vulnerabilities, if they are.

GJELTENBut, uh, our adversaries and our rivals saw that vulnerability very early, right?

BRENNERWell, I think so. After the first Gulf War, our adversaries and potential adversaries really went to school on how we did it.

GJELTENYou talk about China in particular. I know a lot -- I've noticed a lot of people in U.S. government don't like to name countries, but throughout your book, you talk pretty plainly about China being determined to take advantage of us in this area.

BRENNERWell, the Chinese saw what we did to Saddam's army, first of all, in the first Gulf War, and everybody took it for granted that we had superior air power. But to have destroyed many divisions of Chinese armor in a hundred hours with hardly any casualties while the other side suffered thousands and thousands of casualties, made the Chinese sit up straight and pay attention.

BRENNERBut whereas I think American military thinkers chiefly saw unlimited superiority on into the future that nobody would ever challenge us again. The Chinese saw that we did these amazing things because our military was interconnected in real time, and could bring together intelligence from far flung points of the earth and put it in the battle field commanders face immediately.

BRENNERThis allowed -- this apparently let the fog of war completely dissipate. The Chinese saw it differently. They said, oh, well, we can't deal with the Americans one on one militarily, but they're command and control operates through the Internet now, to a significant degree, and that command and control is vulnerable to disruption. So they began to see a way to reimpose the fog of war, at least in theory.

GJELTENOkay. That is war fighting. Meanwhile the Chinese are also looking at our economic strength, our industrial base, our weapons design, and they are really pioneering a new form of espionage you write, electronic espionage. Talk about what the Chinese are doing in that regard.

BRENNERYeah. The Chinese saw that we not only had this extraordinary military capacity, but they asked themselves, who else but the Americans could spend $60 billion halfway around the world to carry out a military campaign like that. And they realized, having seen that, and having seen the collapse of the Soviet Union, that unless you could compete economically with the United States, you couldn't compete with them in any way.

BRENNERAnd that I think has lead to them deciding to target systematically, not just American, but western technology often having nothing at all to do with defense, because they want to level the economic playing field, and I want to add something else here because I don't want to -- although I do speak candidly about the Chinese, I think more candidly about most subjects than most people do.

GJELTENYou're right.

BRENNERTurning this into a China-bashing exercise is not my agenda at all, and I don't think we're at war with China. I think, as I try to make the case in the book, that we're in a difficult and frankly unstable period that I call between war and peace. It's a gray area. And that means that there are adversaries that we cooperate with who also attack us in certain ways, or who confront us in ways who have different interests in some areas than others. This is not a cold war where you can draw a clear line between allies and friends. It's much more complex geopolitical geometry now.

GJELTENRight. But one of the things that I think is very interesting that you write about China is that if you look at the speed with which China has developed economically and industrially, and compare it to how the United States developed, I mean, we depended on ingenuity, we depended on entrepreneurship, we, you know, there are companies like Google, Microsoft, IBM, in the private sector that really developed new technology, whereas China, a state-run economy, does not have that entrepreneurial culture and so what you say is that they actually look to stealing that technology, stealing those ideas from the west in order to develop. Is that too strong a statement?

BRENNERNo. I'm afraid it's not too strong a statement. The Chinese are systematically targeting our technology. They would like to become not just copiers, which is how they perceive the Japanese, they also want to become an entrepreneurial culture. To do that in their own highly controlled political environment remains to be seen whether they can pull it off. And in any event, in the meanwhile, they want the technology that makes us powerful.

BRENNERAnd this is an issue not only for American companies that stand to lose what makes them valuable, it's also an issue for American jobs. You know, when somebody steals your car, you know when you go out there in the morning it's gone.

GJELTENRight.

BRENNERWhen they steal your technology, you may not know it. You may then, three or five or ten years later you're looking at your market share and wondering why it never developed because you had this wonderful technology, and then you see somebody else overseas who's hiring and opening factories while you're laying off workers and closing factories. That's what this means in the long term for the United States. It's not an immediate blowing up of something. It's a slow bleeding out and hollowing out of the technological advantage that makes us powerful.

GJELTENJoel Brenner, here's what you write -- technologies that cost millions or billions to develop are being stolen and re-entering the country as finished products developed by foreign entrepreneurs. In effect, we're buying back our own technology. Joel Brenner is the author of "America the Vulnerable: Inside the New Threat Matrix of Digital Espionage Crime and Warfare." You can join the conversation by calling us at 1-800-433-8850, or send us your e-mail at drshow@wamu.org, or join us on Facebook or Twitter. Coming up, more on digital warfare and the future cyber battlefield.

GJELTENWelcome back. I'm Tom Gjelten sitting in for Diane Rehm. And my guest today is Joel Brenner. He's former inspector general at the National Security Agency and chief of counter intelligence in the office of the director of national intelligence. And on the basis of his intelligence experience he has written a book "America the Vulnerable: Inside the New Threat Matrix of Digital Espionage Crime and Warfare." Please join us -- please join our conversation by calling us on 800-433-8850 or send us your e-mail at drshow@wamu.org. Join us also on Facebook or Twitter.

GJELTENJoel, as chief of counter intelligence you had to deal with this wave of electronic espionage. Tell us some stories from that period. I know a lot of what you did was classified but there have to be some stories, some anecdotes that you can share with us about what you saw out there.

BRENNERWell, I can talk about what's in the public domain. Of course there's a great deal that I know that I can't talk about. But we saw, for example, in the Chinese attack on Google in late '08 -- it came out in early '09, there was a systematic, really a -- and very sophisticated attempt successfully to penetrate Google and to extract from Google at least some of the source code that makes that company the powerhouse that it is. Also through Google it turns out that there were not several dozen, but probably thousands of companies that were also attacked, most of which have not wanted to acknowledge that fact.

BRENNERSo we've seen the Chinese attempting to really go after the crowned jewels of American industry. The Google attack was a watershed. Another watershed even more recently after I left the government was the attack on RSA, which is the encryption company. Stealing an encryption key or the algorithms that make those keys work isn't like stealing information. It's like stealing the way into the information in lots of different places. This has made an awful lot of people wake up to what their vulnerabilities are.

GJELTENAnd how does the U.S. government confront this? I mean, tell us the story of the Chinese executive. I think he was working for Microsoft in Washington, whose mother was in a hospital back in China. What pressures was he put under? And as you in the U.S. government found out about this espionage effort, how did the U.S. government respond? How do you go after this stuff?

BRENNERI can't talk about that case with particularity. And I don't want to link it to Microsoft because I think that's, so far as I know, not right.

GJELTENOkay.

BRENNERThere was a case I talk about in the book that came to me through one of our operatives who -- there was a Chinese ethnic employee of an American firm that had valuable technology. And he was asked to spy for the Chinese. He declined. He said no, no. You know, I'm American now and I'm loyal to my company. Sometime later they came back to him and said, you know, your mother's real sick in a hospital in a provincial town. And there's a long waiting list to get the kind of treatment she needs. Do you want to reconsider our offer?

BRENNERI mean, that's the kind of pressure that one sees police states bring to bear on people it wants to flip, it wants to turn. So we have seen that kind of tactic. Yes, we have.

GJELTENAnd how does the U.S. government go after what -- I mean, counter intelligence means countering the efforts of foreign governments to penetrate us. How do you go about doing that?

BRENNERWell, that's a complicated question. One of the ways that you do it is you try to penetrate the intelligence agencies that's trying to penetrate you. Another way you do it is to try to monitor information that goes out over electronic channels to see who's doing what on an information system.

BRENNERYou know, in an intelligence agency, for example, anybody who works there really gives up his privacy. You know that you're being monitored all the time. That's not the way the general -- it generally works in American society or should. But that's one way you do it and you take defensive measures when you're inside an agency.

BRENNERIn companies one of the things we are seeing is that companies are beginning to limit access to information. It used to be that only in government did you find information being classified, access to it being regulated according to the level of trust that a particular employee enjoyed. There were exceptions in a merger and acquisition shop, for example. Quarterly results were always closely held.

BRENNERBut now we're seeing what's called role-based access to information in corporate America. And we're going to see much more of that. You know, after -- people would say to me sometimes after the Bradley Manning business...

GJELTENHe's the alleged -- he's the army private who allegedly stole a lot of classified information and gave it to WikiLeaks.

BRENNERExactly. And people would say, gee why was it or how could the army be so stupid as to give some private in CENTCOM in Central Asia access to diplomatic cables having nothing whatsoever to do with his job. And my response to that was, yes that was foolish but tell me, why does the guy in your mailroom have access to everything that's on your system? And you'd watch people's faces go white because almost always that was the case.

BRENNERAnd it's exactly the same thing. People need access -- if there're corporate secretes to be kept, if there's information which if lost would significantly devalue your company, you have to treat it differently. McGeorge Bundy used to say in the Kennedy Administration that you can't treat toothbrushes the way you treat diamonds. And that if you do you'll lose fewer toothbrushes but more diamonds. We've done the opposite now. We're treating our corporate diamonds like toothbrushes.

GJELTENBut a lot of people say there's over-classification in the U.S. government and I don't think you would disagree with that. But you say there are cases as well to where there is -- more secrecy is needed, is what you're saying.

BRENNERYes. I think -- you got to keep more than one important idea in your head at the same time to really be wise about this. We over-classify a great deal. I've seen many examples of that. Occasionally we under-classify, or at least under-protect certain kinds of information, particularly valuable publically financed research that's on the verge of being weaponized for example. And our adversaries have become quite shrewd about this. Much of what they target is not classified. It's information that they see on a path to being classified before it gets classified. We're not doing such a good job of protecting that.

GJELTENAnd that's particularly in the defense industrial base is what you -- where actually the Pentagon will solicit bids from companies to produce different components that then would be put together to produce some kind of secret system.

BRENNERYeah.

GJELTENYeah. You know, Joel, at the beginning you were talking about how dependent so much of our industrial systems are on electronic communication. We have a note here from a Twitter follower who calls himself or herself prattlesnake who wonders, "How secure are our power plants?" Very big question, "Is our power grid at risk of cyber attack, or for that matter, nuclear plants?"

BRENNERI'm grateful for that question. Let me address the power plants first because I think that, more than the nuclear plants, are a real vulnerability for us now. The power plants are like all large industrial operations. They're controlled by what are called industrial control systems sometimes referred to as SCADA systems which are a species of industrial control system.

BRENNERThose systems were designed to be isolated, physically and electronically. Our power grid owners and operators have been in search of short term, short run marginal efficiencies, hooking up those ICS, those control systems to the public internet. It's happening rather quickly, it's widespread and it's extraordinarily dangerous.

GJELTENJoel, here's something that you wrote in your book. The guys in the computer closet now control everything you do. And this particularly applies to people who are running industrial facilities. If an intruder can break into the right server he can remotely shut down production, send your foods to the wrong destination and unlock your doors. You talk in your book about how our idea of security in the past involved guns, gates and guards. And all of a sudden that's almost irrelevant, isn't it?

BRENNERIt's almost irrelevant. Physical security has also become electronic because, you know, you can unlock the doors and the gates electronically now, not just physically. And so...

GJELTENAnd you can get inside electronically in order to do that.

BRENNERThat's right. And it doesn't matter where they get in. You see, typically security in the power industries has focused on the largest generation facilities. And so if you could -- the thought was that if you took down some little one what difference does it make. You could get the power from somewhere else. It wouldn't affect the grid in any significant way. But if you can get into the main system through some trivial facility then you can do the same damage that you could do if you got in through the main facility. If you get in anywhere you're in everywhere. And that's what's made this tenancy so really, really risky.

GJELTENThis is getting in, not to steal something, but getting in actually used the word damage, getting in to actually damage something.

BRENNERIf you can penetrate an electronic system to steal information from it you can penetrate it to shut it down.

GJELTENWell, you know, the best -- I mean, this is not just theoretical, is it, because we had the example just last year. We found out about a computer worm called Stuxnet that was introduced apparently into the Iranian nuclear plant at Natanz and actually succeeded in dismantling some of the centrifuges there. Tell us about Stuxnet and how you reacted when you first saw about it.

BRENNERWell Stuxnet -- and I don't know who did it. I mean, one -- there are lots of guesses about who did it but it was...

GJELTENWe'll get back to that.

BRENNERYeah, it's a -- it was a way of introducing a malware, bad software into the Iranian centrifuges that created, you know...

GJELTEN...enriched uranium.

BRENNER...enriched uranium and made those centrifuges go haywire. As a result they spun out of control and many of them were destroyed and became useless. And this had a significant impact on -- and slowed down the Iranian effort to develop a nuclear weapon, which there's no doubt in my mind they were trying to do.

BRENNERThe -- that -- but it was a particularly complex operation because their centrifuges were what was sometimes called air gapped. That meant that...

GJELTEN...they weren't connected to the internet.

BRENNER...they weren't connected to the internet the way we're connecting our grid. And so in order to do that operation the -- somebody very cleverly put the malware on a thumb drive, which was then carried from an accessible network into the supposedly inaccessible network. And those moveable medias really make a mockery of air gaps. Now, if you can do that...

GJELTENI'm Tom Gjelten. You're listening to "The Diane Rehm Show."

BRENNER...if you can do that in a system that's supposedly air gapped you can do it a lot easier in a system that's connected to the internet.

GJELTENIs Stuxnet then sort of the future face of war in a sense?

BRENNERYou know, I think the notion of sort of standalone cyber war is overhyped. I think that on the other hand there's no question in my mind that there is no future conflict that will not -- no future armed conflict that will not have significant cyber operations as part of it.

BRENNERAnd those operations, if for example you imagined -- not that the whole country's going to be made dark., I think that's science fiction -- but that a region might be taken down. San Diego, for example, which happened apparently by accident just last month. If it can happen by accident it can happen on purpose. It's the main United States Navy port on the Pacific. If that were done in -- at a time when there were serious naval operations going on there, that would have significant consequence.

GJELTENWell, Joel, we know that the United States has been very alarmed about the prospect of Iran developing a nuclear weapon. We also know that there have been covert efforts in the past on the part of the United States to sabotage that program. Here's what you write in your book about Stuxnet. You say, it would have been consistent with U.S. policy but not with previous U.S. methods which avoided computer operations likely to damage others besides its intended targets. But you do say this would've been consistent with U.S. policy. That's quite a statement itself.

BRENNERWell, that's as much as I'm going to say. The -- obviously it was United States' policy to try to slow down Iranian development of nuclear weapons and a good policy that is. The -- when -- you can imagine that anybody making decisions when looking at the relative difficulty, harm and so on of doing a kinetic bombing operation. I mean, that would've been a real -- would've had extraordinary collateral consequences. This one much less.

GJELTENListeners, if you want to join this conversation you can call us on 1-800-433-8850 or send us an e-mail at drshow@wamu.org. Or you can join us on Facebook or Twitter. I'm going to go now to Richard who's calling us from Sugarland, Texas. Good morning, Richard.

RICHARDYes, good morning.

GJELTENAnd what's your question for Joel Brenner this morning?

RICHARDI would just like to make a comment, is that the theft of American technologies is not just in the IT arena. My company owns some of the leading technologies in water and we have watched foreign companies come in, steal our trade secrets, violate the patents and then lie to federal judges to try to steal everything else we have. There is a concerted effort outside of the U.S. to take whatever we have of value, and not just in the IT arena. I'd like to see what he has to say.

GJELTENJoel.

BRENNERWell, tell me something, Richard. I was talking about IT as being a means of penetrating and a means of theft. Not that the theft was just directed at IT assets. Are you talking about theft from your company of non-IT secrets, or that were done in a way that didn't have to do with the -- your IT systems.

GJELTENWhat's being stolen, Richard?

RICHARDYeah, in essence they bought our suppliers and then took everything what was known therein and then abused and abused, yes.

BRENNERWell, that's not a -- I know that that goes on. That's not a new problem. I mean, that's -- the theft of technology is very old. People have been doing it for a long time, hundreds of years.

GJELTENWell, in fact, we -- you said earlier you don’t' want to gang up on China, even though China is very prominently talked about in your book. But as far as economic espionage, industrial espionage even close allies have been stealing technology and commercial secrets from the United States for a long time. You talk about France being involved in some of this kind of activity in the past.

BRENNERWell, you know, the United -- some of our adversaries don't believe it, but we do not -- our intelligence agencies do not engage in economic espionage for the benefit of American companies. Some people think they should, but we don't. And this is not the way it's done in China. Russia is real. France and a large number of much less capable countries, but we don't.

GJELTENComing up more conversation with Joel Brenner, your calls and questions. We'll be right back.

MR. TOM GJELTONWelcome back, I'm Tom Gjelton, sitting in for Diane Rehm today. And my guest is Joel Brenner, a former inspector general at the NSA, National Security Agency, and chief of counter intelligence. He's written a new book "America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime and Warfare."

MR. TOM GJELTONYou can join us by calling 1-800-433-8850 or send us an e-mail at drshow@wamu.org or join us on Facebook or Twitter. Speaking of e-mail, we got an e-mail, just now, from Shawn and this is what he writes, Joel. "I work for an energy company and was in China conducting critical negotiations on a project.

MR. TOM GJELTONThe night before I was working in my hotel room finalizing the negotiation plan and strategy, the next day during the meeting, the Chinese client seemed to know every point I was making, even before I mentioned it. In essence, they were following my negotiating plan step by step. There's no way they could've obtained this information from anyone else. They had to have hacked into my e-mail to obtain this kind of detail." Surprising story?

BRENNERNo, not at all. And I'm glad to hear someone else saying it besides me. I've heard this story more than a few times. And I can only say this, if you have negotiations with an important Chinese company and you are in China, you must assume that your electronic media are penetrated. In more extreme cases, your hotel room may get tossed. But e-mail is like, in that circumstance, is like shouting out the window.

BRENNERYou cannot regard it as a private communication. I think, frankly, that would be the same thing, if you were in other countries too and, certainly, including Russia, if you were negotiating with a Russian national company. But this is not unusual, in fact, it's the expectation, if you're going to China.

GJELTONGreg is calling us from Severna Park. Greg, welcome to the Diane Rehm show, you're on the air.

GREGGood morning gentlemen, fantastic topic.

GJELTONThank you.

GREGI just had a quick...

BRENNERGood morning.

GREG...quick question and comment. I realize that we owe the government of China over a trillion dollars and that a lot of the way we treat them is probably over some sort of fear over what we would do if they ever tried to call the loan but I just don’t understand why we treat the Chinese government with such kid gloves. I mean, this is maybe going on a little broader but we certainly know they undervalue their currency in order to gain an economic edge.

GREGAnd yet nobody -- oh, you're going over there. You can't talk about that. And greatest example, I think, in recent media, is that not only do they steal our ideas and come up with copyright devices and things of that but I read on the internet that there's actually entire Apple stores that are opened in China now and in such a tightly controlled state, there is no physical, credible way to say that the Chinese government doesn't know that these stores are opening and that they've completely stolen all the technology from Apple, in doing it. And yet the government...

GJELTONYou're not talking about Apple opening a store in China, you're talking about...

BRENNERNo, no. He's talking about people opening a knock-off, look-a-like of an Apple store and selling lots of other things including, I think, Apple pirated stuff.

GJELTONRight.

BRENNERBut let me back it...

GJELTONWhat about that first point he mentioned that -- now, this is something that you've also written about.

BRENNERYeah.

GJELTONYou -- you know, everybody in the U.S. government knows what's going on and...

BRENNERRight.

GJELTON...many of you have brought this to the attention of policy makers and yet...

BRENNERWell, I think they -- the problem is more complex then they make it out, Greg. We have -- we are truly in a symbiotic relationship with the Chinese, right now. If either of our economies collapsed, the damage to the other would be extraordinary. And it is that fact, rather than timidity, that is -- that conditions our policy response to them. They are, economically speaking, a huge power.

BRENNERI don't think it's right, by the way, to say that when our people go over there, they can't talk about the currency issue. Timothy Geithner talks about it all the time when he goes over there. And I do agree with you, that I think that's a really bedrock, fundamental issue that's -- that we have to deal with, with China now. It affects our imports and exports and theirs.

BRENNERBut also, it's not the case really that China is controlled in the way the Soviet Union was controlled, say, before it collapsed during 1950. The -- it is a much more decent -- power is much more decentralized in China then your remarks would suggest. And, I think, that the -- there are other examples then that Apple store, as well, but that one, when it came to light, I think, got the attention pretty quickly, of the enforcement authorities over there. So I don't think that you can conclude that the authorities were in cahoots on that one. I don’t agree with that.

GJELTONOkay. Phil has written us an e-mail on the same line of thinking saying, "We've heard from a number of political sources that countries that are economically dependent on each other are much less likely to wage war on each other. If China becomes much more industrialized by stealing our technologies, in the long run, is it in our interest for our government to maybe look the other way to allow a certain amount of industrial espionage?"

BRENNERNo, I don't think so. I think it's in the United States interest and it is our national policy to encourage the growth of China, to encourage its political liberalization and to see it assume a responsible role in world governance institutions, international institutions. The -- as I say in my book, the prospect of real hostilities, war, between the United States and China would be a world disaster of extraordinary proportions.

BRENNERAnd as this -- as the world flattens out and as China becomes, yet, more powerful, it will take -- it will begin to take different positions in regard to intellectual property, for example. When it has more to steal, it'll -- it won't want it stolen. But, no, I don’t think you can say to any American company that it's in its interest to have its technology stolen, no.

GJELTONWell, Joe, we're not going to have time to get into your chapter, June 2017, but one of the chapters in your book, you actually lay out a whole scenario on what a war with China would look like, how it would start and how it might develop. And one of the points that you make, at the end of that, is that the United States and China both, sort of, back off at the last minute to avoid precisely that kind of confrontation.

BRENNERI would say it a little differently...

GJELTONOkay, sorry.

BRENNER…if we got a minute.

GJELTONYeah. Less than a minute...

BRENNERYeah.

GJELTON...but that's all right.

BRENNERWhat I talk about is a scenario which does not result in open hostilities but results in a significant loss of strategic advantage to the United States, after which everybody thinks we've done a wonderful thing and doesn't really understand what's happened in the South China Sea. And I want to -- and one other thing, one of the points I make in my book is that these issues with corporate and national secrets are the same fundamental problem that people have with their individual privacy.

BRENNERThey all -- privacy and secrecy all rise or fall together. In that, you cannot have unlimited amounts of transparency, which is what we're deal with, and unlimited amounts of privacy and we're losing both.

GJELTONOne of the things that Americans need to keep in mind, as they consider these issues, because of course, privacy is very important to them. Let's go now to Mary Ellen who's calling us from Seattle, Wa. Mary Ellen, welcome to the Diane Rehm show.

MARY ELLENThank you so much.

GJELTONYour question?

ELLENYes, hi. My question is, I've been penetration testing and configuration testing the internal systems integration part of the network now for the last three years with companies like IBM, Oracle and such. And we found over 90 percent of these system integration software's to not be harden administratively. And your book is so timely because what you're talking about is the interconnectivity between not only the military but also between the .com's. So what do you see happening in the industry and in the government to address these key critical infrastructure vulnerabilities today?

BRENNERMary...

GJELTONJoe, you actually make a big point of distinguishing between the defenses on the government side and the defenses on the corporate private side.

BRENNERYeah, I talk a good deal about this in my book. And go into a much more depth than I could possibly do here. But, Mary Ellen, I'm really grateful for your point about penetration testing. What Mary Ellen is saying is that, as one who does this kind of testing, is that if you go into, even -- the networks are even quite large U.S. companies, they are penetrated. And subject to the same kinds of, indeed, corporate big bot-nets which are networks of zombie machines that are used to spread Malware and criminal software.

BRENNERThe -- I think, that companies that expect the government to solve this problem for them are whistling Dixie. It's not going to happen. The government -- there are things the government can do in terms of exercising its huge purchasing power of mandating the disconnection of the grid, of control systems from the internet and of encouraging research in ways that would benefit -- lift all boats, but companies have to do this.

BRENNERAnd one of the things I see as I advise companies now in my private practice, is that many of them think their problems are technological but they're not. Failing to implement available technology is not a technological problem, it's a management problem. If you don't know who's on your network and you don't know what hardware and software are on your network, and you let all kinds of unauthorized and often suspect hardware and software connect to your network and you don't know what traffic's going through your network, you don't control your own network.

BRENNERAnd that's the sort of thing Mary Ellen, I think, is describing. And those aren't technological problems, they are managerial problems. Now, solving those won't keep out a determined, capable foreign intelligence agency but they would greatly reduce the amount of penetrations and they'd greatly reduce the risk, also, that American corporate networks could be used as the launching pad of attacks during hostilities on us because attacks on us during a period of real hostilities would often be launched from within the United States.

GJELTONAnother issue, Joel, is that attacks on critical infrastructure, that is in the private sector, and of course, what, 80, 85 percent of our critical infrastructure is privately owned right now? The United States government doesn't even necessarily know about those attacks as they occur, is that right?

BRENNERYeah. The -- people talk about the bad information sharing between the government and the corporate sector but there's also very poor information sharing within the public sector. I mean, within the -- excuse me, within the private sector and even within, particular, economic sectors. And we don’t do a good job of that right now. Everybody's, sort of, looking after his own network and nobody wants to admit their -- the kinds of penetrations Mary Ellen is talking about.

BRENNERBecause if they do and they think they have a material penetration, then they've got a, if they're a public company, have a disclosure obligation to the SEC which could affect their stock price.

GJELTONYou think that should change?

BRENNERNo, I think, Mary Schapiro, at the SEC, is trying to get much tougher on the -- that, I applaud that.

GJELTONI'm Tom Gjelton, you're listening to the Diane Rehm show. If you'd like to join us, call 1-800-433-8850 or send us an e-mail to drshow@wamu.org. You know, Joel, something that caught my attention in that scenario that you wrote in your book about the way that a cyber war could develop, you have the President of the United States asking the Secretary of Homeland Security is the U.S. power grid being attacked right now?

GJELTONAnd he cannot answer the question. Is that really the situation right now, that if the United States power grid were attacked, the private power grid, department of homeland security, wouldn’t even be -- would've even know it?

BRENNERLet me put it this way, I think, that's entirely possible. If you could imagine a series of attacks being rolled out slowly across different economic sectors, we don't have the equivalent of a watch floor, a corp. -- an American watch floor looking at what's happening in important networks across the economy. We don’t have that capability.

BRENNERThe way, for example, if you were trying to get into the networks of an intelligence agency or the Pentagon, there is a watch floor. There are people looking at that traffic but there's nobody who can look at what's happening in a particular power company and correlate that with what's happening in another power company, let alone with, also, what might be happening in the Pentagon or somewhere, it doesn't exist.

GJELTONJohn is calling from Austin, Texas with a question for you. John, go ahead, you're on the Diane Rehm show.

JOHNOh, great, thanks so much. Yeah, I'm very concerned that we're already, actually, in the middle of a cyber war. And I'm referencing here the packing into a wide -- a web security firm in the Netherlands, DigiNotar, a month or two ago that resulted in the theft of hundreds of bogus security certificates that could be used on websites around the world. It's pretty clear that this has -- that this was directly connected to the government of Iran.

BRENNERIran.

JOHNAnd -- yeah, that hundreds of thousands of internet users in that country have been spied on by the hackers who stole these certificates and that these hackers also fabricated certificates for websites belonging to Israel's intelligence service mossad, the CIA, Britain's Intelligence Service MI-6, etcetera, etcetera, AOL, Microsoft, Fox-IT and this is a happening thing. So what can be done on the international level to respond, to what seems to me, to be very clearly an open act of war?

GJELTONLet's put that question -- thanks John, let's put that question to Joel.

BRENNERA very good question it is. I want to address two things though. First, the fact that we're in a war. I don't think we're in a war. I think we are being attacked. War in American law and culture has some very, very clear meanings in which the President has enormous powers. And when you declare war, John, you have to declare war against somebody. No American President is going to declare I'm in a war and not act like he's in a war.

BRENNERNot just with cyber tools, but with -- also kinds of other, more traditional, military means. And you got to declare it against somebody in particular. Which brings me to my second point, I mean, tie off that first one. We are in a period in which there are significant cyber hostilities. I don't think we're in a war. I think -- and we need to be able to talk about this in a way that takes these attacks with -- and treats them with the gravity they deserve without ratcheting up, like we have our hair on fire, talk about "We're in a war," we're not in a war.

BRENNERThe second thing is, at -- talk about attribution. You say this pretty clearly, Iran, that did the DigiNotar episode. Probably, it was Iran but if one wanted to do that kind of hack and make it look like it was Iran, that also would've been possible. I think it probably was but it's hard to know.

GJELTONThat attribution problem is something that really complicates this whole cyber security field unlike other forms of warfare. With missile strikes, you know pretty much instantly where it's coming from. We don’t know that in the cyber field. Joel Brenner has been my guest today. His new book is "America the Vulnerable" Inside the New Threat Matrix of Digital Espionage, Crime and Warfare." Thanks so much for coming in Joel.

BRENNERPleasure.

GJELTONI'm Tom Gjelton, sitting in for Diane Rehm. Thanks for listening.

ANNOUNCER"The Diane Rehm Show" is produced by Sandra Pinkard, Nancy Robertson, Susan Nabors, Denise Couture, Monique Nazareth, Lisa Dunn and Nikki Jecks. The engineer is Andrew Chadwick, A.C. Valdez answers the phones. Visit drshow.org for audio archives, transcripts, podcasts and CD sales. Call 202-885-1200 for more information. Our e-mail address is drshow@wamu.org. And we're on Facebook and Twitter. This program comes to you from American University in Washington. This is NPR.