tv John Carlin Dawn of the Code War CSPAN December 22, 2018 8:45pm-10:01pm EST
>> mark leibovich, chief national correspondent for "new york times" magazine, the new book "big game, the nfl in dangerous times" came out this fall by penguin press. thank you. >> thanks for having me on. >> keep an eye out for more interviews from the national press club's book fair to air in the near future. you can also watch them and any of our programs in their entirety at booktv.org. type the author's name in the search bar at the top of the page. >> morning, everybody. thanks for joining us today. i think we're going to get going in just a couple seconds. so everyone, thanks for coming today. very honored, glad to host this event. i want to thank aspen for making it possible.
on any given day we would be thrilled to host lisa to talk cyber, so it's exciting to have all three of them here. expect a pretty good conversation. today, cyber is on the front page of every paper, is the topic of every board meeting. it's hard to avoid. john's book is important because it reminds us that was not always the case. wasn't that long ago that it was hard to get cyber news public and boards weren't paying attention. from my perspective, having watched a lot of the things he described in the book first from capitol hill and now in the private sector, it was exciting to read the government's perspective, see what considerations you were making when we were scratching our heads, trying to figure out what was happening and when. i didn't know until i read the book that it was robert mueller who first stood up the computer crimes division in 1991 after reading -- we tried to get director mueller come speak to his part of the history but he's busy right now. i love the fact you all have
handed out a copy to all new prosecutors. maybe "dawn of the code war" will be the next. anyway, none of you came here to hear me speak today. we are very honored to have lisa, david and john. it's my honor to introduce lisa monaco. you probably know her best from her time serving as president obama's homeland security adviser. she had a long career before that starting with the enron task force. she went on to be director mueller's chief of staff in the fbi, headed up the national security division at doj among other jobs. lisa, thank you for all you've done to keep our nation secure. thank you for joining us today. [ applause ] >> thanks very much. i want to thank aspen institute for sponsoring today's event and most importantly, jeff and symantec for hosting all of us
here. they have been really terrific partners and members of the aspen cybersecurity group that i'm very proud to co-chair with ginny rimedi and congressman will hurd. i appreciate your contributions to those efforts and of course, hosting and sponsoring discussions like this morning's. it's a treat for me to be here to recognize the accomplishments of really two great friends, john carlin and garrett graft. they have written a terrific book at a very important time. it's also nice to be sharing, i should say not a stage, but a plot of space here with david sanger. one of the most thoughtful commentators and intrepid reporters on these issues. his byline is must reading. for those of us interested in national security, particularly the direction of the cyber threat. david likes to bemoan the fact when i was in government, some
of the people around me would discourage me sometimes from talking to him. now, david referred to these folks as my minders. i referred to them as staff and colleagues. so it doesn't take a pulitzer prize winning journalist to appreciate the irony that one of those people is sitting right next to david right now and is going to be doing the talking. >> don't talk to sanger. >> now, we have been reminded again just this week how urgent the issue is that brings us here today. the past week's headlines include, of course, the marriott breach, the second largest ever, i think, based on public reporting, involving data stolen from nearly 500 million customers including passport numbers which i think adds a whole new dimension to what has become an all too regular event. on tuesday, politico reported
the national republican congressional committee was hacked and we learned that russian efforts against our electric grid continue. all of these incidents may well involve state actors. we don't know yet, although i think somebody knows, we don't know yet. but they drive home the scope of the threat, the enormity of the challenge and the degree to which we must make cybersecurity a focus of individuals, governments and the c suite. they remind us why we have to bring these issues, especially actions of nation states, into sharp focus, into public view and why we must impose costs and hold accountable those responsible. "dawn of the code war" makes a timely contribution to this effort by telling the origins of exactly that approach. now, i said john and garrett have written an important book and i think that's true for basically two simple reasons. the first is they frankly just tell a compelling story.
as the historian hareri has observed, humans think in stories rather than in facts, numbers or equations. the simpler the story, the better. the second reason is that "dawn of the code war" contributes something unique and that's not easy to do in a world that is overflowing with titles about cyber, many of those with the byline of david sanger underneath them. "dawn of the code war" writes the history for the first time from a unique vantage point of the origin of today's ongoing code war. now, i confess that reading the book reminded me of both a pleasant trip down memory lane and some trauma-inducing flashbacks, but mostly it reminded me of the gratitude i have for the work of the teams of which i was privileged to be a part and to lead, and i got to relive in reading the book great
partnerships. one of the most rewarding of those, of course, was with john carlin. as jeff noted, i served for several years as bob mueller's counsel and then his chief of staff, so i, like john, learned that you credit the team, and john has been religious about crediting the work of others when talking about his book. but john's capability as a strategic thinker and leader in this area shouldn't be minimized. that's why over the years, after we first met as prosecutors, i asked john twice to come work with me to be my deputy first at the fbi and later when i became the assistant attorney general for national security, and as john recounts in the book, in so doing i stole him away from mueller and the fbi. that was a wrestling match, arm wrestling match that i won with director mueller. i suspect there are a few other people in this town would like to be able to say they won a wrestling match with director mueller.
i would end up recommending john later to be my successor both at the bureau and the national security division. i would like to say these were entirely generous actions on my part that i knew that john would make incredible contributions to the national security and do great things. all of which, of course, is true. but these were entirely self-interested actions on my part. because i knew that he would go on to do great things and to focus relentlessly on this issue. that confidence that i had i think was rooted in our shared experience and it's ultimately why i believe john and garrett's book is so important. i grew up as a lawyer in the justice department and at the fbi, and i experienced firsthand the transformation of our national security apparatus after 9/11 to ensure that we wouldn't experience another attack like we did on that day.
we changed our orientation from seeing intelligence and law enforcement as separate silos of operation and competition, and instead, to pooling our information, our talent, our commitment against a new enemy. just as we reoriented ourselves after 9/11 and broke down walls between intelligence and law enforcement, just as we brought a sense of urgency, unity and common purpose to that challenge, i believe we need to apply that learning to the threat that, since 2011, the director of national intelligence has labeled the top threat that we face. that's not terrorism, but cybersecurity and the cyber threat. we need to bring our prior experience to bear and we should not have to relearn old lessons which is why incidentally, i think we should restore the position of the cybersecurity coordinator at the white house. we should be enhancing that role and national level coordination of cybersecurity. we need to bring the same
prioritization, teamwork and partnership that has been effective against terrorism to cybersecurity to build the same muscle memory for cybersecurity that we developed against terrorism. at the national security division years ago in 2011, we recognized this and we set about clearly to try and make that evolution by setting up the first nationwide network of cybersecurity prosecutors, beginning the case that would become the first of its kind indictment of chinese cyber-enabled economic espionage. john and the team carried that forward and changed how we approached the malicious cyber activity of nation states. that has continued and accelerated in the last two years. as i say, imitation is the greatest form of flattery and when it comes to identifying, calling out and imposing costs for stealing our intellectual property, violating norms and attacking our democracy, there
should be no partisan divisions. to the great credit of the men and women whose work is detailed in john's book, that's exactly how they have approached this. so as i said, this is an important book, at an important time, and it's particularly important right now, that we learn the lessons of history. we face an exponential problem in the form of a ballooning attack surface as billions of iot devices without foundational security are connecting to the internet every day in the form of a wild west of nation state cyberactors, in the form of a yawning gap between the skills needed for the cybersecurity jobs of today and tomorrow and those with the skills to fill those jobs. now it's more important than ever, i think, to educate, inform and evangelize on this issue. so "dawn of the code war" performs an important service by documenting the origins of a
much-needed approach and warning of the dangers yet to come, dangers like questioning the integrity of information, distrust of the internet and ultimately, disengagement from it if we keep building on an insecure foundation. institutions are under attack, applying consistent approaches to expose activity of those targeting those institutions, that's the only way we can hope to defend and render ineffective those attacks. i think we need look no further than the public documents from the special counsel exposing the russian efforts to attack our elections to prove this point. so to borrow a phrase from historian and writer jon meacham and his latest book, "the soul of america" one of the points of reflecting on the past is to prepare us for action in the present. i think that's exceptionally good advice that jon has taken and followed in writing "dawn of the code war."
this book reflects on the past work of a great many people and not only prepares us, but i think implores us for action in the present. we would do well to listen. i'm grateful, john, to you for writing this book. thank you for having me here today. i look forward to the conversation. [ applause ] >> well, thank you, lisa. thank you, john. and thanks to symantec and the aspen institute for having us here today. it's a great pleasure for me to be here and have the chance to talk to you about it. in case you haven't read "dawn of the code war" it is a fabulous book. i would say it's the best book on cyber that's been written this year. random house would come after me if i did. let me just say it's a terrific book. most importantly, there are copies of it back there for any of you who have not yet bought
it but i can't imagine anybody in this room would come unprepared, not having done their homework. so what struck me the most about "dawn of the code war" and as you can imagine, i read all of the stuff that comes out on all of these things, is just a sense of what happened as director mueller, as lisa and john began to try to transform the national security division of the justice department to this threat. not an easy thing to do when they had just been through this wrenching transformation that came out of 9/11, and to make people after years of hearing from the president on down that the new mission of the fbi and of the justice department was all going to be counterterrorism, to have somebody step in and say wait a minute, there's a threat that isn't quite as dramatic in what you see but can be far more
damaging in what happens over the long term, was a huge shift. every one of the cases that john and garrett walk us through in this with their inside view of what happened is testament to the grinding nature of getting policy makers, the bureaucracy, to think in those terms. ... >> of the initiatives. the daughter of the founder of the giant chinese
telecommunications firm shows up in canada thinking she was changing planes but it turns out she was changing countries and just did not know it yet. she gets arrested, the arraignment is tomorrow but the indications are violations of the iran sanctions. but of course it is a much bigger said of issues that runs all the way through the china section of your book. so now we have seen this administration twice in two or three months to appease chinese executives or officials in belgium picking them up all over the world and
we have this debate if they don't show up in the courtroom so tell us what is happening here. >> first i just want to echo the thank youse not just for hosting this event but as told in the book to be part of the fight and then to defend our companies. and also along with the director mueller and the most influential but with that model of dedication to fax or work ethics and in a nonpartisan way is that we
could all emulate and to the aspen institute for hosting this in my co-author who can say this book would not have been written without him because i would not say anything and numerous times i could attest to that because it is a vital story to tell my final think you is really a story of the accomplishment and work of others. were those intelligence committee so they were fine with that so to bring it out of the shadow what people can do to educate themselves to protect themselves of the company and the public.
and those adversaries. and the arrest yesterday and to tell the story in detail for the first time in this book. how do you make that transformation cracks as government official i could not say that china was committing economic espionage it was classified. at the same period of time they had been on the line. i didn't have access on the intelligence side they would
work with me on the criminal side but then they would just disappear behind the door never to be seen again. and dad i could see the cyberpeople to have a good graphic user interface or those that are intruding upon universities or nonprofit hopping into american companies and billions of dollars of trade secrets with former director of the national security agency calls the largest transfer of wealth in human history. and did not feel like success.
>> so we have to do something about this to change the way we tackle that. from the people's liberation army in 2014. women to steal secrets from private companies for the benefit of competitors overseas. but david sanger did say what is the point? will that change behavior cracks and then to figure out who did it to make it public so you know the stakes and can take action to impose consequences.
and it has all the same penalties of any other criminal case one thing that is interesting to talk in the book for the first time is sue. so while sankar and others that you will never end up arresting anyone but at the time we had arrested somebody from canada but we were working through extradition proceedings so while reporters were casing the issue we knew there was an individual in canada but what will play out again that china put great pressure on the canadians to convince them not to bring him
back into the united states where he was charged with a conspiracy. and to hack into other companies with those flight specifications. and it looks like two canadian coffee lawn - - coffee shop owners and ultimately they did the right thing we had several hearings but he was convicted and serve time he was named and shamed and put in prison so there are consequences for the action and you are seeing that playbook here when it comes to the arrest with
huawei as we said earlier is to look for the playbook all tools of government power that is contrary to the national security interest of the united states using another proliferation case. but those who benefit from it. but one for terrorism or the other four proliferation of distraction. but that was linked to the subject matter to the arrest of the executive from t h.
so what will happen if they put similar pressure on the canadians is that the normal one - - normal criminal justice process? if it isn't resolved with us government starts to use other tools that ultimately caused much more damage than the criminal indictment because no one in their supply chain could do business with them because we see use of the sanctions but third we will wait to see what we resist or is it a bilateral discussion on trade? whether it's nonproliferation or terrorism or cyberor those actions try not to resolve them with the diplomatic
so your note here in the case of huawei with the pushback is right especially in this case. so who do you imagine that situation where the chinese go after american technology companies, executives so occurred we be at the beginning edge of a tit-for-tat escalation cracks. >> but with other actions there are already rules in china in order to do business
and with that intellectual property to be used. and then to be outlined. and with that subsidiary of a german nacht one - - a national not only did the uniform numbers of the pla with the unprotected part not where you spend the most resources but to have the pricing information but then use that strategy and to force them out of business but to add insult to injury after they go for unfair trade practices so the idea that this is the first blow is not right. we are already there. it's a question of how much will be take?
and relatively cost free and not because the cost-benefit analysis by the chinese government with the research and development rather than investing using my military and intelligence apparatus to take this information it is a different field which is proliferation. >> as you describe the effort and the culture. and what i hope to accomplish.
>> and not just rely on those people. and outside the intelligence community. from years and years and years so talk about that to an outsider. that almost seems duplicative of the entire structure of the us government already has. >> and after september 11th i was surprised to have billions of dollars of invested of homeland security
the director of national intelligence the national security division focused on tearing down the wall that made it more difficult to share information across law enforcement divide when it comes to terrorism threats. and with those terrorism in 2007 and 2008 timeframe. with this new national security threat was called the top threat to our country and that seems like an obvious reform. and and also with those great
stories it is technical i don't speak that language leave that to the information and technology that is different than every type of problem and that's too technical. because of the policy side with that personnel management. and with the chief of staff they were trying to have a meeting of the cabinet and
then to talk about the cyberguys. and the cabinet secretary showing up. so as the cabinet secretary if you don't understand this well enough and not policy choices we are not where we need to be. but not just the cio or chief information security officer. >> and in the insurance world in the credit market is that
those casinos and with that cyberattack with those locations so tell us a little bit about from this attack and what you learned of how quiet the reaction is. >> going around the united states today what was the first major destructive attack? but almost every audience people say sony. sony motion pictures. so what does that look like if
any nation decided to attack the united states through cybermeans like a electrical grid or financial system? >> and now even critical infrastructure. and then experience to brief the president and then start the briefing if you have seen that that is not an easy movie because it doesn't make a lot of sense it is a goofy comedy about pot smokers. >> pot smoking journalist. [laughter] good point. and then not to remember it.
but we probably should have learned better than we did. and when it comes to cyberattacks for those who want to impose their values and then attacking free speech. and those that launch that destructive attack and number two with our practice point at home and then who decided on his own that commission structure deciding to pull the plug that would be far more damaging.
but the third bill and comparing it to sony with that attack to spend so much resources thinking about what cause the biggest damage to the brand or accomplish the goal for free speech here? this is why sony resonates it was also a destructive attack turning computers that employees cannot do their jobs or in intimidating them with a graphic interface with the school but was sony it was massive intellectual property and we have seen that before not to resonate the way that particular act with sony. in fact the third part was the
attack on the sony e-mail system where they stole internal e-mails and then use nontraditional media to push out that information then watched as the mainstream media that was high at the time doing the damage for them to publish their stories so they were helping a foreign nation oversee to execute a plot designed to chill free speech in the united states and under the first amendment it was a traffic about entertainment.
but then to say it was north korea than the narrative changed so united states white you doing more to protect us from north korea and then going to sony? sans and sony and then the russian playbook going into 2016 with that watching them do harm that could be more effective from the most protected parts of critical infrastructure. >> and the national enquirer but here is an interesting point but that vulnerability
the attackers have figured out not how to get into the system but how to exploit and just like angelina jolie like the national enquirer but there is no way we can write the laws so that takes you to the question that just comes up time and again it was just described to the chinese. each one has a characteristic in common and that you can't
look inside the united states but to look at foreign networks so by the time you get it you can have some deterrence. >> do you come to these conclusions about changing the nature of our system. >>. >> but trace this back to the internet itself over a 30 year period almost everything we value books and papers and digital space we have done so
using a protocol with security in mind. with government or private sector for the dedicated adversary so we have to start their what has already happened thinking of science fiction when people take advantage of those vulnerabilities to have the right tool or employee to be safe and then to come up with low cost nontechnical solutions so to see the campaign in france so instead
of trying to keep them out instead they put fake e-mail traffic with the rio e-mail traffic and steal it or dump it but when they had that supposedly did tranche they said some of it is real or fake we will not tell you which is which that kept the media from running stories because they did not know they did not know about that tack neat - - tactic or technique so that's a different way to think about risk and strategies. but it's about time we have that conversation the difference to our society went from a horse and buggy to the
automated car. but just in that one sector of that revolution in our lives going from the driverless car but yet we watch as those were rolled onto the streets 80 percent of the cars are now computers on wheels it with the same mistakes of the internet but with a hacker videos take over the braking system that led to a recall of the regulation using seatbelts and brakes if a hacker can get in this easily to the entertainment system causing problems and we have already seen a piece of this it is
good faith they tested and worked with the design in order to be secure they did not encrypted so publicly available software could happen but then they realized i will not call out it is not microsoft specific but for all those times you got in trouble with your windows computer that is one thing when is your laptop it's another immature pacemaker for your car or drone in the sky. so part of what we need to do is military law enforcement we cannot continue to make ourselves this vulnerable in the space now we have to figure out ways to incentivize security with smart decision-making and then to
get the private sector engaged, we are not there yet but have a mindset with that intelligence problem that is the way we handled the threat so why disrupt those russians operating inside the united states and then feed them false information if it's a small enough scale in the intelligence world. >> but that scale causes real harm to real people now like active measures to occur from overseas we still don't have the mindset to figure out a way to share what government is learning because we are learning incredible amounts and technically to the private sector we haven't been incentivized.
>> so dick cheney got a pacemaker that kept late-night comedians up but it actually merges up with huawei. so one of the concerns that these devices are not made in the united states so with the supply chain is murky at best and companies getting into the next generation it really won't know what is built into the system. but for them to be updated but the chinese idea like beijing
crack. >> how we approach this both strategically crack. >> that is part of why i call the book the cold war with the analogy the cold war it isn't necessarily international legal definition of harm. but we are in a low intensity conflict causing real harm each day and it will take an effort on the scale of the cold war to invest the time not just dollar resources but to make the public recognize the conflict and you see the country focusing that level of technology and who will control it so one of those areas of concern is five g
there are positive benefits so don't want to be completely negative about the technology but smart cars save lives they reduce traffic fatalities moving to smart cities reducing traffic issues that people may have with water contamination but the technology that underlies it to have sufficient broadband or access to connect all of these device devices, there is something wrong with that fundamental technology, then you start to build out our cities and cars and military all using it is a huge problem that makes the whole foundation unstable. so what you are seeing now, the utilization of the existing statutes and tools like the justice department
nor the united states use investment for national security risks and on foreign investment and also to set new rules on technology to be promulgated over the next year and a half with the department of commerce and so we want a country that shares a national security interest so not just criminal law or sanctions but regulatory law to help make that change but we have to make the case that the western base values that underlie the internet for free and fair trade are the rules the world
wants to play so they choose which system they want to have underlying that they understand the threats and they opt for that system that is a war of technology and the values but that's the space we are at now and is an open question who will win. i think we can but this is what it will look like. >> one moment you said talk about the qualifications but essentially to be over classified and getting in the way of the ability to share this information. it becomes absolutely critical
that the pack is spread out quickly the company can transfer information back so there has to be a free flow of the old classification system that if you put a stamp on something over 25 years then the utilities how do you deal with this crack. >> first to acknowledge when we make these cases public and the adversaries get better they try to hide their tracks and i would argue not doing that could be cost free so imagine what those services could do if it doesn't matter if you get caught? collect whatever you want whenever you want?
know about those cases that have already occurred. it with a bright shiny object one of the key things with the type of defense as an indicator is to understand the context what did they do before like facebook indicates it was written in st. petersburg? them with that cyberconference in san francisco and to have this information.
election of france and other places influence operation which is like an information war. so they have married up the simple business of spearfishing with the podesta e-mails then feed them back very discreetly back at certain points of time to create and influences a new phenomenon. and then to have these cyberattacks they collect the data that nobody really hears from that. maybe they got you one - - credit card information maybe they didn't. that doesn't seem to affect people. and then we like to read about
lives? we have already seen a blending of the computer hacking threat where the customers get their information it is a low scale and sophisticated computer hack and then to get the e-mail that says you to be out of your system and let me back on. so give me two bit coins so most every company today would be big deal.
they did work with government to incentivize so yes they did want the $500 with a fellow extremist in kosovo and to have that consumer information and then to become friends with them then to say to be wrongly convicted for computer hacking is radicalized at the very heart and the tip of the sphere to get people to bring the record number where we saw 60 percent 25 or younger one third 21 or younger and
federal international terrorism cases. and training people how to use the juvenile system that we don't use that often and federal prosecution that is one of the most effective people to get those people with radicalization and set communicating through twitter never in the real world. so takes those entrusted to the retailer and turns it into a kill list to see who was from the local state agency and then to use that technology pushes that back to the united states we are coming for you we have stolen this information. because that company works effectively he was arrested
and convicted and is doing 20 years in the eastern district of virginia and outside the long arm of law enforcement was killed in the publicly acknowledged military strike bike cybercommand. so to have to move at the speed of cyberto diplomatic or criminal and most importantly it cannot be solved unless we fix that point to share the information in the first place or vice versa to take that action when i educate companies they were not thinking life or death but do i need to pay for credit monitoring? but what has already happened?
>> so now as a finalist? >> i will not discuss that case in particular but more generally social security numbers as the former white house are on cybe cyberwe need to continue to come up with new ways of authenticating who we are onlin online. it's all out there for sale. >> and with obama you but you can handle it i heard you speak on monday you talk about information sharing i will ask you this question so explain
how well they are doing with that analysis center the industry specific can you comment on that? >> you can pick which one you want to answer. >> as a senior advisor bringing it down to a personal level, within the last month i have received ran somewhere e-mail. is scared that the jesus out of me but it outlined what they were doing we have gotten your e-mail address if you don't pay us a hundred dollars
we will take you down. i got panic stricken because my life is on my computer. i talked to some and we found out this has been happening we want to do for the people have gotten that in this room? i did nothing and nothing happened. but still the terror is there for two days they said if you don't pay us in 48 hours we will shut you down. so as subs - - subsequent question, this is a big issue does the united states have the manpower and intellect to handle it and do we need to do more? do we need to train more people or are they in place? >> i will start with the last one first. no. we do not have enough people who are trained in this area to handle not only the threats
and vulnerabilities but where we see this headed over the next five years. so those specific solutions to be a bipartisan issue for immediate action which the law enforcement intelligence space to be woefully underfunded for what they face the fbi specifically has challenges on its plate but in terms of cyberbut there is also a skills gap in terms of the recommendation of the one hundreds of thousands for those that are prepared to
tackle the svc major companies with funding and incentivizing to have that set of skills with information sharing the model is a good one some are better than others it has to go to that expertise there is a limited number of skills and to be in better shape than others so the financial sector is in much better shape because they made that resource commitment. that causes billions of dollars worth of damage because they pay the ransom so it incentivizes those to keep doing it which isn't just organized criminals but nationstates like north korea
who uses that to raid capital. >> so ultimately at the end of the day to educate people on the threats we may not prevent them from happening but we could after the fact that hopefully the threat will start to decrease. >> this is been great unfortunately we are out of tim time. but we do have time to go walk to the back of the room and by the book. thank you for doing this it has been a great conversation. [applause]
[inaudible conversations] >> another form of resistance during the sixties the superintendent of schools at the time were reinforcing segregation when the schools were overcrowded to keep more black kids in one place and then to lay the ground they would go to all white schools and then would be arrested all
the way through 2015 when the hunger strike happened they went without solid food for 34 days to keep it open so i write about that in one of the chapters and they said that they stopped the hunger strike because they realize the mayor would let them die. so what does that mean to be a person in the city for evidence suggests that the civic leader will literally let you die rather than reopen the high school? so that legacy of resistance is important because i want to make sure organizers understand this is part of your birthright of who and what you come from but also they don't get told all the time that's why people say things if i was a slave i would run away. people are very ignorant of the different forms of resistance and what has been