TV Book Discussion on Cyberphobia, CSPAN, February 21, 2016, 4:30pm-5:31pm EST
digital signature. People print out a document, sign it with a wet signature, then make a PDF and e-mail it back. This is somehow supposed to be secure. I simply don't understand this. In most countries, identity and access are hopelessly conflated. So if you want to rent a microphone system, the sort of thing I'm talking on now, and you want to rent that in Great Britain, you hand over your address, your date of birth and a copy of your driving licence or passport. That is enough information to open a bank account. Just to rent a radio microphone system. This is crazy. We're handing out our immutable personal data. You will never get another mother's maiden name. If you hand that stuff over and it's copied, you're in serious trouble. Much better to have this cryptographically based identity, and
I'm not saying the Estonian system is the one that wins, because the Singaporeans have -- they flew a big delegation into Estonia and said, we want to do this for all of East Asia. People are often quite unwilling to trust their own government, but if you say this is a service provided by another government, you can use it or not use it, an opt-in [inaudible] people -- they have issued 10,000 of these. You can pick one up at the Estonian embassy just down the road for $40 or some small amount. I think this solves one of the fundamental problems on the internet, which is proving who we are, because civilization is based on the trust for interaction between people who don't know each other very well. And we use all five of our senses and all sorts of learned responses and other cues and safeguards, which means we can do this to each other face-to-face
and also by letters, and -- but we don't have a way of doing that on the internet. I can't prove who I am on the internet. You can't prove it's me. We can't get together and prove that someone else is who they say they are. This is one of the biggest vulnerabilities we have. The sort of systems I'm describing can solve that. Go to Estonia. >> You mentioned at least three different aspects of cyberphobia. One is criminals draining accounts of all kinds. The second, we'll say, is perhaps intelligence, getting the OPM data for whoever's own purposes, probably not for financial gain unless they sell it. Third -- to use an example -- Stuxnet, an offensive use of this. Are we looking at different
actors, for instance states in some cases versus criminal individuals and others -- in other words, are these very separate enterprises we can separate? Should they be seen as one? >> The easiest way to look at this is to say some things only governments can do. High-end national intelligence services have got amazing capabilities, for example in using bulk data. You can be for it or against it, but that's only something a government can do. Getting stuff into firmware, into a keyboard, and finding everything typed on the keyboard and getting that back to some command and control server in a secure way. Getting data on screens. Hacks of mobile devices. These are pretty sophisticated capabilities, and you can buy some bits of them on the internet.
You can buy very simple malware which you can send in a text message. There's a lot of stuff only governments can do. Expensive -- buying expensive vulnerabilities, holes in software and hardware that no one else knows about. The good ones are expensive, and it's a matter of budget. You put those capabilities together and you get something like Stuxnet, which really only a government could have done. The American government boasted about it, so it's no longer really secret. Before we get to that, too. But that is the kind of -- I think this is the least of the worries of ordinary people. I guess everybody here has seen "The Bourne Identity," but they're not documentaries. I'm not Jason Bourne. No one in this room is Jason Bourne. We're
being attacked in a simpler way. I think, leaving aside the high-end stuff, so many of the vulnerabilities are over -- if I want to get onto the network, I want to get on a -- I want to find out how you do your invoicing, I want to steal some data, get in and change my grades, all sorts of reasons to get on the network. They'll go to LinkedIn, find someone who has lots of -- find out who they worked with in the past, a Gmail address, and say, I found these pics, take a look. And then they click on it, nothing opens, they forget about it, and it is a very basic spear
phishing attack. Links and attachments can be used by any one of the threat actors. I think the OPM hack started with someone with a targeted spear phishing attack, and then got on the network, and once you're on the network you may need tools to try to get control, root, over the network, but there's this very big lump of simple vulnerability which everybody has. >> Let's go to the audience. We have a microphone -- if you just raise your hand until the microphone gets to you. Emily, go ahead. Just introduce yourself before you ask the question. >> Thank you very much, Mr. Lucas, for doing this. I am Marcus Picker. I work for German national public radio here in Washington. What I'm concerned about, even more than the technical aspect
of all those things, is the fact that the American government employed someone who didn't even have a college degree, got him into the most sensitive government systems, and he could manage to get all those things out and get away with it. Until now, at least. So, how do you think governments or societies can protect themselves from those kinds of breaches? The regular thing where people actually steal something. >> Yeah. Well, it's a great question. You didn't actually mention the name Edward Snowden. It could have been some other hacker as well. There's been -- government likes to beat up industry over security. And they're right to do it. It's scandalous we don't share information better between
different companies in the same industry and across industries. We need to do a much better job of protecting the data that is entrusted to us as companies, whether it's the data of our employees or suppliers or customers or anybody else, and I think there should be serious penalties for people who are careless and reckless, and there should be civil and criminal liability. But if you want to see a really badly designed network, you're more likely to find it in the public sector than in the private sector. It's absolutely terrifying: badly protected, out of date systems, badly administered by demoralized people. This stuff is happening again and again and again, and at one -- I think one can make several points. One is that I think this is a very good reason why we should not support any government mandates or attempts to weaken encryption. If there's going to be
government-mandated back doors in commercially provided encryption, that will be a fantastic target for criminals, and I have zero confidence those -- it's as if everybody in the country has to give a front door key to the government to make sure there's no front door key in their front door that the government can't open, and that all these front door keys, neatly labeled, kept at the local police station -- don't have to be -- that could be interesting for criminals. We should have very modest expectations of government's ability to keep our data secret, and we should be much tougher about what we share with governments. Going back to Estonia. There's no single point of vulnerability. They have a federation of databases connected with something called the X-Road, which works on a very simple but robust challenge and response
system. So it will be really hard -- not impossible, because nothing is impossible -- something like the OPM hack would be really difficult to do. You need the cooperation of lots of people, simultaneously, at different points. And the final point I'd make is, why do we keep all this stuff in electronic databases anyway? If you look at films -- a John le Carré novel. Now, these days you would probably hack in. There, you have to physically get into the registry, you have to distract the person who is there to stop you copying files. You have to get access to a file, logged in and logged out. Who looks at it, for how long. If you want to steal all the documents in the registry, you have to attack with a major military force and then take the
stuff away in trucks, and the OPM is like that. Only 20-30 years ago the Chinese would have needed trucks to take the stuff out of the OPM. Now you can do it on a USB stick. So one of the big lessons: ask yourself, why are you keeping this stuff? You have convenience. Absolutely. Is that worth the vulnerability? One of the best stories I've come across this year is the blooming -- intelligence agencies are buying manual -- because you can -- there's a saying I've heard from some cybersecurity guy: you can't hack a steam engine. No electronics, nothing to hack. Steam engines would actually survive a Carrington event in a way no other form of transport would. So we have to be quite prudent about moving away from things
that can't be hacked and are very resilient towards things that seem convenient but are actually vulnerable. >> Thank you, Mr. Lucas. I study energy and environment here, but before I used to work for a Korean government agency doing cybersecurity. I think the recent international political environment has kind of come to the state that international norms are important in cyberspace, but hearing from your example in Estonia and other East Asian -- I feel it's not only the states that have different perceptions of cyberspace, but also the people of each state have different values and different cultural norms that they expect from cyberspace. So I kind of want to hear what you think about: is it even necessary to build international norms? Is it even plausible, or is it
more practical -- does it make more sense when we have more efforts that are done domestically, within national boundaries? >> It's a great question. I think we are developing -- we're beginning to develop norms in the way we use social media. I was looking at some e-mails I had been sending and receiving about ten, 15 years ago. And I noticed a lot of people used capital letters to show they were angry, and that's become socially unacceptable now. We have laws -- there's a sort of way we interact by e-mail. People sent long e-mails in the old days. Now it's rude to send long e-mails if you expect people to read them. So I think that the --
there's a -- if you look at shipping, which is the first really sort of global industry, we slowly developed in the maritime world -- we have enormous -- about emergencies. The duty of seafarers to pick up others in distress. They will pick you up. We developed ways of messaging; in the days before electronic messages we had flags put up saying I'm in quarantine. We dealt with ports. We have the [inaudible] and the pirates, and America's first overseas military engagement was going after pirates endangering American shipping. So this stuff builds up on a case-by-case basis. The fundamental problem is that the internet is a means for doing other things, and the norms about those other things vary widely. So you can quite easily get the
banks of the world getting together saying, we're going to have very tough rules about preventing people cashing out the proceeds of cybercrime. The classic cybercrime: you get into someone's internet banking, you get them to do something stupid, and then you steal that money. That money doesn't appear in your pocket magically. You transfer it to another bank and another bank, and at each point you're doing the transfer there's a point of vulnerability. Someone had to open that account. Maybe you hijacked another account, going from one hijacked account to another, but at some point a physical person went into a bank and opened the account. So we could quite easily imagine a lot of reputable banks saying, we're going to set norms for transfers that make it much easier to trace stolen money as it hops from country to country and account to account, and if you don't play by our rules we may stop transferring money to you. And you have reputable banks around the world saying we
want to play. We want to be in on that. I can see that happening. What is much harder is things like the use of information, because if you look at the -- there's been a big push in Russia and China to bring the internet under the control of the U.N. agency for international telecommunications, the body that sets dialing codes and the rules for the telephones. And that makes sense. Why not have a U.N. agency in charge? It might well work better than the -- these things we have at the moment. But the problem is, one thing that Russia and China want to deal with is what they call information weapons. That's what we call news. We're not going to reach consensus on that, because they think it's part of national sovereignty on the internet: the government should be able to control what information goes in and out. We say, no, that is totally unacceptable. But by the way, can you help us
with child pornography. It is totally unacceptable. So countries have radically different ideas of what is acceptable. What one country says is terrorism -- you can have a global ban on terrorism, we won't have terrorism on the internet, and then the Chinese government says you have extremists on your server, take it down. What's going to happen? I think we have to be very, very modest in our expectations. Where there's a clear common interest, as there has been in shipping, we'll make some progress. Where there's no common interest, I think we just have to accept what is going to happen. >> I'm a student in finance. I want to follow up on the previous question regarding the -- preventing cybersecurity
and I meant to ask if you're familiar with the information sharing act -- >> Absolutely. >> -- in Congress. So there's a proposal -- backed by most financial institutions and also many other businesses in America, and I just want to hear your comments on how likely it is to be passed, and why the technology companies are -- they kind of oppose the Cybersecurity Information Sharing Act. >> This -- we call it the category of really boring and really exciting. Most people have no idea about this. Once you get into this issue, it's very important. It's been five years it's been sitting there, bouncing around in the Senate and House, with different versions of the bill and amendments and so on, and it's now got some momentum, and it's in this process, which I know works brilliantly well,
where people put aside their party differences and concentrate on something that is actually going to work. So, sorting out details. It does help -- I was talking to IBM. They really support this. There's a lot of -- obviously not everybody is happy with it, but there seems to be pretty broad consensus across industry that people want it. For example, people are worried about the antitrust side. You get every major company in an industry together and the first thing they say is, can we all be here? We don't want to go to jail. And if you're talking about stuff that could be seen as problematic from an antitrust point of view, you want to have bulletproof legal protection on that. Probably overstated, and companies love to say we can't do this for antitrust reasons, but it gives some security on that. I think we have already got quite a lot of information
sharing, but I want to see mandatory breach reporting. I think if somebody had Legionnaires' disease, they would not say, we won't say anything because it could cause our students to panic and some might sue us. They would say, who do we have to tell? Because the disease is a public health menace. We need to take the same attitude to -- we need really good ways of identifying malware, which we don't really have, because sometimes the taxonomy is the code and sometimes it's what it actually did, and so I think trying to -- there's a kind of action problem there. It's worth trying to make everybody report malware the same way. I think we'll see it from the kind of -- the other problem is that it's always going to be in the
interests of individual companies to keep quiet about an attack, because they don't want their shareholders to see, but if everybody is doing it then you can be brave together. So I think pushing that. Again, I'm not sure legislation is absolutely necessary. I think maybe you can do it more on a voluntary basis. So I'm kind of agnostic, but glad to see it's had some legislative attention. This comes after five years of basically nothing. >> Hi. I've been in the security industry for a while. My question is your thoughts on the role of the private sector, particularly security companies with threat intel teams that expose cyber operations and point fingers, do attributions. In my experience there is a divide
within the community on the appropriateness of that, and the effectiveness of that. Often with these campaigns you can share indicators and point fingers, but it really only causes a tactical disruption rather than some sort of strategic change, in my opinion. So I'd be curious about your thoughts on the ethics of private companies doing attribution and exposing indicators, and if you think in the long term this will do anything, or if they're glorified marketing fodder. >> Glorified marketing fodder. It's in the interest of the companies to show they can do stuff. The challenge -- there's an amazing amount of cybersecurity product and service which is basically useless, and is bought by people who don't understand the problems. They need to do something, and say this has a big company's name on it and I've bought this
company's services. Will it actually defend you? Very likely not. I'm not a big sort of booster for the cybersecurity industry. And they are, like any company -- they will sort of talk up what they do. But the real question is, how do we raise the cost of doing business in the criminal economy? And I think many people have a role there, because if you're on the other side of the world and you go by an alias, you're in chat rooms and you buy and sell malware, maybe develop it, you're making quite a bit of money. It comes in Bitcoin. And suddenly you are linked and known, and you can never go to a civilized country, the European Union, any G-20 country -- you will kind of think maybe this is not such a smart idea, and we can
start building up profiles of people and scaring them. I think the -- not making any comment about the Kim Dotcom case, but I think if people like Kim Dotcom thought they were invulnerable and then it turned out they weren't, and they were taken away to jail and facing criminal charges. So I think companies have a role in reducing the comfort zone. I think a more -- coming to hacking and hacking back, and everybody -- this is where you put stuff on your network which isn't the real secret. It's just labeled, tempting, secret, and then the bad guys steal it and take it back onto their network, with some malware you put in the file and -- maybe a beacon, maybe it opens up their network to your scrutiny. The Georgian government did this brilliantly when they realized they were being hacked by
Russian military intelligence. So they put a file on their network called something like Secret NATO Plans to Attack Russia, and of course the Russians spotted it, stole it, opened it, and it was laden with malware which had been supplied to Georgia by an ally who has never been named, so obviously I couldn't possibly imagine who that might be. And the Russians opened it and, first of all, it screwed up everything on the network and sent it back to the Georgians, and presumably from there through to the anonymous ally, and also turned on the webcam. The Georgians put a report on the internet where you see the guys sitting there in T-shirts, laughing about, hey, we got this great stuff, but the microphone was turned on. That is not legal. You can do it as a government, as intelligence agencies. They're allowed to break the law. But as a private person you can't do that. In Britain we have
the Computer Misuse Act, and if you hack my computer, you steal something and it goes onto your computer, and I've just manipulated your computer without your consent, I could be prosecuted. So we need to think carefully about what the legal framework is for this kind of cyber self-defense. In the kinetic world we understand this well. The stand-your-ground law, but it's a pretty good defense: he hit me so I hit him back and I broke his jaw, I killed him, but he did hit me first and I can prove that. And so we haven't yet worked out the cyber version of that, particularly, can you outsource that capability to a security company? So if you come and hit me, can I pay him to hit you because you hit me? In the kinetic world that is not allowed. I have to do the hitting myself. I can't get bodyguards to beat you up. Are we going to say in the cyber
world that's okay? I think probably it is. But we're at the very early stage of thinking this one through. Can we have questions on this side of the room? >> Go ahead. >> Just one question to continue that thread. Have you been party to discussions about what these -- what kind of attacks could actually be considered acts of war? >> That is a really tricky question. You've got two axes. One is attribution. During the Cuban missile crisis, JFK knew those were Soviet ships. The Soviets knew they were American missiles in Turkey. No doubt. That was not our problem, working out who did it. And in the digital world you can be really flummoxed about who did an attack.
Secondly, what actually was this attack? If you run -- to take a hypothetical example -- you run Russia's missile computer network, the sensors and equipment that tell Russia, are we being attacked by another country? And you are -- someone breached your network, someone is in there now. Was that espionage, trying to find out how it worked? Was it reconnaissance? You should turn the computer off and go back to the manual system. Now imagine you're not the person running the Russian system, but you are another country, America. Maybe it was your spies, or another service, that has been on the Russian computer, so as far as you're concerned it's normal, and suddenly they turn off their computer, go into manual. Why? Well, I have to do something. You
raise your level. Now imagine the Russians. First of all, you think the Americans attacked your computer network. Better do something. So we have a very dangerous position here where we don't know what the attack is and we don't know who is doing it, and I think we have to have a great deal more emphasis on these kinds of hotline sort of things. A far more difficult problem than we had with nuclear during the Cold War, and there may be no answers, because you can't do deterrence with digital weapons. ...
>> The last point is the most important. In the justice system, we have seen in Belgium with the terror attacks the broader mechanisms for cooperation. Before it disappears off into the [inaudible]. So there was a huge amount of low hanging fruit. They didn't necessarily trust the farmers, but they needed
but finally, more people are worried about being sued than going to jail. I might do something careless -- these lawsuits that have just started are a harbinger: I gave you my data and you lost it. I will sue you. To say, I don't want to do that, what do I have to do differently? Also some legal standards. I have this neat idea for
>> How successful do you think countries such as Russia and China -- also the subject of WikiLeaks, with this system looking for the complete openness of news and information, exposing the acts of government. Is this a new fact of life? >> That the governments could never shut down. With an amazing amount of information, with the Chinese
and the Russians and the others have to get used to it. But that really hasn't happened. We have seen the ability of the Russians to dominate with propaganda, by technical means, and there is a small percentage of super curious people, and the hassle -- what is available is interesting. So they're very short of many. And on the second
question, governments don't have the right to have secrets. And with those principles, whether it is a democratic or totalitarian government, and during that search, it is the question about what is kept secret. And in this country the trifecta is the elected executive. It is said nearly enough, when you get into the debate, they say the most important
question is what the judges on the FISA court said. You could kill the party stone dead. But what struck me with WikiLeaks -- any State Department official in the room, I would say anyway -- is there is one that said, if you ever went to the State Department with just a brilliant piece of writing. There are some very talented people in the State Department. Maybe to say those
>> On behalf of the entire staff, I am pleased to welcome you to the book "JFK's Forgotten Crisis," a gripping story of a conflict in [inaudible] history that resonates today, using newly declassified documents [inaudible] to stem the tide of all-out war, to explain how this forgotten crisis [inaudible] more than half a century later. Please join me in welcoming him. [applause]
>> Thanks for the introduction, and all of you for coming out tonight. I want to begin by taking you back half a century. On the morning of October 16, 1962, John F. Kennedy's national security advisor arrived in his office in the West Wing of the White House. There was a file prepared by the Situation Room of the most important top-secret documents that he had to see before he saw the President that day. Two documents were notably important. One was a memo from the State Department, from the Bureau of Intelligence and Research, with the Himalayan border [inaudible] to deteriorate rapidly and a very good chance that a war would break out between
China and India. If that happened, India would probably be the loser, and it called on the Prime Minister [inaudible] and would alienate our allies in Pakistan. The other document that morning was a report from the CIA that summarized the results of a recent overflight of the island of Cuba: that the Soviet Union was in the process of putting in intermediate-range ballistic missiles, which have the capacity to hit almost every American city east of the Mississippi.
[inaudible] by the Soviets. In retrospect, one of these is well known. We see movies of the Cuban missile crisis and all these studies, and there should be. The closest we have come to Armageddon. JFK was dealing with an issue that meant we might not be here today, but the apocalypse. 50 years later, it is even more dangerous than people thought. [inaudible] six to eight thousand soldiers; in fact, there were 50,000. To bring only intermediate-range missiles
to surround the Guantanamo naval base with the missiles, and that they had the authority, already delivered from Moscow -- he could fire those tactical weapons. But just as that was so important, it has completely overshadowed the other crisis. China and India are the world's two biggest countries by population, the cutting edge of a competition between democracy and communism in which the whole Cold War was fought out. One
of the planks he campaigned on was that the United States wanted India to win that competition. That memo was prescient. The Chinese began to overrun the frontline positions, and within a week or two India was in a very serious position and looked like it would be defeated. Very reluctantly, it asked the United States and the United Kingdom for assistance, and by the end of October the United States and the Royal Air Force were flying weapons and equipment into New Delhi international airport and on to the frontlines of the Himalayas.
Then the Chinese stopped. Then they started again, at the end of November, to overrun all of eastern India. If you think of the part that sticks out, all of that looked like it would fall into Chinese hands. There were some who thought they would march all the way to Calcutta to take the second largest city. On November 19, 1962, there was a National Security Council meeting, but the American ambassador had
already previewed that with the second letter, to say, we're on the verge of [inaudible]. The whole world will see a communist giant marching over a democracy. I am not sure India will survive this catastrophe. He immediately needed 12 squadrons, and two more squadrons to be dispatched immediately to India to join in the war, and [inaudible] bombing raids into Tibet, obviously
to see if the Soviet Union would survive the invasion. This is the biggest [inaudible] you could possibly find anywhere. [inaudible] a message to Pakistan saying, don't think about it. They sent signals that he was very unhappy and wanted to be compensated for Pakistan's neutrality. He refused to give in to the blackmail that if you enter the war, that is part of the alliance.
So it was written in the memoirs that it looked like India would disintegrate. Martial law was declared in much of northeastern India. With that, Pakistan [inaudible] that it could open up. Then, with no explanation, the Chinese announced that within one month they would draw back to where they started. The Chinese records are not available; the archives
remain sealed. Nehru claimed that Kennedy was convincing the Chinese to stop, but it was America's resolve and Kennedy's determination not to let the Chinese [inaudible], manifested in the battle group, that persuaded Beijing not to let the crisis go any further. What if the Chinese hadn't stopped? Would the United States have found itself at war? [inaudible] it was the better part of three years. Here Nehru was asking us to go to war with China. Again, we will never know.
So Kennedy almost certainly would have said yes. First, because he really did believe Indian democracy was crucial to the United States and the global balance of power. Because his ambassador, a personal friend, would almost certainly have recommended it. Because just one year later, in the fall of '63, the United States Air Force, with small squadrons from the Royal Canadian Air Force, went into India for a military training exercise, which is exactly what Nehru had asked for one year before. So we actually practiced. The conflict between China and India ended in this cease-fire, but the conflict
is not over. They never settled. The border dispute remains the longest unsettled dispute today. Neither party has succeeded one iota in moving forward. The likelihood of another war is probably pretty low. I wouldn't say that about another India and Pakistan war, but it is a serious reality. So that dispute continues to this day. That has led to two other things. The axis between China and Pakistan. And then, to look at it in perspective, it is in 1962 that the alliance begins, and it is
called the all-weather alliance. It is a snub at the United States. It is taller than the Himalayas, deeper than the Indian Ocean, and China and Pakistan signed agreements that lead to $46 billion of Chinese investment. And of course, the nuclear collusion. They have been secret nuclear partners, and China gave them plans for their nuclear weapons force. Faster than any other country, this has led to a triangular arms race
between China and Pakistan on the one hand and India on the other. Just two years ago, [inaudible] proudly announced that for the first time it could target Beijing with nuclear weapons. So the crisis averted in 1962 remains a problem to this day. And the story of the crisis, and the role played by [inaudible] and the role played by the CIA -- but I will finish with one final word. But if they