tv Inside Story Al Jazeera December 22, 2014 5:00pm-5:31pm EST
years, he died today of lung cancer at the age of 70. that's going to do it for this edition of al jazeera america. we'll see you back at 6:00 eastern. >> right when cyberattacks an american-based subsidiary of a japanese company, is that a matter for u.s. government security concerns? is it a threat to the u.s. at all? that's "inside story." >> hello, i'm ray suarez. the u.s. government entities
that work this out has less and less his station about pointing the finger of blame at north korea as the source of the devastating hack of sony pictures. the forced entry, the threat, the embarrassing public disclosure of private material. the president has united states has expressed his concern. the hack has been described as a security problem for the u.s. there is even talk of putting north korea on the list of state sponsor of terrorists. in what way is the north korean computer attack different? worrying, threatening? that's our focus this time on the program. >> i don't think it was an act of war. i think it was an act of cyber vandalism that was very costly and we take it seriously.
>> should the government have done more when it appeared as blackmail from an attorney state? that's the question. confirmed that north korea was behind the most emgear racing corporate hacks of the year. this is not a sony security problem. this is a national security problem. and the government has got to lead it. on "meet the press" sunday. >> the fbi has been just terrific in this. they have been diligent, unbelievably confident in helping analyze and understand what the source of this attack was. now the rest of the government has got to get behind it and has got to figure out a way that we can protect our national security. but now we've got to have some actions following the words. >> have sony and other companies done enough to protect themselves from the new age risks of cyber crime? president obama pledged early on in his first term he would focus more government attention on web
security. >> this approach starts at the top. from now on our digital infrastructure, the networks and computers that we depend on every day will be treated as they should be, as a strategic national asset. protecting this infrastructure will be a national security priority. >> does that mean if sony says it needs help from the u.s. government, protecting corporations becomes the government's responsibility? the answer might depend on who is hacking you. north korea is not the first state to be accused of cyberattacks. earlier this year the department of justice indicted five officers in china's military for economic espionage against american companies. now in an unique eternal its reported that the u.s. is speaking china's help in north korean threats. last year, tens of millions of credit card numbers were stolen from the retailer target servers
after a major security breach. other institutions, jp morgan chase, home depot. even the u.s. posal service has all been victims of digital attacks in the past. cyber crime costs the internet in north korea is experiencing severe technical problems. one computer security expert in the u.s. describes the north korean system as totally down. when are governments, allies, and defenders of private business, when do governments seek protection of private entities as part of their own
interests and why. we'll look at the action and reaction of those who pick the locks on sony's electronic front doors. joining us, ceo of global cyber risk, a cyber risk management firm. and chris hill, and alan friedman, a research scientist at george washington university. jodie, with such high profile breaches just in the past several months is there an explicit or implicit responsibility of government to help shore up corporate defenses? >> well, the government should not be shoring up in the sense that we don't need the government inside the companies building their security programs. but we do need the oh government to have effective law enforcement, and to conduct
effective international investigations and provide resources to help facilitate the response to these incidents. that's the role of government. >> idoes it matter who the hackers are? if it's a gang looking to steal visa numbers or someone working at the arm of a government. >> companies have to be prepared, and they have to be as protective as they can. and they need to understand that there is a wide range of threats out there, and they need to be prepared for all of them, the most likely ones who will be targeting, and it's possible through an enterprise security program to be prepared to manage incidents of a wide range of attacks. >> alan friedman, when you first heard about this, and the
suggestion that it was north korea, did you see, really gee, sounds like north korea? >> i was fairly skeptical. i was interested at first. when it first came out it was leaked documents and sony has been the target of a lot of people people on the internet. they make enemies of online groups who try to defend as what they see is online free speech, but also what amounts to illegal pirating. i thought it was something similar to that. once we saw the scope of the malware destroying thousands of inside sony as well as the constant rhetoric, it was curious that north korea was behind it, and then the u.s. government announcing--90% likely. >> and the particular interview
and the subject matter. >> that circumstantial evidence was great but that is the ideal cover for someone who is trolling or trying to make fun of sony. >> ambassador, are we still getting used to a world where this is part of the arsenal of countries making various kinds of war on each other? >> i think this is an increasing part of the arsenal. we don't have a framework of it yet. people have been talking about the non-proliferation of the nuclear treaty, obviously we're a long way off from that it's a challenge to figure out what is private sector and public sector. this is not easy. it's cheer when you have a country like north korea doing what it does that is completely
irresponsible apart from the rest of the world. we don't have much choice but to figure out a way to respond and go after them and make sure that they don't do it again. >> a lot of evidence has been generated that state-related actors from china have gone after purely commercial interests in the united states. how does that implicate the u.s. government when it's a state actor when it comes to a bunch of vandals to try to make it difficult for a private business to do its work? >> well, obviously the onset of non-state actors whether it's al-qaeda or some computer hackers, this is a whole new world that we have to deal with. but i think the government is instituted to protect our borders, and so clearly our borders have been breached, and i think we have a big problem.
when we look at where--at north korea's behavior it's one thing to have the world's worst human rights record. it's another thing to be building inter continental missiles to put nuclear weapons on them, and now we have a cyber effort on their part. it's part of this north korean exceptionalism that we have to deal with. >> international law sits very comfortably between matrix, borders, capitols, what's in one country versus what's in another country. but the whole world of the internet has ushered in this place of placelessness, and ubiquity being everywhere all the times. is there a fit when one of the world's ambitions is not to be in any one place. >> it is a tough fit.
prosecutors, prosecutors, government officials have to stop at government borders. and assistance for cyber crime assistance through a legal assistance treaty or a letter through the courts. that takes months when minutes matter. this is a huge matter. we've been working on this issue with the cyber crime and justice committee to try to come up with at least a straw man for the organizations to start thinking about. because it is a huge international issue that we can't solve, but we can talk about ideas to stimulate them. but when you have an international investigation, and you have communications going from one provider to another to another around the globe, and you have to track and trace those packets and hops, it's extraordinarily complicated, and it takes a lot of effort, and you definitely have to have the assistance of governments to do that. >> you know, alan, a lot of
people are just worried is my visa number that i just gave to target safe? they're not thinking, did someone in moscow use a fake i.p. in latvia to bounce something off of something in antwerp to come after target? do you then have to involve the latvian government in addition to the russian government to run this thing down? >> i made the mistake once of telling a room full of law enforcement officers that cyber crime should not be a law enforcement issue. if you're trying to cut down on cyber crime, you're never going to get the bad actors and if you cut off the head, another one will grow up. the solution is to find what are the autonomies of scale that allow someone sitting halfway around the world to actually use ten million credit card numbers. we in the united states are
protected by credit consumer laws, but now it allows the ec ecosystem to morning. they push the responsibility on certain actors in the financial system to make a choice how much fraud do we accept or how easy do we make it to use these systems. when it goes out of balance, that's when government steps in, and that's when we look at how close we are to the system breaking. >> what is in it for the north korea. with all of its encounters with the outside world what motivates the government in pyongyang is sometimes hard to figure. stay with us.
primetime news. >> welcome to al jazeera america. >> stories that impact the world, affect the nation and touch your life. >> i'm back. i'm not going anywhere this time. >> only on al jazeera america. >> you're watching inside story. i'm ray suarez. whether it's kidnapping foreign nationals, firing test missiles over neighboring countries or hacking the computer systems of a major multi national corporation understanding north korea's state interest is sometimes hard to do. especially if you use the same yardstick as the one you would use to assess the work of other state actors. so ambassador hill, is it important to understand why north korea is doing what it's doing? understand it's motivations. understand the way it size the world when you try to figure this out? >> oh, it is very important to understand why they're doing
this, why they behave the way they do, no question. the issue is, of course, what to do about it. north korea is your proverbial her mitt kingdom. it sits there in splendid isolation in plot so splendid isolation. it has a ruling family that approaches a ruling religious cult. they don't mind that the rest of the world doesn't like them. but they don't like the ridicule of the world. they usually have tomorrow after organizations, and they felt this was the right thing to do with sony. i think they may have taken on more than they bargained for. i was. just in china last week, and i was really struck by the fact that the chinese, who have traditionally asked the u.s. to
give the north koreans a pass on these things, how the chinese are fed up with them at this point. this is a real opportunity for the u.s. to go and sit down with the chinese, who by the way have had their own challenges with cyberattacks, and see what we can do to work something out forwards north korea. >> ambassador, there is talk of putting north korea back on the list of sponsor for terrorism. >> it's essentially a list that if you're on it, the united states is not allowed to give you military assistance, economic health. it's more of a symbolic type thing. i know there is discussion is this attack a terrorist attack. if it is, should they be back on
the list? as far as i'm concerned we can put them back on the list after all. they were taken off the list as part of a political deal. first, they were eligible to come off of it and then we did a political deal to get them off the list in order to do some disablement of their nuclear facilities. they've since renounced the nuclear deal, and as far as i'm concerned they can go back on the list, but i don't think it make any difference in terms of their behavior. >> well, alan, a lot of military parallels and analogies are used when discussing the new sort of arms race in cyberspace. there is something going on in the north korean web today. what do you make of it? >> a good way to evaluate this sort of thing is to put the word cyber off. terrorism, vandalism, if you go through the loops and it's
vandalism but it's not an act of war, it's not an act of terrorism. we learned that some things are going on with the north korean internet. i would be skeptical to find the u.s. officially behind it. it's, one, our intelligence goals are to maintain access to a north korean for intelligence. it's unlikely that we would deprive ourselves of this type of information. and it's also too cheap. if we're going to do something, we're going to spend a lot of money and make it sophisticated. >> like the arms race there is a mutually destruction fear, and you can use it as an incentive
that we're not going to do to you what we don't want you to do to us. does that work where consumers are not sitting at home ordering books or cds making movie reservations on their hand-held device. can you not hold denial of service attack where only the military and a few leadership cadres have access to the internet in the first place. >> maybe this is some of the assistance we asked for from china, i don't know. that would be a nice turn. but in a country, in a globally connected network, i've looked at the laws of armed war wear and parsed out where we could say certain parts of critical infrastructure are necessary to uphold society, civilian life as we know it and protect it.
we could say in a few amendments to the head convention, the geneva convention, the u.n. chart for say certain aspects about cyber to help control the conduct of nation states. we have not gotten there yet. the book "the quest of peace" was a start in the right direction, but as you mentioned we're early in this process. and so countries like north korea would be some of the last to follow on with that sort of thinking, but we have to remember that the united states has been one of the most active countries in engaging in cyber warfare, and the way we've conducted ourselves, in iraq, and some of our middle eas middlmiddle eastern engagements. >> as more comes out about the hack itself it's important to ask did sony drop the ball? was the company already the
>> we're back with inside story on al jazeera america. i'm ray suarez. let's say you run a company that not only keeps personal records on its hard drive but other confidential communication between senior executives and even proprietary information about your company's creative output. did sony take enough care to protect the keys of the kingdom? with us our guests. alan, let me start with you. is a lot of the blame not on whoever did this outside of our
borders, but sonny itself? >> well, on one hand they went explicitly after sony. if someone with even moderate means a sign that they want to come after you they will succeed in doing something. the question is how much. that's where the defender comes in. it's the choices they make and the money they spend. we know that sunny failed the security audit in 2005. there are roomers that circulate in the industry about how little they cared about it, who they were promoting and why. this was an environment where they should have been aware of a cyber security threat. >> is this going to set off a round of escalation? are other creative entities, sony's competitors, going to say let's toughen up?
>> every company needs to understand that there are best practices and standards for security programsish and they have to undertake the o right activities, have a dedicated team assigned and deploy technologies and do continuous monitoring and be prepared. >> is it going to force them to spend a lot of money? >> well, they have to spend some money. a lot of companies view security like wiring and pluming in a house. it's just a hole you pour money in. but as sony can tell you, target, and home depot, these are expensive incidents. this one especially was four-pronged. so it's something that companies have to start looking at in saying have we really paid attention? do we have a full security program? are we ready to commit to be in a position that we need with a strong security posture? >> well, you've been live to go technical and legal perspectives
on this program, let me talk to a diplomat about whether small, week, and let's say poor countries are going to want to submit to international compacts that in favor the wealthier places, the most powerful places in the world where internet commerce is really an important part of the work they do every day. when it could mean that a poor, weak country giving away a forced multiplier, giving a way to project power beyond it's borders? >> you got it. this issue comes up all the time. a country like north korea, which fits the definition of poor and weak is always looking for kind of asymmetrical solutions, whether it's an army that is largely at this point a lot of special forces, whether it's nuclear program, which they've been pursuing for some 30 years, or now cyber program. it is always a problem for these countries to go along with solutions that are designed for
more main treatment counties. that said, you know, it's not our fault that north korea is small and weak, but it is our duty to protect ourselves from this kind of thing. i think you'll see a lot more of these efforts to try to have international solutions to these questions and certainly our relationship with china, which is frui fraught with all kinds of issues is going to be a combination of competition and cooperation. what i'm hoping in the coming weeks we'll see more cooperation than competition in this field. >> alan, is this going to be solved by a combination, not just legal things or technical things. >> it will require a number of things working together. there has to be a depreciation that legal solutions are important but won't solve everything. if countries want to pick
fights, they'll pick fights. the technical sign that we've seen for years you cannot defend yourself completely with technical means. the real solution will lie in the organizational layer. how do you have an organization that is large but nimble enough to respond to an attack, identify the weaknesses as you see them, so they can defend and be resilient is the magic word. >> good to talk to you all. that brings us to the end of this insid edition of "inside story." thanks for being with us. from washington, i'm ray suarez. >> coming up at 6:00 p.m. eastern on al jazeera america, after two nypd officers were murdered police across the country are taking extra safety measures. and new york's mayor is asking protesters to stay off the streets.
also widespread internet outages hit north korea after the regime threatened the u.s. for its response to the massive cyberattack. we have that and more coming up at 6:00. >> let us bow our heads for a word of prayer. our father and our most gracious god. as this family, the murdough family and their friends, as they gather, we ask that you send your comforter, your holy spirit, your guide, to be with them. >> queens, new york. jerome murdough's family is laying him to rest. four months ago, 56-year-old jerome was arrested for