tv The Communicators CSPAN December 21, 2015 8:00am-8:31am EST
protecting privacy of american citizens while doing cybersecurity and promoting information sharing. >> host: so how has the focus changed over the last couple years when it comes to cybersecurity and protecting against cyber attack? >> guest: well, especially after a lot of the incidents that we've seen, for example be, the sony incident and the incident against opm in the federal government, there's been a a lot of focus on making sure that we have areas protected and parts of the economy protects that aren't necessarily in the critical infrastructure, aren't necessarily the major federal agencies, making sure that we have a lot more coverage, more broad coverage across a wide range of different entities. everyone is at risk of having a cyber incident, and how do you go about making sure that you have the resources that those
institutions need that traditionally have not gotten the direct funds or the direct information that they need in order to protect themselves. >> host: in your personal view, what's our biggest vulnerability? >> guest: right now i think it's just that we have a lot of old systems in place, and the newer systems are better equipped to, in order to protect us, we need to be able to update those systems based on the known threats we have and building security into the networks themselves. so as the networks begin to grow, how do you go about building in security into those systems. you have to be able to upgrade some of the old technology that we have. >> host: and when you talk about the old systems and the new systems, specifically what are you referring -- >> guest: well, the best example is, again, the office of personnel management case is where you have a system that was 25, 30-35 years old depending on which pieces you're talking about, and you're trying to protect it today, and you don't really have the resources to do
that. so you have to be able to upgrade some of those systems. you can't expect an '80s mainframe to be able to hold the kind of sensitive data that we've been, that we have in the past, over the past 30 years. we need to be able to upgrade to i new systems in order to do that. >> host: joining our conversation this week is corey bennett, cybersecurity reporter for "the hill" newspaper. >> thank you so much. obviously, related to a lot of the issues you mentioned, congress is trying to move a cybersecurity bill that would encourage information sharing between the private and public sectors. tell us what benefits you think that bill could bring. the white house has been onboard mostly for this bill. >> guest: yeah. i don't want to overstate the importance of information sharing. i think that it is one key point. obviously, i worked on it, and i do think that it is important. the key point here is as we begin to upgrade those systems
as i was talking about earlier, those systems that have the ability to receive information and to automate this process of knowing when a threat comes in, you get that information can then be automated, get to the edges of the network, and we can build protection faster. so as we learn about a threat, we can get it immediately out to the edge of the network rather than it taking days, months or sometimes years to get where it needs to be to patch systems. so that's really the main goal here, is to create the ability to automate and to give people incentive to share that information that we need in order to find the threats faster. >> you mentioned you don't want to oversell it to a layperson who's watching this and might think, you know, how would this stop the breaches i've seen at target, home depot, etc. would it stop those breaches? >> guest: well, again, if you can get to the point of having upgraded systems even at some commercial institutions, you get to the point of having upgraded systems that then can take in
that information. so then it happens at one store, and all the information goes to other stores. both of those incidents were malware that had been known out there that the systems just were not fully protected at the edges of the network. it's hard to get to that point today. but we can update those systems, get the information to where it needs to be and have them protect themselves, we're going to be in better situations. again, it's not the only means you need to protect yourself. you need to do the regular patching, you need to be able to have hardened systems in the first place and make sure that you have the right, the right protections in place and look for the right things, have the training and staff that can do this in the first place, stop the incidents from happening in the first place is the best protection. so, but then, obviously, this is an added piece that can help us to move it forward. >> host: ari schwartz, what's the purpose of a cyber attack?
>> guest: so there's a range of different reasons for cyber attacks. we usually in national security council reserve the word "attack" for something that is really damaging, something where hinges are breaking, where computer systems go down, where computers are broken and cannot be used again. so you'll hear me refer more to incidents in this case. because when information is taken, it obviously causes a lot of harm, but we're not talking necessarily an attack. it could be a crime, it could be espionage. we want to make sure we keep the language of when we're talking about things like when the electric grid goes down or computers break and systems go down and we can't use them. to be able to separate out that language. you have these different purposes, depending, you know, espionage or industrial
espionage in some cases or could just be crime, right? or it could be many some cases people just want to make a point, and they use the means, the internet as a means to make their point, denying service to people, etc. that happens quite a bit as well. >> host: are these individual players who are creating these incidents? be are they state actors? >> guest: we're definitely seeing an increase of state actors in this space. we see a lot of countries now ramping up their abilities in this area, and it makes it a lot harder for folks to defend themselves. i want to say it's growing exponentially, but it is definitely we are seeing growth. it seems exponential to the public because we have new tools now that we didn't have in the past, and that has given us this insight to the kinds of threats the incidents, the attacks that we may not have seen before. and now we're seeing a lot more of it. so what has become public is
certainly a lot larger than it was before. but it is growing at some rate as we -- >> and who are those countries that you're talking about? those nation-state actors who are kind of the primary adversaries in cyberspace, and what do they want with u.s. data? theoretically china with opm data? >> guest: obviously, china, russia, iran has become an increasing player, north korea in the sony case, right? they were identified as the actor in that case. they want different things for different purposes. clearly from an intelligence point of view, it makes sense to want to gather data, try to figure out who individuals are, try to pull many that information -- pull in that information and make decisions about it based on the information that you have from that point of view. that's the main reason, but we've seen other instances where they just want to take down a particular company or service of some kind that they feel is in their national interests.
and all -- there's a wide range of companies that have been targeted that you would not think should be, would be on the list of companies that a nation-state would be interested in. so it is something that almost every company in the u.s. and organization in the u.s. needs to think about. >> a casino was supposedly targeted by iranian hackers because of sheldon sheldon adelo you're right. you wouldn't think of them as a natural target. i'm interested in understanding exactly, you explained the difference between a cyber attack and signer espionage. a lot of the work we see from nation-states is cyber espionage. people warn that it is very possible. congress is moving legislation on this. we haven't seen it though. why haven't we seen it if we're so vulnerable, and will we potentially see it because of the vulnerabilities that we have on our power grid currently? >> guest: it's taking things up
a level to do that, and so a nation-state would really need to want to take down the power grid and make a statement in order to do that. i think the power grilled -- grilled isn't, some have said it's an imminent threat. i'm not quite sure it's imminent in that way, but it is a major concern. the electric sector has done quite a bit to build up its resiliency and to work in this area. they're improving, but there's still a big risk out there that things can be planted in advance and then used by a nation-state when they want to use it. and that's really the concern, are these companies scanning their networks regularly looking for things that we know are out there or things that we might not know are out there, things that look strange, and how do we go about finding those in advance considering it's going to be to see things in advance and use it when they need it. not to try and implant it and then put the attack at the same time.
>> and there has been evidence that russian hackers, for example, are kind of sitting on networks, the power grid networks, just flushing out vulnerabilities. >> guest: i mean, nation-states are pinging each other's utilities in general, and i'll leave it at that. >> sure. >> guest: you know, that is just a fact. >> host: ari schwartz, what's the responsibility, in your view, of the isps many preventing these cyber attacks? >> guest: youyou know, it's interesting because we want the isps to play a role in security. as consumers, we expect them to looking out for our interest, as companies, but there's a question of how much you want them to look into your traffic. we have privacy questions about that. what kind of role do they play as, you know, a gatekeeper for the network, and what kind of role do they play just delivering the communications and making sure the information gets to where it wants to go. you know, the internet has grown the way that it has because we have had these open networks,
and we want to be able to keep that going. at the same time, we want to be able to build in protections. the telecommunications folks and the isps are doing a lot more to try and figure out how to balance the two and get to the right place so that they are keeping the networks open at the same time building in more protections. sometimes that means that they charge for those services, and sometimes that means that they provide them as a baseline service, and there's an ongoing debate on that issue. >> host: and given what happened in san bernardino and the use of the telecoms, or the telecommunications infrastructure, is the pendulum swinging away from privacy again? >> guest: you know, it's an ongoing back and forth, and the key really is to try to do both at the same time. i don't -- i've always been one, i worked on privacy issues before i came into the government. i was in the government for five years mostly working on security
issues, but working on some privacy issues too. and, you know, we keep having this kind of ongoing discussion as though we have to have one or the other. you can either only have privacy or only have security. my view is they are both written into the constitution, especially from the government, the side of the government doing this kind of protection. we have to be able to do both at the same time. that's what the american people expect. we should, we should do our best to do both at the same time and not take the excuse, basically, that we can only have one. >> where should we draw that line, though? senator dianne feinstein, for example, has introduced a bill that would require social media platforms -- twitter, facebook -- to report suspicious terrorist activity on their networks. is that crossing the line? is that too much of an infringement on privacy? privacy advocates have said so. is that crossing the line? >> guest: well, the social media community does that today. they do a lot of this voluntarily, and they're improving their ability to do it
and they're investing more in doing it voluntarily. i guess there's a question of what more would you expect them to do if you mandated it versus what they plan to do in the future voluntarily. i don't understand -- in some ways i worry about capping that as well, putting it in legislation. that's all they're going to do as opposed to this push to say, you know, where are the lines here and how do we go about promoting it in a way that encourages hem to do a lot more -- them to do a lot more voluntarily and invest in and protect their users as much as protecting us as well. how do we get them to understand and to continue to invest in this space. >> speaking of the pendulum swinging, encryption has been another issue that has come into the conversation in the wake of paris and san bernardino. what is your opinion on encryption being part of this conversation and people using these attacks to kind of promote the fact that we might need an entry point into encrypted
devices, we might need a back door potentially? >> guest: well, i mean, there's two sides to this. we often talk about this as a security risk versus privacy debate, and in real estate it's for -- in reality in order to secure systems all the things you need to do to proactively secure systems rely on encryption. the greater use of encryption actually ends up protecting systems better. the question comes when something happens behind the scenes and law enforcement needs information. if you have layers of encryption on top of it, law enforcement can't get access to that to do the investigation. >> how much has that impacted law enforcement? >> guest: well, so far there's actually not that much evidence of cases where it has impacted law enforcement, but we are seeing this greater end-to-end, push for end-to-end encryption. i think it will end up securing the networks better. this is exactly the type of thing we want to see. i was talking at the beginning about moving to new
technologies, and one of the benefits of new technologies is you can build in a lot more layers of encryption if they're faster technologies without an impact on the performance, right? so that's what we want to do, is really build in greater levels of encryption into the system, right, so that it's harder to attack, harder to penetrate. those are positives. but when that happens, and it is going to be harder for law enforcement to get access to that information. so we have to figure out other ways to go about getting law enforcement the information that they need to do their job, and that's where the tension comes in in this discussion. >> how do we do that though? what type of alternatives are available? michael mccaul has called for a commission on technology and law enforcement to, obviously, look into. some people say there aren't, there is not an alternative, there is not a way for law enforcement to get at that encrypted data. is there an alternative? how do we get there? how do we find it? >> guest: well, i think there
are a lot of alternatives out there, but when it comes to certain kinds of encryption, right? when you're talking about end-to-end, there's less choices there, and that's where a lot of the debate is over kind of picking off wiretapping information in transit. but when you're talking about information actually being on a cell phone, you know, there are ways to store that information and get it even in this case the san bernardino case, the information was on a cell phone. they tried to destroy their cell phones, it seems as though they're still from what i'm hear anything the press stories, seems as though they're still getting information off these cell phones even though the folks tried to destroy it. the same would be true -- i don't know what kinds of cell phones they were, but the same would be true depending on what type of, if it was encrypted or not, and actually that was the case in the french incident as well where someone was using a cell phone that had some encryption on it in terms of the trends that's natural, but law enforcement had access to that immediately. >> the full device was not
encrypted, in other words. >> guest: right. but it was being backed up where they could get access to it, when they had the device itself, they could get information from it as well. so law enforcement was not hampered necessarily by that. but in that, even though there was some encryption involved in that case. you have to figure out what exactly information they need and how we can get it to them best depending on the type of encryption you're talking about and the tool you're talking about which makes it a lot more complicated of a discussion. >> host: ari schwartz, the move to the cloud, has it made it easier for law enforcement to get that information? >> guest: you know, it's different in different instances. so, obviously, as you have more information in the cloud, if it's not being stored encrypted, in an encrypted way or if it's being stored in a way that the provider can get access to it if for some reason they need to, that could give law enforcement more, greater ability to access that under existing law.
and existing understanding of law. but if it's encrypted and there are stronger protections around it, it could eventually mean that they'll get less access to it. so in the short term, it probably means they have had greater ability to get access to information. in the long term, that might continue to be the case. >> host: to put it really simply, and i hate to nary row it down this simply, but hillary clinton has called for facebook and other social media outlets to get rid of these sites that are being used by terrorists. is that, is that realistic? >> guest: well, i think what they can do, and this is what i was referring to earlier, is take down things as they pop up and monitor -- >> host: but isn't that whack-a-mole? >> guest: it is somewhat whack-a-mole, but they have been able to automate a lot of that, and i think they can go further in that regard, and they -- from what i've spoken to them, they plan to do that.
there is, you know, efforts to make it easier to do that, and i think we can take advantage of technology in order to be in our favor in this realm as well as when it works against us. >> some of this speaks to as well the government's ability to conduct digital surveillance. we, obviously, this year just finished a big debate about a phone metadata program known as section 215. the usa freedom act was passed, we got rid of that. we're now going to have the battle coming up on internet surveillance, on section 702. what do you think -- there has not been as much of a unanimous push to eliminate that program the same way there was to eliminate the phone metadata protection program. do you think that should be altered, changed, eliminated? what do you think's going to happen moving forward? or is it being proven that we need that in light of the recent terrorist attacks? >> guest: i think there's a difference in the way those two programs have been seen by advocates, but in particular by the commissions that have looked
into this. >> can you explain that? >> guest: privacy and civil liberties oversight board which is a bipartisan commission that was created by, advisory board that was created by congress that gives public comment on this type of activity, they -- especially as it relates to terrorism, they said that 702, there were some tweaks to it that could be made, but it generally was a good idea -- >> and explain exactly what 702 does for someone who may not understand the contours of it. i know it's kind of big. >> guest: yeah. it allows information -- it allows law enforcement and intelligence to get more information from folks working with companies directly to get communication information under certain court supervision, i think is probably the fasters non-lawyer -- [laughter] of what 702 does.
the issue, i think, has been -- and the other review that went with on was the president called for review after the nsa disclosures came out, and that board made very clear they thought 215 was a big concern, and they had a lot less concern with 702. again, some tweaks to it they suggested, but i think that those two different groups making those kind of recommendations on this front changed the way that a lot of people are talking or changed the way when people were lumping those two together. again, this doesn't mean there can't be changes to it, but we're talking about it much differently than we're talking about the telephone metadata program. >> what do you say to pryce add slow -- privacy advocates? this plays not only into 702 but also into the current debate
about the cyber bill. the privacy concerns there have been it's just another way to shuttle private data on americans to intelligence agencies such as the nsa, to the fbi? what do you say, the white house initially had concerns about that provision and has since come around as some of the language has moved forward. explain your concerns and why, perhaps -- >> guest: i think the white house is still concerned about it, right? even in the statements of administration policy that they've written on all the bills, they continue to raise privacy concerns there. but they're supportive of the general bill overall. again, the point being that we can do both at the same time. the question is what information is coming into the government, what is the government doing about it, and what is the oversight that you can put over it. one of the keys that the white house had when i was there and continues to be a concern is that to make sure this goes through a civilian portal. when information comes in to the government, you have some civilian entity looking over it. and the reason that's important is because that allows for
public oversight. if it's all going through nsa, through the defense department or through intelligence, the intelligence community, it is much more difficult to do the kind of public oversight that you need to make sure that the privacy controls are put in place that we must have. so that has been a key point for the white house. privacy groups, obviously, feel as if that's not alone enough. they're concerned about how the information's shared afterward. so that becomes a key question about how you go about looking at these issues. >> host: arkansas key schwartz, were -- ari schwartz, would we be having this conversation were it not for edward snowden? >> guest: i think we would. you have to remember on this particular bill there was an earlier version of it that happened before the snowden revelations where the white house actually threatened a veto of it with this exact same point in mind, right? that said nsa is -- if this information goes straight to nsa
as the original bill wanted, cispa it was called, then we would have no oversight over it, and it would be a major problem. and that was before the snowden revelation came out which often gets lost. the president has said this was something he cared about beforehand. that is one thing i really point to all the time to people to say this is proof that he actually meant that. he really -- there has been concern in the white house of the kind of oversight that you can do of the intelligence community publicly and how to go about addressing some of those privacy issues. that will continue to be the case even in the future as, you know, as we start to raise some of the concerns on the security issues that we've seen in recent months. >> host: is this an area overall of cooperation between the administration and the congress? >> guest: yeah, this is an area, i think cybersecurity has been an area where we have had a lot of bipartisan work and a lot of work between the administration and congress. and you've actually seen that
starting from where we started with that bill that, where the administration threatened to veto. we've seen a move toward the center here, and that's the reason i think on the part of congress the ability to come up with bipartisan solutions in this space has made the white house change its point of view which gets at your questions, your comments as well about, you know, how to -- why did the white house change its viewpoint. it has to do with the fact that there was this kind of coming together on good solutions that address the privacy issues, that show transparency in the space but still protect security and do a better job of getting information where it needs to be. >> what does congress, you mentioned that congress and the white house have worked together on this. obviously, the white house would hike to see other things from congress. what else should they be doing on cybersecurity, what else could they be doing? be. >> guest: yeah. >> i'm not speaking on behalf of the administration. >> guest: my view has been that
there is, that we've seen a number of cases where the agencies and entities that are being hit are ones that we would normally not expect that to be the case. we'd not expect that to be the case. and it turns out almost every time those entities don't have the technology that they need. we need to really think about how we're investing in these agencies and these technologies. traditionally, when it comes to terrorism, we give our money to fbi, dhs, nsa, the intelligence community, right? those entities are the ones are seen as protecting us. that's not enough -- >> host: and finally, we're almost out of time. i apologize. you've moved on to a company called venable which is what? >> guest: it's actually a law firm. i'm not a lawyer. we're building a consultancy that's going to work with companies to try to help to protect hem, figure out ways to
protect them in these different areas and build the protections up in ways that work with existing law, that can happen where people don't have to be afraid to look because hay know that they have -- they know that they have the ability to do things under the protection of attorney/client privilege and at the same time use the new technology to search and find the concerns that are out there in the cyber area, cyber threats. >> host: ari schwartz is formerly the former senior director for cybersecurity at the national security council, and corey bennett is with "the hill" newspaper. thank you, yes men. >> guest: thank you. >> c-span, created by america's cable companies 35 years ago and brought to you as a public service by your local cable or satellite provider.
>> today the potomac institute for policy studies hosts a discussion on the escalating violence in jerusalem and what's needed to create stability in the middle east. scholars and experts from the region will be part of the conversation. that's live at noon eastern on c-span. >> special representative for afghanistan and pakistan richard olson testified to the house foreign affairs committee. he said pakistan's becoming a more constructive partner in the region but more needs to be done to target terrorist groups operating there. other topics included pakistan's nuclear arsenal and u.s. foreign sanction to pakistan. this is two hours. [inaudible conversations] >> this hearing will come to order, and there is a vote in
progress, so my intention here is to begin the hearing, and then we will, we will suspend for the duration of the votes and allow the other members of the committee to come forward. but in this fashion myself and congressman poe can make our opening statements, and maybe some of the other members will be able to as well. so this hearing is on the future of u.s./pakistan relations. the committee has repeatedly urged pakistan to take meaningful action against key islamist terrorist groups operating within its territory. unfortunately, pakistan -- which is now home to the world's fastest growing nuclear weapons program -- has remained a fount of radical islamist thought. it was so surprise that one of the san bernardino attackers, tashfeen malik, studied at a pakistani school spreading a