Director of National Intelligence James Clapper, left, speaks with Deputy Defense Secretary Robert Work, center, and Adm. Michael Rogers, commander of the U.S. Cyber Command prior to a Senate Armed Services Committee cybersecurity hearing on Sept. 29 on Capitol Hill.

Cybersecurity is an elusive goal: Breaches such as the theft of more than 4 million sensitive records from the U.S. Office of Personnel Management make news, but countless others go unreported. Security experts warn that many countries around the world are now engaged in a high-stakes digital arms race both to boost protection and to create offensive tools. But unlike the nuclear arms race, cyberweapons are much easier to come by: Cash and computers are the essential prerequisites. We discuss the threat of cyberattacks and what governments and businesses are doing to block them.

Guests

  • Damian Paletta, national security and intelligence reporter, The Wall Street Journal
  • Laura Galante, director, threat intelligence, FireEye cyber security consulting company
  • Andre McGregor, director of security, Tanium; former cyber special agent, FBI

Transcript

  • 10:06:53

    MS. DIANE REHM: Thanks for joining us. I'm Diane Rehm. Experts say digital arms stockpiles are growing. Many governments concerned about possible cyber attacks and wanting the means to launch their own are making big investments in code. Here to talk about the cyber arms race of today, Damian Paletta of The Wall Street Journal and two cyber security experts, Laura Galante, director of threat intelligence at FireEye and by phone from San Diego, Andre McGregor, director of security at Tanium.

  • 10:07:33

    MS. DIANE REHM: He's former cyber special agent with the FBI. I do invite you to be part of the program. Give us a call at 800-433-8850. Send an email to drshow@wamu.org. Follow us on Facebook or send us a tweet. Thank you all for joining us.

  • 10:07:56

    MR. DAMIAN PALETTA: Thank you so much.

  • 10:07:57

    MS. LAURA GALANTE: It's great to be here.

  • 10:07:57

    MR. ANDRE MCGREGOR: Thank you for having us.

  • 10:07:59

    REHM: I must say, Damian, after reading your piece in The Wall Street Journal out there, it would seem as though everybody's got access to some form of cyber whatever we want to call it.

  • 10:08:17

    PALETTA: That's right. Cyber weapons, cyber, you know, offensive technology. I think we spent several months investigating this because after the hack of the Office of Personnel Management in the government, after what we saw what happened at Sony Pictures Entertainment last year, there's a lot more concern about what nation states can do and...

  • 10:08:35

    REHM: So what nations do have it and how much do they have?

  • 10:08:40

    PALETTA: Well, it's amazing. Almost 30 countries have or are developing some sort of cyber weapon technology, some sort of ability to launch a cyber attack, to either steal information from another company, another country, or to actually launch some sort of destructive attack that destroys computers, might knock out, you know, an electrical grid, that sort of thing.

  • 10:09:02

    PALETTA: 30 countries. You'd think it might just be a handful, but it's really quite many.

  • 10:09:06

    REHM: But you're saying it's capable of knocking out an entire grid. It's capable of doing really mass destruction.

  • 10:09:17

    PALETTA: That's right. And one of the things that's interesting about this, in our story, we compared the nuclear arms race because that's the last time we saw countries racing to try to obtain technology. Obviously, that's, you know, cataclysmic research that could be used. But here is something that's -- it's much cheaper for countries to develop. It doesn't take, you know, I think Denmark is investing $10 million in their cyber program.

  • 10:09:42

    PALETTA: But $10 million can go a long way if you use it the right way. So we're talking about a lot of countries and they don't have to spend that much money.

  • 10:09:49

    REHM: Andre, which countries have the most sophisticated weaponry?

  • 10:09:56

    MCGREGOR: Well, I would say that the United States is still the strongest when it comes to cyber operations and we take that very seriously and we have some really good cyber warriors assigned to us. But when you're looking at our adversaries, you have to look back at the original motivations of spying, the original motivations of warfare and you look at countries like Russia. You look at countries like China, but then you have to be very concerned about state sponsors of terror when you're thinking about countries such as Iran and then going even further into ISIS where because we have a low barrier to entry to be able to hack, you have individuals that have a little skill set that are getting radicalized over the internet and being able to cause a lot of issues to Western interest.

  • 10:10:47

    REHM: So but what you're saying is that we really don't know which countries have what and how much?

  • 10:11:00

    MCGREGOR: Well, you have to think that every country is preparing for the battlefield, whether it's domestic or international. And so while we're focused on these top tier threats, at any point in time we have to keep up with the adversary and the other tools and the other motivations for wanting to cause either destruction, as Damian had mentioned, or to change some sort of political agenda that could be happening, such as Arab Spring.

  • 10:11:28

    REHM: Laura Galante, Damian mentioned the hack into the office of management and personnel. Are we still finding out details of what was discovered?

  • 10:11:46

    GALANTE: We are. The breach at OPM that went public earlier in the summer showed that we have groups that are interested in going after personally identifiable information, not just the research and development, the blueprints of a plane or even networks where they could cause a destructive effect. So with OPM, it really stands for a change where we're seeing an incident where a nation state went after key personal data.

  • 10:12:12

    GALANTE: And the other place where we've seen breaches over the last year and a half or so that mimicked what was taken at OPM were in the healthcare insurance industry and then also in travel. So using really rich -- finding really rich targets for PII, personally identifiable data is a trend that we've seen from this group over the last year and a half or so.

  • 10:12:33

    REHM: And what are they doing with that information?

  • 10:12:36

    GALANTE: That's the question, right? So if you're able to take that rich data source and cross reference it with other PII databases, right, that you're getting from other sources, that would put together a very nice targeting basis for a counterintelligence operation, another country to use to find the right targets to go after. But that's just one of many theories on why we think they might be collecting PII.

  • 10:13:01

    REHM: So in addition to collecting purely personal information for whatever uses, you're talking about the creation of possible war technology, Damian.

  • 10:13:19

    PALETTA: Absolutely. And when you, you know, when we use the phrase cyber weapon, it can be a little bit deceiving. People think of some sort of electronic bazooka. But a cyber weapon can be as simple as, like Laura was mentioning, let's say someone stole all our personal information, I get an email from Aunt Susie who wants me to open a link that has a picture of her dog Fluffy. So I open the link and voila, I just downloaded malware and infected the entire network of my company.

  • 10:13:43

    PALETTA: And then, we have, you know, a major problem, bank accounts are being, you know, pilfered through, that sort of thing. So it's very deceiving and that's one of the arts to this, as Andre and Laura knows, is that, you know, these things kind of sneak up on you and you're only kind of as strong as your weakest link in your family and your company and that sort of thing.

  • 10:14:00

    REHM: Laura.

  • 10:14:00

    GALANTE: One point that might be worth distinguishing here in the broad sense of what we consider a cyber weapon, is that traditionally, the Department of Defense and many others in the West have seen network attack of tools that are used to destroy a network as different and have a different effect than those tools that are used or those operations that take data from a corporate network or from people, right?

  • 10:14:28

    GALANTE: So network attack tools and then exploitation tools are seen in two different lights. And I think, over the last year, the administration has tried to really demarcate that point and whether it was the Sony attack -- and I'm using the word attack very specifically here, right? A network attack versus espionage, which is the OPM case.

  • 10:14:48

    REHM: Andre.

  • 10:14:49

    MCGREGOR: Which is why we have to go back and look at the ideology and the motivations because while we've put warfare in a box and said that, you know, our conventional warfare consists of an army that is, you know, responding to a specific attack, other countries are looking at it kind of like a special warfare where you're combining espionage diversion, possibly terrorism, putting that all together to be able to fight an unconventional war when they're unable or unwilling to fight a major war.

  • 10:15:21

    MCGREGOR: And by that, they've accepted a certain level of operational risks in terms of conducting a cyber attack that may be a little different than what was expected. So if you take the Sony attack, that would be, in my eyes, a special war because you're getting the country to be able to back off from what they wanted to do without actually ever sending troops or ever launching a missile or ever doing whatever we've described as conventional warfare that we've been very strong at in the United States for many years.

  • 10:15:52

    REHM: Damian.

  • 10:15:53

    PALETTA: This is really interesting and it's actually playing out on the 2016 presidential campaign. We've heard in the Republican debates so far, Carly Fiorina and Jeb Bush have both called for retaliatory cyber attacks from the U.S. government to China, specifically, for the attacks they've carried out. And there's a big debate within the Obama administration right now and the Pentagon about what should we do when we get attacked.

  • 10:16:16

    PALETTA: Do we need to launch a counter attack as deterrent to say, hey, if you do this, you know, you're going to regret it or do we worry about, you know, things escalating? If we counter attack, something even worse is going to happen.

  • 10:16:28

    REHM: Well, what happened when the president of China and President Obama met? Didn't they come to some kind of an agreement?

  • 10:16:39

    PALETTA: They did. It was very interesting. They both agreed that their governments would not steal commercial information. So information about specific companies. They wouldn't hack into companies and steal information and then turn around and essentially give that information to their own domestic companies to use for financial benefit...

  • 10:16:56

    REHM: Okay, but that's a limited agreement.

  • 10:16:58

    PALETTA: Absolutely. Right. And you'd have to be able to prove, essentially, that that information was used for commercial benefit and if a country violated that, then, you know, what's the repercussions? They didn't get into that.

  • 10:17:10

    REHM: But was there any agreement on refusal to take down infrastructure like the entire web?

  • 10:17:21

    GALANTE: There wasn't an agreement on that point, but I think that's because that's already, in a sense, an established norm, right? Saying that we will not attack a network unless you're in wartime is fairly implicit so norm-like statement or point that I think a lot of countries see right now. But what the Xi/Obama agreement of a few weeks ago did, was that it established a norm that economic espionage is off the table, right?

  • 10:17:47

    GALANTE: And we've been pressed, for the last two years, to make that differentiation between political espionage and economic espionage.

  • 10:17:54

    REHM: Laura Galante, she's director of threat intelligence for FireEye, a cyber security consulting company. When we come back, more information. Your calls, your email, stay with us.

  • 10:20:02

    REHM: And welcome back. In this hour, talking about cyber security, how cyber weaponry can be used and is being used by countries around the world. Here with me: Laura Galante, director for threat intelligence at FireEye, that's cyber security consulting company. Damian Paletta, national security and intelligence reporter for The Wall Street Journal. He wrote an extensive piece in yesterday's Wall Street Journal about this entire issue. And joining us from San Diego, Andre McGregor, director of security for Tanium. And he is a former cyber specialist agent for the FBI.

  • 10:21:02

    REHM: Here's a tweet from triangleman, who says, "how much weakness in infrastructure can be attributed to agencies like the National Security Agency having a split mission to both infiltrate and to protect?" Damian.

  • 10:21:27

    PALETTA: That's a great question. So the NSA, the director of the NSA is Navy Admiral Mike Rogers. And they're in charge of protecting the Pentagon's, you know, dot mil networks from intrusions, which they've done to some success but not -- they don't have a perfect track record. But they're also in charge of collecting information, as we all know from the Edward Snowden revelations of two years ago.

  • 10:21:50

    PALETTA: And they're building these, essentially, cyber warfare teams. Some of them are going to be staffed by the Army, Navy, Air Force and the Marines and their missions are a little bit unclear. But they're going to be cooperating with traditional warfare teams, so they're going to be essentially complementing, you know, troops on the ground as they conduct exercises in some sort of cyber warfare capacity.

  • 10:22:14

    REHM: Andre.

  • 10:22:15

    MCGREGOR: I want to say that the weaknesses that we're looking at are less attributed to any specific agency and more to the fact that we haven't really discussed the hard problem, which is, at the end of the day, we have old, outdated systems. And we want to look for that simple answer. That simple answer is something that I can put inline in my network that will make me whole again or the panacea to solve the problem, when in fact it's we have old applications, we have outdated software, we're not patching and updating computers as we should and we have poor password capabilities that, at the end of the day, it doesn't matter what we do.

  • 10:22:55

    MCGREGOR: All the intrusions that I've ever been to -- and I've been to hundreds of intrusions -- have all been very simplistic attacks. And when I look at it, people say, Oh, that was a sophisticated attack. And I say, Well, it was a sophisticated attacker throwing a brick through the jewelry store window. It doesn't take a lot of effort to -- so people talk about things like zero-day vulnerabilities, and most of the attacks outside of classified systems that I've been involved in have not involved any sophistication whatsoever. It's been that brick through the jewelry store window.

  • 10:23:25

    REHM: You know, it's interesting, President Obama has certainly talked a great deal about infrastructure. And we think of roads and bridges. But surely, cyber weaponry and all of our old, outdated systems here are part of that infrastructure, are they not, Laura?

  • 10:23:49

    GALANTE: Certainly. And I'd add the financial system to that as well, right? If there's any more critical piece to our economy, it's understanding what moves markets and what could be potentially debilitating. So understanding what is anomalous behavior in a network? What looks different? Is a key part of trying to see, are we breached, are we seeing some sort of activity that we need to figure out how to block and get out of the network?

  • 10:24:12

    REHM: Do we have any idea how much cyber attacks have cost us?

  • 10:24:21

    PALETTA: I haven't -- I'm sure there's been estimates and it's got to be in the tens or possibly hundreds of billions of dollars. I mean, we've seen, you know, companies brought to their knees. We've seen countries, like Ukraine, which was, you know, brought to its knees and it lost a lot of ground to, you know, Russian separatists because of successful cyber attacks. As Laura has pointed out, there's been a lot of cyber warfare in the Syria conflict. So, you know, it's one thing to steal information, bank accounts and stuff, but this stuff is actually being used in parts of the world in warfare.

  • 10:24:51

    REHM: Do we know how large our own budget is for cyber warfare, Andre?

  • 10:24:58

    MCGREGOR: I can't speak about the budget just because we have so many moving parts with that. I will say that we have a lot of resources that we're putting towards the cyber fight and it's still not doing it. I remember right before I left the FBI we had 1,200 cyber agents and that's for the entire world. So you have to think that with all the intrusions and all the hacks that are going on every day, we're losing some. We're not able to investigate them. It's like being able to -- calling 911 and no one actually picks up the phone. That's what we're dealing with right now.

  • 10:25:34

    REHM: And here's another tweet: America has been slipping in math and science academic standings long term. How much of a problem is this for cyber security, Laura?

  • 10:25:50

    GALANTE: We meet a lot of organizations, both in the U.S. and abroad, that are having a tough time hiring the right level of talent to arm their security operations center, commonly called SOCs.

  • 10:26:00

    REHM: And what do you mean, the right level?

  • 10:26:03

    GALANTE: People who have the experience to understand what network traffic looks like. It's that simple, right? So we're in a deficit of who you can find that has the talent. And I think a lot of the larger cyber security companies get that talent. But for the manufacturer in the middle of Pennsylvania, attracting the right 15 people for their security operations center to see that their intellectual property isn't going out the door tomorrow is really a challenge that a lot of companies are facing.

  • 10:26:28

    REHM: Damian, talk about the integration of cyber security into the military. What does that look like?

  • 10:26:39

    PALETTA: Sure. So, like I mentioned, the -- there's a division of the Pentagon that's headed by the same person who heads the NSA, Mike Rogers, and it's called Cyber Command. And, you know, it's not the most transparent part of the U.S. government for sure, but they have become a little more transparent recently, I think, because there's been so much focus on what the U.S. is going to do to respond to these cyber attacks. So they're creating 13 of these national mission teams. Nine of them have already been created. And the teams are going to have different focuses.

  • 10:27:08

    PALETTA: Now whether that focus is going to be on critical infrastructure like we talked about, either defending or attacking, or whether that's going to be a team that's focused on the Pacific region or a team that's focused on Russia, we're not really sure yet. But there's going to be specific teams that are going to be, you know, responsible for this sort of thing, with 60 people per team, you know, a lot of different capabilities. They're going to have both offensive and defensive missions.

  • 10:27:32

    REHM: Hmm.

  • 10:27:32

    PALETTA: And, you know, a lot of stuff they do we're not going to know about until possibly after it happens, if at all.

  • 10:27:37

    REHM: And that brings up a tweet we have from Philippe, who says: Are developing countries more likely to be on the offense or defense in the age of cyber warfare, Laura?

  • 10:27:55

    GALANTE: It's a good question because it underlies the inherent problem in cyber security, is that you're looking at an asymmetric weapon set. So five guys in a room can code a weapon that can have a mammoth effect, right? And Sony is a case like this, right, where we probably were looking at an actor that didn't have a whole lot of traditional capability, in the sense of, we weren't thinking of North Korea as the place to, you know, look for massive capability, yet the effect they had was mammoth, right? So are other countries that don't have large, you know, well-funded military, is going to see cyber as a way to get on footing that they would need to compete on the world stage, I would certainly say so.

  • 10:28:37

    REHM: How do you answer that, Andre?

  • 10:28:40

    MCGREGOR: You can look at a country like Iran where, in 2009, we were plagued with them doing Web defacement, which is a very simple attack on a website where they would put the Iranian flag or a burning American flag, say death to America. And then, over the years, we watched them grow as an adversary where they taught themselves how to hack better. And in 2012, you had the DDoSing attack where, at first, when I was investigating that case, I said it was more of a nuisance, it's more of a bee sting, but then realizing that you're taking down entire companies based off of a very simple attack. And now you've got an adversary where they've created hacker tools that are actually used in the wild by hackers.

  • 10:29:21

    REHM: Hmm.

  • 10:29:21

    MCGREGOR: And they're creating software that's being used on the open market. So you've watched over six years, where an entire country went from an attack where no one gave them any credit to actually being the third-top country threat against Western interests.

  • 10:29:35

    REHM: Andre, you said you were investigating. Where is the law on all of this? How does it function?

  • 10:29:45

    MCGREGOR: The law is very antiquated when it comes to cyber-threats. I remember, at one point, I was investigating a case for a theft of trade secrets and I was talking to a judge -- it was an individual at the Federal Reserve Bank that stole the code to the accounting software, which prints all of our checks -- and I explained to the judge what happened. And he said, Well, that wasn't theft. According to the law, it -- the item is still there. So it was just a copy of the code. So unless you can prove that the code was actually used to make money that later caused harm to the United States, that -- there was no theft.

  • 10:30:22

    MCGREGOR: So when you think about that, the laws are created that, Hey, you owned something. I took it away from you. You don't have it anymore. When we were looking at that source code, I'm just making a copy of it. So unless I can prove that I stole Adobe's source code and then moved it to another company and created Bob's Company and stole -- took profit from them, that's where the law has not caught up with cybercrime.

  • 10:30:43

    REHM: Yeah. And it does sound as though the law is trailing way behind, Laura.

  • 10:30:49

    GALANTE: Jurisdiction is the other problem, right? When this is perpetrated in China or wherever it may be, trying to indict and actually, you know, get a prosecution on this is really tough, right? But one thing where we have had some success is in sanctions, or at least they've been put on the table, right? So before the Xi-Obama agreement a few weeks ago, it was heavily leaked that there were potential sanction on the table against China, should economic espionage continue.

  • 10:31:17

    PALETTA: And one of the interesting things about that Xi-Obama discussion and also it highlights how difficult this is in terms of attributing who's behind an attack. Both, you know, the President of the United States and the President of China said, you know, We agree to not do such-and-such. But, by the way, we don't do it anyway, so -- and you can't prove it, so, you know, even though people argue that they can prove it. But it -- there's a deniability.

  • 10:31:40

    PALETTA: And another thing you mentioned earlier about -- or someone tweeted about which countries are getting into this. In our investigation, we found that obviously it's the top-tier countries -- U.S., China, U.K., Russia. But there's also a similarity -- a lot of the countries around Russia and the countries around China are getting into this as well, because they feel like they have to, right? If they don't build some sort of cyber program, they're going to get run over, bullied by the big country that's in their neighborhood.

  • 10:32:05

    REHM: How much do we know about Russia's cyber capabilities?

  • 10:32:11

    PALETTA: It's a great question. Russia is considered to be one of the most advanced, one of the most sophisticated, one of the best in terms of, you know, getting in and stealing information specifically. And they also, as I mentioned, have participated, have used cyber weapons in, you know, to facilitate and to complement warfare in places like Ukraine. And they've also done it disruptively in Estonia. One of the tricks about Russia, though, is it can be difficult, when they launch an attack or when Russian hackers launch an attack, to determine if it was the Russian government that was behind or if it was just kind of Russian gangsters who were doing things, you know, that benefit the Russian government.

  • 10:32:48

    GALANTE: Russia's had an environment of benign neglect. So allowing cyber activity to continue without state sanctioning or without direct state sanctioning has been happening for quite some time. But when you look to official document on this and official doctrine, you see that the Russians, since 2010, have put cyber operations -- they call it information warfare -- into their doctrine. So saying, We will use information warfare -- and cyber being part of that -- to predispose world opinion to the Russian use of force. And you saw that in Ukraine very early in the conflict. And they see this as one piece of a master strategy to get at their aims.

  • 10:33:29

    REHM: And you're listening to "The Diane Rehm Show." We've got callers. Let's go to the phones. First, to, let's see, Oklahoma City. Charles, you're on the air.

  • 10:33:46

    CHARLES: Hello, Diane. Thank you for taking my call.

  • 10:33:47

    REHM: Surely.

  • 10:33:49

    CHARLES: I have a question about the merger, basically, between science fiction and science fact in the terms of cyber security and cyber warfare. Specifically, the concept that has been written about for decades in science fiction in (word?) called ICE, I-C-E, which stands for intrusion countermeasure electronics. Basically, it's like an automated counterattack that would, for instance, when it detects a cyber intrusion, would piggyback along that signal and in some way disable or compromise the attacking computer system as a way to stop that attack and cause deterrence. I was curious if there was anything that was happening along that lines or is in the near future for current technology.

  • 10:34:41

    REHM: Andre.

  • 10:34:42

    MCGREGOR: I mean, we have a lot of warfare tools at our disposal. And I think the problem that we run across is that we still don't have the basic foundation for simple protections. So being able to -- for a company, or being able for -- to protect against any cyber attack, we have to have good cyber hygiene to even have a baseline for being able to detect something like that.

  • 10:35:10

    REHM: All right. Let's go now to Pipe Creek, Texas. You're on the air, Roger.

  • 10:35:19

    ROGER: Hi.

  • 10:35:19

    REHM: Hi.

  • 10:35:19

    ROGER: A lot of the discussions have been around the concept of a broadside attack on infrastructure by a cyber threat. But I think a much more insidious threat and more subtle is displayed by the Ashley Madison break-in account, of people that had online affair accounts. The idea of a foreign body being able to get intimate information about your life and then using it against you, unless you do some sort of insidious act in their name. And essentially, you almost instantly turn American citizens into home-grown terrorists, at the remote control of a foreign body. And I have to believe that this, in many ways, could be far more detrimental and widespread than a broadside attack against a larger infrastructure.

  • 10:36:08

    REHM: Damian.

  • 10:36:09

    PALETTA: That's an interesting point and that was one of the concerns about the Office of Personnel Management theft. So you have -- in the OPM breach, you have more than 20 million Americans who either worked for the government or went through a background check. And they filled out this huge, you know, voluminous form that includes everything from their mental health history to their, you know, financial records, all sorts of details like that. Now, obviously, someone could use your mental health history to try to blackmail you, right? And if -- I'm going to reveal this if you don't go spy on X, Y, or Z. And so I know that's one of the big concerns and they've been paying a lot of attention -- the counterintelligence folks in the U.S. government -- to how to mitigate that.

  • 10:36:49

    REHM: Andre.

  • 10:36:50

    MCGREGOR: I think you have to look at it like the hostage crisis back in the '70s, where you were taking people and kidnapping them, and that's what we're doing now. We're able to take a -- get a stranglehold of your data, whether it's encrypting through Cryptolocker or some sort of ransomware -- or there was one case where there was a hospital in California where the attackers took over their Voice Over IP system and said, You're going to pay us $30,000 or we're going to shut down your hospital. And they didn't pay and they shut down the hospital and had no ER services for the entire time till they paid the ransom.

  • 10:37:26

    REHM: Andre McGregor, director of security for Tanium. Short break. We'll be right back.

  • 10:40:03

    REHM: Welcome back. We're talking about cyber security, the network of nations who now have the ability to attack, as well as to defend. But Allen in Indianapolis wants to know, where does our responsibility fall in escalating this new war. Didn't the Iranians step up their activity after we attacked them with Stuxnet, Laura?

  • 10:40:37

    GALANTE: Stuxnet does mark the first very public admission that the U.S. and Department of Defense officials confirmed that it was a U.S. operation against Iran. And that certainly was looked as the kickoff to other nation-states getting into the game. The other, the other pivotal moment is Cyber Command. When the Department of Defense stood up Cyber Command and acknowledged that cyberspace was a war-fighting domain in the same sense that the air is and the water is, this gave other militaries the impetus to say, well, I'm going to be cyber-spending on my budget, as well, and figure out how to have that capability.

  • 10:41:16

    REHM: And we just don't know how large our cyber-spending is.

  • 10:41:18

    PALETTA: No, I mean, part of it is -- you know, it's part of the classified budget and also because I think as Andre mentioned, it's kind of mixed in with the Air Force budget and other agencies, the NSA's budget, the CIA's budget. The Department of Homeland Security spends a lot of money on this, as well, and the FBI spends a lot of money investigating cybercrime. So it's, you know, very comprehensive.

  • 10:41:39

    REHM: And here's a question from Arch in Fort Lauderdale, Florida, a question I think lots of people wonder about. Andre, I'll send this off to you. Is the general public truthfully informed in all instance when cybercrime occurs, or are we just told there are computer glitches, such as with recent airline system shutdowns?

  • 10:42:11

    MCGREGORThat is a very good question, and so my -- my many years of working critical infrastructure cyber in New York, my biggest concern, and I think this is a concern that I can say for the entire United States government, is that you have an attack on a system like that. How do I discern that it was a cyber attack, or was it mechanical failure, or was it human error? Well, I don't know because I don't have the time to deal with trying to figure out whether or not it's one of the three. I have to get systems up and going again.

  • 10:42:38

    MCGREGORWhen we want to determine if it's a cyber attack, unfortunately many times we're going to have to wait until the adversary says, hey, I did something. When you want to take down a system like that, you want -- it's going to be in a terroristic fashion, and they want the credit. So we're going to either have that intelligence beforehand to say that it was an attack, or the adversary is going to openly say that I attacked that system. Otherwise many times it is human error, or it is mechanical failure that caused something like the glitches with the airlines.

  • 10:43:07

    REHMLaura?

  • 10:43:08

    GALANTEOn the other hand, we do see a lot of breaches where the company is very well-informed that they've had a breach, right, whether they're hearing it from law enforcement or from their own network security.

  • 10:43:19

    REHMBut they're not saying such.

  • 10:43:20

    GALANTEBut they're not disclosing it, right. And disclosure is a big topic of this time, and the question is what sort of disclosure bar is needed, or what sort of materiality of the breach is needed before you need to disclose. And the SEC has put out a note a few years ago now, saying that if you suffer a material breach, you need to disclose it. But what that bar is is very much the kind of unlitigated question to this point. And we haven't seen that many disclosures compared to how many breaches we've been investigating over the last few years.

  • 10:43:52

    REHMYou know, we've been talking about cyber-hacking globally, but what about the individual we heard about on network radio, including NPR, the guy who had something like $500,000-plus taken from his bank account, and the bank said they were not responsible because it wasn't insured in a certain way. How much of that are we likely to see?

  • 10:44:29

    MCGREGORI'll speak to that just real quickly, that cyber-fraud is one of those areas where we need to spend more time on it, but again with the inundation of computer intrusions, we just can't. So when you're looking at those specific cyber-fraud cases, you go back to the Nigerian prince scams and the lottery and eBay and non-delivery of goods, and a lot of that surprisingly still goes back to Nigeria. And I remember at one point I actually contacted the Nigerian government and said, hey, we've identified somebody in your country to -- that is conducting this, can you arrest them. And they said, well, we have Boko Haram killing people. We don't have the resources to be able to go after that. So unless you want to send someone over to arrest them yourself, we are not able to combat this.

  • 10:45:17

    MCGREGORAnd so that's what you have to think about is there's a lot of other crimes that are going on that these countries are dealing with that are beyond cyber-fraud.

  • 10:45:25

    REHMAll right, do you want to add to that?

  • 10:45:27

    PALETTAWell, I was just going to say you know, last week I got an envelope in the mail from my bank with a new ATM card, saying there's been an incident, and here's your new card. And it didn't say what happened or how it might affect me or any details like that. And I know there's this big fight in Washington between the Chamber of Commerce and others about what should be required in terms of disclosure.

  • 10:45:45

    PALETTAYou know, should a company be required to notify you within 30 days that your information might have been stolen, was stolen? Should they have more time? Should they be able to figure things out? Should they work with the FBI for several months first to try to get to the bottom of it? This stuff is happening so much faster than the law can keep up with it, and I think we're just going to have to deal with that for the foreseeable future.

  • 10:46:08

    REHMLet's go to Julie in Hillsdale, Michigan. You're on the air.

  • 10:46:11

    JULIEThank you, Diane, I love your show.

  • 10:46:14

    REHMThank you.

  • 10:46:14

    JULIEI'm one of the 5.2 million OPM people that were hacked in the federal government. I was with banking, the FDIC, and I left them 18 years ago. And all they did was send us a letter this past June and said, well, we're going to monitor you for a year and a half. And basically they're not sure what they're going to do with us. And I'm also in the group that a couple weeks ago, when the premier was here, or the president from China, my fingerprints were stolen, as well, and by the people that are now hired by the government to monitor those of us that have been totally hacked, where they know everything about me for the first 43 years of my life, including my fingerprints.

  • 10:46:58

    JULIEThey just basically said, well, we can't help you. You just, you know, in a year and a half we're going to -- they're done monitoring you.

  • 10:47:05

    REHMSure. Yeah.

  • 10:47:09

    JULIEAnd we're just kind of left out in the open, and it's kind of too bad. And we -- they told us nothing, just a letter that came and said you have to go through this site and sign up and stuff, and...

  • 10:47:17

    REHMNow Andre, what recourse does she have?

  • 10:47:21

    MCGREGORI mean, I struggle with the same problem. I lost my SF86, and I tell people that, you know, acknowledge -- that we acknowledge that China did this. They're not trying to open a mortgage or a credit card in my name. So when we're -- this is kind of that turning moment, that pivotal moment that we, as the everyday, average citizen, yourself included, says, what is happening behind the scenes for the cyber security protection of my data.

  • 10:47:48

    MCGREGORSo we press submit when we register our car, but what happens afterwards? Are we asking those questions as citizens and saying hey, I want to know what type of cyber security protections you have in place because once it's gone, whether it's your IRS data, your Ashley Madison data, the OPM SF86 data, you can't get that back. There's no new credit card. There's no credit protection that can do that. We have to be serious about cyber security today as citizens, not just leave it to the corporations.

  • 10:48:15

    PALETTAWell, so let's say if Andre, you know, Andre had worked at the FBI, let's say instead of working at Tanium now, he's working for the CIA undercover, and, you know, a foreign government has his fingerprint information, I mean that could be very -- you know, he has a new identity and everything, but he has the same fingerprints. And if it's -- you know, and they might have to send him back to the U.S. because that could be very compromising, very dangerous if a foreign government has the fingerprint information of five million Americans, which it sounds like they do.

  • 10:48:42

    REHMHere's another question. On what basis do you assert the grid can be taken down? Is the claim that Aurora and Stuxnet support that assertion?

  • 10:48:58

    MCGREGORI can say it's very refreshing, having learned a lot about power generation and transmission and distribution to say that it is not very easy to take down the grid. Now it would be a systemic attack that cascades itself very similar to the brownouts that we had in New York City in order to do that, and even then we've put some resiliency in. So when we're looking at the grid, when we're looking at our natural gas pipeline, there's a lot of protections in place right now, because there's still a lot of human interaction with those systems, but at some point in time soon, we're going to start removing those humans and having RTUs or remote terminal units being monitored from a central station, and that's when we're going to need to be more concerned.

  • 10:49:43

    REHMHere's an email from Sara, who says, not a day goes by that we don’t hear some ghastly new disclosure of hacked personal information. My husband and I just received notification from our brokerage admitting to a recent cyber security breach. The notice encouraged us to enroll in identity theft protection and to take other steps, but the cynical part of me doesn't even want to further disseminate my personal information to protection services for fear of the exact same nonsense recurring. What do you recommend for personal cyber security in light of these daily disclosures, Laura?

  • 10:50:39

    GALANTEIt might sound simple, but watching your own transactions, right. Are you closely monitoring what's happening on your credit card, right? You can either turn that over to the protection agencies, which is what the caller is referring to, or the emailer is referring to, but be on top of your own understanding of what's happened to your own profile online and not...

  • 10:51:00

    REHMTo your bank account.

  • 10:51:00

    GALANTEYour bank account.

  • 10:51:02

    REHMYour credit card account.

  • 10:51:04

    GALANTEYour email. Is something funny? Are you getting a spear-phishing email? Are you getting an email that seems too good to be true? Don't click it. Right? These are the basic protections that people have to take. Would you put something online that you wouldn't say in the real world? Think twice.

  • 10:51:19

    REHMWould you do something that you wouldn't want to see on the front page of the New York Times, the Wall Street Journal or the Washington Post? And let's take a caller from Brunswick, Maryland. Hi Perry, you're on the air.

  • 10:51:37

    PERRYHi Diane, thanks for taking my call.

  • 10:51:39

    REHMSure.

  • 10:51:40

    PERRYI'll be very brief because I know we're ending. This -- I have never been in IT, but I've always -- it's always seemed to me that these simple fixes, current software, current hardware, better laws, they've just been around for years. I was involved in the Y2K run-up, and there was a lot of derision in the IT community about the importance of making necessary changes. And so it just seems to me nothing has changed, and I just -- I'm just completely confused as a taxpayer and as a person who's seen this over the years and knowing how secure my computers are, how I use a separate, non-administrative profile for everything I do on the Internet.

  • 10:52:26

    PERRYThese are simple things, and why the IT people, who are paid lots of money, can't get this right and why our Congress can't get this right is just totally confusing to me, thank you.

  • 10:52:37

    REHMVery frustrated.

  • 10:52:37

    PALETTAYeah, I mean, it's hard, too, because we're -- we're a society of technology, and we're a society of convenience, and we want to pay our bills online, and we want to, you know, have our iPhone on public Wi-Fi, you know, at the public square, and then something happens, and you think, well, what did I do wrong?

  • 10:52:55

    REHMHow did they do this?

  • 10:52:56

    PALETTARight, I mean, we all have to take a little bit of personal responsibility, too. You know, your password can't be password. I think President Obama said at Stanford earlier this year that his password had been 123457. I mean, when you have to -- you have to kind of take it up a notch in your own personal behavior.

  • 10:53:12

    REHMAnd you're listening to the Diane Rehm Show. Let's go to Larissa in Washington, D.C. Hi there.

  • 10:53:22

    LARISSAHi Diane, and the guests. My question is, since it's a global issue, I wonder if the United States does the same thing to other countries. Spying, after all, is all over.

  • 10:53:40

    PALETTAOh yeah, I mean, this country has a proud history of spying, and I think that, you know, there's been public admissions on the Hill from the heads of our intelligence agencies that we are in this business, and we take great pride in it. And I think James Clapper, the director of national intelligence, said that our cyber-spies are very capable. The question is, you know, where are the lines. And I think one of the things we've -- public discussions we've had since Edward Snowden is, you know, there needs to be some limits, there needs to be some boundaries that our spies won't cross.

  • 10:54:10

    PALETTANow whether that's domestic intelligence collection, whether that's spying on Angela Merkel's cell phone, there's going to be some things that are going to be secret, and there's going to be some things that are public lines in the sand that we won't cross. The question is, you know, when we have a different administration, or if we're in a time of war, you know, do we need to sort of push those boundaries. Good question.

  • 10:54:25

    REHMAndre?

  • 10:54:26

    MCGREGORSpying is very much a gentleman's game. It's spy versus spy. There are rules that have been acknowledged over the years. And what's happened is it becomes so blurred, exactly what Damian has said, where I'm collecting intelligence to support the national security of my country, and no one is going to ever say that you shouldn't do that.

  • 10:54:49

    MCGREGORBut then when you start to blur that line and provide a competitive advantage to private industries inside your country using that same intelligence, that's where it's no longer a gentleman game, and the spy versus spy is out the window. And you're starting to see with the agreements between China and the U.S. where we're trying to rein that in and go back to that, but you're going to start seeing more countries come out of the woodwork that have that simple capability to hack, to leverage cyber-tools to get intelligence that they could never have ever gotten before until today.

  • 10:55:23

    GALANTEOne of the -- one of the key points, though, is that national security is in the eye of the beholder. If your national security is your economic security, what right do you have to defend that, right? So that's not something that China's typically used in defense of the economic espionage that they've been accused of perpetrating, but states definitely see this as an additional modality to try to get at the most targeted and coveted information that they can get.

  • 10:55:49

    REHMFinally, what are the new stakes, Damian? Are we headed toward a new world war in cyber?

  • 10:55:59

    PALETTAI think it's very scary, but I think this is a new normal. I mean, this is -- there's not going to be a cyber-disarmament. These are parts of the intelligence and militaries of dozens of countries to stay because it's cheap, because it's very effective and because, quite frankly, if you want to defend yourself, and you want to participate on the world stage, you have to have these kinds of capabilities. Otherwise you're just going to kind of get bullied or pushed around by countries that do.

  • 10:56:26

    REHMDamian Paletta, national security and intelligence reporter for The Wall Street Journal, Laura Galante, director for threat intelligence at FireEye, Andre McGregor, director of security for Tanium. We'll all be watching very closely. Thank you so much.

  • 10:56:51

    PALETTAThanks, Diane.

  • 10:56:51

    GALANTEThank you.

  • 10:56:52

    MCGREGORThank you.

  • 10:56:52

    REHMAnd thanks for listening, all. I'm Diane Rehm.
