The Communicators: Cristina Chaplain, GAO report. C-SPAN, December 8, 2018, 6:29pm-7:00pm EST
C-SPAN, where history unfolds daily. In 1979, C-SPAN was created as a public service by America's cable television companies. Today, we continue to bring you unfiltered coverage of Congress, the White House, the Supreme Court, and public policy events in Washington, D.C. and around the country. C-SPAN is brought to you by your cable or satellite provider.

>> This week, on The Communicators, we want to introduce you to Cristina Chaplain. She is the author of a Government Accountability Office report on weapon systems cybersecurity. What is the overarching finding?
>> This is in the development process, not so much fielded weapons. Many are vulnerable to being hacked. They are very vulnerable to cyber attacks in general. When these testers tried to penetrate the systems, they found that it was relatively easy to do so. A lot of the time it was due to very simple things like poor password management, not doing enough patch updating, and things like that. It looks to be a pretty grim situation. The feds are taking a lot of action. There is a long road ahead of them. A lot of it has to do with the culture. It has to do with hygiene and taking it very seriously.
>> Who requested this report?
>> The Committee on Armed Services.
>> Both Senator Reed and the chair as well? Cristina is our guest. We are joined by our guest right now. She is with Bloomberg News.
>> Thank you for having me. I am curious, you mentioned the long road ahead we have to making the systems more secure. What should we do in the meantime to deter adversaries?
>> There's a lot that can be done by shoring up the culture and paying attention to cyber hygiene, password management, these basic things in how you manage the controls that you already have in place. You can take a lot of steps forward just doing that. Once they are there, there are a lot of legacy systems. How do you mix that in with the new systems coming online? They will probably be more secure, but you still have issues with what you already have. That is going to be a challenge for them.
>> One of the interesting things in your report is you describe a 27-year timeline from where cybersecurity in systems became a salient point of concern to the present day. There was a turning point in 2014 when real attention was paid to cybersecurity. Could you elaborate on that timeline? Also, the specific challenges to the security of our armed forces?
>> There could be issues with these other systems. On the other hand, they went to operational testing and they could also be sick. It is not that other weapon systems are vulnerable; we are looking at what happens during the acquisition process. If you go back to that timeframe, I think we started in 1996. During that period, the emphasis was on networking and bringing systems together and eliminating all this. They did pay attention to cyber, but mostly from business systems and things of that nature, not so much the weapon systems. We may have a better situation with the systems and things like that. Then you have the weapon systems. Over a long period of time, we see more connections and cyber not being a priority. As we say in our report, there could be a whole generation of weapon systems that were rolled out in this scenario.
>> Could you walk us through one particular weapon system and what you found?
>> We can't do that because of the sensitive nature of it. I can tell you what a test might have found. These are operational testers that may be looking at an aircraft program or something, as they come to the end of the development cycle. You will see how this thing will work in a realistic environment. When testers went to work on the system in terms of cyber, they found it was easy to get in. They could very easily guess a password. Sometimes they can look at passwords in the package. That's what happened in one case. They were able to gain control of the system. They could escalate their privileges from being inside of a system to where they could gain full control of it. A lot of times it all went back to these basic issues: guessing passwords, patches. If you look at the test reports, they have made progress in recent years. There is more being done on the acquisition side to make sense -- they can still hack in pretty easily. We have a long way to go.
>> Do you know how long it will take to get to the next step in cybersecurity?
>> It all depends on the priority they put on this and the sustained attention. I think they could probably improve their posture in a couple of years if they really ensured people would pay attention to the more basic things they need to do. To have a lot of assurance that you are protected could
take a long time.
>> Is there a time when there isn't a conflict? How does it play out in the event that the U.S. would go to war with an adversary?
>> I think that whether it is peacetime or wartime, they are going to find the same ways a system can be penetrated. They are going to look for weaknesses. They are always scanning for weaknesses. They may already be in some networks now, just kind of probing, waiting for the time that they will have to do something. If it is a wartime scenario, that is where you may see what you actually have in your system and get some disruption. There has been a lot of concern on the portfolio that I usually review. You have everything from systems being built that would destroy satellites and a lot of cyber worries. There is a whole spectrum of things to worry about. You have a typical wartime scenario where systems can be jammed. Can our signals not be carried across the way they want to be? Those are electronic warfare worries. Then you would have a whole set of cyber worries. These could be things already in a network.
>> You talked about this big part of the acquisition process. We are talking about private companies that are building these prior to the Pentagon receiving them. Is that correct? When did you begin your work with private companies?
>> Correct. We are looking at the government management of them and what the government was doing about assuring security. There is a story to be told on the contractor side in terms of how they will protect their own networks and what they're doing on these programs in terms of cyber itself. In general, contractors are doing what the DOD requires of them. For a long time, up until about '14 or '15, cyber was not a high priority in weapons. It is up to the government to demand that of its systems and build it into the design. Then it is for the contractors to implement what the government demands.
>> Those weapons prior to 2014 or 2015, can they be patched adequately?
>> They are. They just -- they address vulnerabilities when they are discovered. Later on in the process, it is more difficult to do. You don't have the opportunity to do that in the design process. You have to think of your architecture for cyber and lay out the controls that have to be in place. There are firewalls and protections. There are all kinds of things that have to be in place. You don't want that happening at the end of acquisition.
>> You talk about private companies. I'm interested in how you think the DOD should deal with information sharing. A lot of this information is very classified. It is important to keep our weapon systems classified. On the other hand, sometimes that means the creators don't know what vulnerabilities they are dealing with. How should that balance be struck?
>> We have seen the problems with the programs themselves. A program does not always -- may not learn about vulnerabilities in its own system or another system that is similar to its own. There are a lot of problems in information sharing. Some of those are inherent in the classification. Some of those are related to the fragmented nature of DOD. There are companies on top of that. That is a really big challenge for DOD. That is something that we want to explore and follow up on.
>> When DOD has found vulnerabilities, can you talk about the process of actually patching them? What does it look like on the ground?
>> We don't have an exact number. In the test reports, vulnerabilities that were previously identified were not always corrected. Only some of the vulnerabilities were actually corrected. That is a problem. We are not seeing that
happen to the degree that it should be.
>> Does the Pentagon appreciate your work? Are they resistant?
>> We were expecting pushback, but generally they have been appreciative. We have had a lot of programs reach out to us. We have had people in the cybersecurity sector reach out to us. There are other players involved with this. I have been very surprised at the reception we have gotten at DOD. It tells me they are indeed holding themselves accountable. They did not fight the issues on this report. They did not disagree with the findings. It seems like they are really taking this seriously.
>> How many people at the Pentagon are working on cybersecurity issues? Do you have any idea?
>> I don't have an exact number. There are plenty. You have the whole test community. There is a good portion of them dedicated to cyber. Every military branch has a pretty big cyber team. It doesn't seem we have enough qualified people to do this work. They are really in need of bringing in more people. I think it is a difficult thing to do for the government. It is not as attractive as some of the private sector companies for cyber people. That is one of the biggest challenges they face.
>> You talk about the red team. Who made up the red team?
>> Usually, players from the testing community. They could be from Army Test Command or Air Force Test Command. It could also be from a broader operations and test evaluation team.
>> In terms of weapons and systems acquisition, you mentioned that the bodies that specialize in cybersecurity are involved but only when they are asked to be. Do you think they should play a more active role?
>> In some cases they probably should. They are under an incredible set of demands for protecting broader infrastructure. It may be hard for them to devote more resources toward weapons.
>> I want to follow up -- did you make recommendations to the Pentagon about cybersecurity?
>> We did not in this report. That is something we wrestled with considerably. It seems that there are a lot of things to be done. There has already been a lot recommended. There was a report where we focused less on cyber. We have tens of recommendations for them on that front. The Defense Science Board has many recommendations. The DOD IG has had many recommendations. They are all focused on areas that we pointed out: workforce, accountability and putting in the right framework for cyber. We would like to see how these things are made. Defense has revamped almost every policy that relates to cyber. They should be taking a lot of better actions like conducting vulnerability assessments within portfolios of weapons and across networks. There is a lot being done. I think we wanted to see how that was implemented and if more needed to be recommended.
>> I'm guessing that because of the nature of your work that you have the clearances to do what you do.
>> Right.
>> I was wondering if you could talk about the issue of automation. There is increasing automation; the Navy has considered reducing its personnel because some of the tasks could be completed by automation. Do you think there should be investment in backups of automated systems? How do we handle the rise of automation?
>> I think that is a great question.
That is what happened over the past decade or so. You have more components. When they are networked together, there is a need for people there as well. There need to be backups. That is something we should look at. It is something they should be considering. That can be pretty expensive if you're going to build a whole other backup system behind one system. It is something that they should consider. They think about what happens with the systems when they are attacked. Just be resilient. You can make them cyber proof. How can you be resilient even in a wartime scenario?
>> You mentioned the patching of systems and creating backups for automated systems. I am wondering, there is a whole host of systems. You discussed the weapon systems themselves. Then there is the navigation system that has to do with where weapons are deployed to, and then there are command and control systems and industrial control systems. There are all these different kinds of systems. How do you think about how to prioritize those funds?
>> One issue we did see is when you are updating patches, it is a very challenging thing. You have to go to the system that it is connected to. There's one area that has DOD in discovery mode and that is control systems. That is going on right now. They are trying to learn more about that. The first thing to do is learn more about what could be affected. What is tied in. What do we really need to worry about and prioritize? Connecting all the systems is a big issue.
>> Is this Government Accountability Office report available online for people to read for themselves?
>> It is. We wrote it in a way that it could be read as a public report.
>> Is there a version that is classified?
>> We had a classified briefing for Congress. We are still giving that briefing to some players. We did not necessarily have another written classified report. Our goal is for our first review in this area to get the message out. Then we can go and do that more detailed work.
>> You reported that to Congress. Why did you do that?
>> They asked us to do the work.
>> What is the Cyber Command over at the Pentagon? How did they play a role in your report?
>> That is a subunit of Strategic Command. It is also -- up with the National Security Command. They don't necessarily have any direct management over weapons. Their role is to help advise on that issue.
>> The DOD cybersecurity strategy mentions the variety of adversaries, especially China and Russia. In interviewing people, what were the specific concerns on their mind?
>> They're mostly on basic cyber hygiene. Let's get our culture in place to focus on cyber. Then we can weigh out these more advanced threats. Right now they don't have test systems for the types of threats you might see from Russia and China and North Korea. They are not allowed to in terms of testing. They don't want to potentially disrupt the system. They seem to find many issues on that. That is a problem. Those people have lots of time to work on getting into a system. They are extremely sophisticated in how they get in. It is a great worry. First, we have to get to that first level of security.
>> Do you have a sense of how U.S. forces are prepared for cybersecurity relative to other countries?
>> I do not know that.
>> You alluded to a problem that could already be baked in. They don't test for that. Did you take some samples and say let's test this weapon system to see if there is a bug in the cyber?
>> We do not do the testing. It was DOD's operational testers. We review the reports. We are seeing some activity with regard to that. I think DOD is reigniting their bug bounty program. They will have some people try to break into certain systems.
>> Can you explain that Pentagon bug bounty program?
>> They let people out there do their best to try to break in to help them learn. In this case, it is being run by the Digital Service. It is a small group comprised of techies that are from the outside, people from Google and places like that, trying to get the DOD on par with the commercial sector.
>> You mentioned that as part of this report you looked at testing that had already been done. Could you tell us about the process behind this report and also, given that this was the first report on weapon system acquisition, what are the next steps?
>> We talked to all the major players involved in cybersecurity. We reviewed all of the items that are out there. Then we just interviewed a lot of programs and a lot of officials who have anything to do with that cyber process, whether it is the CIO or NSA. We do have a team like that. As far as the next step, now that we have a baseline of what we see in cyber and what needs to be done, we will probably drill down on certain areas, hopefully the contractor side. That would be the first area that we really drill down on in terms of contractors that work with DOD. We would also like to look at the issue of how vulnerabilities have been fixed after tests and to try to get percentages.
>> How do you go from getting a master's in journalism at Columbia to testing weapon systems at the Pentagon?
>> Good question. I was a journalist for a few years in the finance area. I always used these reports to do my work. I became interested in working with them. The plan was to do it for just a couple of years. I ended up staying there my whole career. I gravitated toward technical issues and eventually went on as an evaluator. I ended up directing that team. We normally look at defense programs and issues. We thought the cyber issue is pretty important. We see that it rises a lot in our work.
>> When you answered Alyza's last question and talked about the different processes, there seemed to be a lot of doors into potential hacks.
>> Correct. I think that's one of the illustrations we have right up front in our report. We
have a system and showed you what the attack surface looked like. People think of a weapon system as being alone, protected, impenetrable. They don't realize all of the little places that they connect to other networks, even the internet sometimes, or that they have ports and things like that that can be accessed at different points in time. You think about when a ship comes ashore to visit, can people get in there and start plugging things in? There are a lot of different ways a system can be accessed if you're creative.
>> Alyza of Bloomberg, we have time for one more question.
>> You mentioned you specialize in acquisitions of space systems, and I'm wondering, as the U.S. moves forward with Space Force, how we should think about securing it?
>> Securing space systems is one of the biggest things they are looking at in the Department of Defense and one of the reasons they are creating a Space Force. I think a lot of attention needs to be there. Countries are not only thinking about cyber attacks for space, but there are actual physical attacks. You might have to rethink your whole architecture. Do you want these big, huge, monolithic space systems out there, which are easy targets, or do you want to move to an architecture that might be more proliferated, lots of little satellites, maybe working with the commercial sector to host some payloads so you can be in a resilient position in the event you did get attacked?
>> Cristina Chaplain, did this report scare you personally?
>> Yes, it did, as many reports do. DOD is taking these issues seriously and hopefully they can turn their culture around and focus more on cybersecurity.
>> Cristina Chaplain, and Alyza, who covers cybersecurity and the White House for Bloomberg News. The weapons systems cybersecurity report is available on the GAO website. This is The Communicators on C-SPAN.
[captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2018]