
tv   The Communicators  CSPAN  July 13, 2009 8:00am-8:30am EDT

8:00 am
8:01 am
>> this week on "the communicators," a discussion on how protected u.s. computer systems are against cyber attacks. our guest is james lewis of the center for strategic and international studies. >> host: well, long before cyber attacks became part of our lexicon, james lewis was studying the issue of how to protect the internet. he's spent many hours briefing congress and intelligence agencies on how to provide cybersecurity, and he is our guest this week on "the communicators." also here, long time national security and intelligence reporter. dr. lewis, if we could just start, and if you could explain to us what happened this past week. >> guest: this week wasn't really a big deal in many ways. this is a fairly basic attack. someone infects thousands of
8:02 am
computers, turns them into a zombie network, and then has them launch packets at targets. and when the target computer gets hit with these thousands of packets, it's overwhelmed, and it crashes. now, there's easy fixes to this, and what was interesting to me is that most agencies knew how to fend off this kind of attack, and a few of them didn't. that's what's worrisome. this was a no-brainer, we should have been able to beat it. >> host: is it fair to say this was a spam attack? >> guest: it's different in that spam has a message and content, and they want you to read it. this one used the same techniques, but there wasn't a message to read. so, yeah, spam is the twin. >> host: and how do we know it came from north korea? >> guest: we don't. everyone is blaming north korea. i'm all for it. i think we should blame them as often as possible, but one of the rules of thumb in this business is if the trail of bread crumbs leads to a
8:03 am
particular doorstep, you should be suspicious. a smart attacker would make it look like someone else. could have been any number of countries. >> host: what are you hearing about who the culprits might be other than north korea? >> guest: some people have said perhaps left-wing hackers in south korea which is a bit funny. this is a normal part of politics in north asia. these sorts of attacks go on every day if not every week. it could have been the russians. the russians did this in georgia, they did it in estonia. in fact, when i first read about it, i thought it was the russians because when obama was there, you know, they call them patriotic hackers. maybe some patriotic hacker got their nose out of joint over something he said. so the short answer is we all suspect north korea, and it's good to blame them, but we don't know it for sure. >> host: how many people does it take to mount such an attack? >> guest: one. >> host: one. how many computers? >> guest: oh, the computers. to write the malicious code you
8:04 am
really only need one person and one computer, but that malicious code goes out and infects thousands of computers, so the number of computers involved in the attack, i think, was about 50 or 60,000. but the way that works is if you have a home computer and you're hooked up to a cable network, and you know this very well, it's always on. the malicious code will come to your computer, it will take over your computer. you will never know it, and it will turn it into a zombie. so this was a botnet of tens of thousands of computers used for the attack, but the fellow who did it, one or two people, one computer, you know? >> host: i've heard the code itself isn't sophisticated, it's actually a well known and an older version of a well known code. whoever decided to do this wasn't being all that imaginative or wasn't even that good? >> guest: you know, i have mixed feelings because the code was, as you say, sort of a reused
8:05 am
code, probably got it off a cyber crime web site. you can buy the stuff. some of them have rankings, you know, like this seller has sold successfully ten times in the past, but the attack is the most primitive kind of attack, but there were some sophisticated parts to it. it came in three waves, they adjusted the target set for each wave, they changed the zombie computers they were using, so it wasn't somebody who was a dope, right? first i thought, basic attack, kid could do it. and now looking at it, there must have been some brains behind it. >> host: do you make anything out of these reports out of south korea that there were hard drives that were erased as well? does that seem like a separate issue? unrelated? >> guest: that would be more damaging, and we didn't see that in the u.s., so it makes you wonder if it was a different set of attacks. these things go on every day, so you could have multiple attacks occurring at the same time from multiple countries. could have happened in south
8:06 am
korea, my guess would be not related. >> host: you said zombie computers. could that one code have infected u.s. computers to make those part of the attack also? >> guest: oh, sure. no, many of the computers involved in the attack were located in the u.s. in fact, when you look at maps of where the attacks came from, there's a lot of california -- >> host: i heard there was a server that did some of the command control. >> guest: i thought that was in northern california. >> host: yeah. >> guest: so, sure, one of the problems with this kind of attack is that a shrewd attacker will, you know, use computers scattered all over the world so you can find germany, japan, the u.s. when people talk about shooting back against the attackers, remember we'd be shooting back against california and berlin. >> host: you also said that we should have been able to defend against this. why were we not able to? >> guest: well, the good news is that many agencies were able to defend against it, so if you
8:07 am
went to the white house, they were completely unaffected, and some of that has to do with preparation, some of that has to do with architecture, but there were some agencies that went down. and when you clicked on their web site, you couldn't get to it. that's not a big deal, but on the other hand, they should have been prepared. this is not an easy one -- this is not a hard one to defeat, pardon me. >> host: what does it mean that the state department was still feeling the effects even yesterday? you'd think that the state department's defenses, they obviously have a lot of national security responsibility, that they would have paid more attention to that kind of thing. >> guest: what it means is we have more work to do, right? if you have treasury, state, secret service, ftc all damaged by this while other agencies escaped it, it means somebody knows the right thing to do, and we have to make sure that becomes a common standard across the government. we aren't there yet. >> host: where is that effort now? >> guest: the effort is sort of on hold while they scrounge
8:08 am
around looking for a cyber coordinator. that could appear before the end of the month, that would be good. you need somebody -- and it's not a czar. people always use the term czar. we don't have czars in the u.s. government, and when we do, that ends up badly. think of this more as someone to conduct the orchestra. when you have state, treasury, dod, who is it that can lead the band or orchestra? that's really only the white house. one of the things they have to do is say, guys, we had this attack, you know, performance was mixed, let's all get on the same page. >> host: well, what's the hold up then? i know that you're keeping a count of how long it's been that the white house has been working on this issue and hasn't quite yet produced this official to show the way. >> guest: my guess now is that they'd actually picked someone -- i don't know who it is -- and they have to go through the vetting process. after, of course, all the tax problems with some of the earlier nominees, they're very
8:09 am
cautious. so my bet is currently it's the excruciatingly thorough vetting process that the white house does. before that there were turf battles, disputes over substance. you know, this has been a messy process, but it looks like we're coming to the end of it. >> host: so, james lewis, is the ftc currently responsible for its own cybersecurity, all individual responsibility? >> guest: at one level that's the right answer. at one level we've had kind of a tribal approach to cybersecurity which is each tribe gets to decide to do its own thing, and that was probably a good way to do this in the stone ages, but now it's time to move on. some agencies contract out with service providers, so it's really the service provider that when they have the contract is responsible. so the white house has the service provider, for example, that did a pretty good job. >> host: and you mean the internet service provider. >> guest: yes, that's correct. well, it could be at that level.
8:10 am
whoever's providing the hosting services for the web site. what i've heard -- i don't know this for a fact, but what i've heard is the agencies that had problems were the ones that tend to try to do it more in-house, so one of the answers here is, you know, how do we get this done at a level where you have professionals doing it. that's an insult. how do you get this done at a level where you've got people whose job is security and not communicating with citizens. >> host: what is your estimate on what is being spent on cybersecurity. >> guest: you would know that better than me. >> host: they got $17.5 billion from the bush proposal, and i think they asked for $30 billion. i've heard industry estimates that go into 50 billion over five years in terms of what their expectation is, but i think that may be beyond just federal spending. >> guest: if you look at federal spending, it's the single biggest i.t. customer in the
8:11 am
world. that's one of the reasons we're having these problems now, it wasn't a priority. that started to change in the last year of the bush administration, it's changed very clearly in this administration, so we're in probably the double digit billions now. >> host: what keeps you awake at night when you think of a cyber attack? >> guest: if i was going to be worried about it, for me this has always been more of an intelligence problem and an espionage problem. we have, as a nation, suffered mightily from the ability of our foreign opponents to access sensitive or classified information and take it for their own use. so what worries me the most is that we've had a counterintelligence disaster in the u.s., and we're just now starting to fix it. >> host: what about the financial side? because what i hear from a lot of the intelligence officials actually is that they're most worried about the impacts this is having in terms of death by a thousand cuts on the financial side.
8:12 am
>> guest: i would call it the economic side. >> host: yeah. >> guest: we use the death by a thousand cuts which is you're a company, and you invent the new wonder thing, right? and you have the plan for the new wonder thing, but before you can get it on the market some competitor has a very similar product. or you're a company, and you're trying to buy another company in, say, china. when you go to do negotiations, it's like the people on the other side of the table know your talking points, they know your bottom line, they know your positions. how does that happen? and these aren't hypothetical cases. that's where we're seeing a drag on u.s. competitiveness and really an unintended subsidy to our financial competitors. >> host: and financial crimes, right? do you put them together? >> guest: i don't because the financial crimes are separate in some way, less damaging. >> host: stealing money versus information. >> guest: bank robbery's fun, but the loss of military secrets
8:13 am
is a national security threat. >> host: and have we lost that through cyber attacks? >> guest: oh, yes. >> host: yes. >> host: no doubt? >> guest: probably for about a decade. >> host: and frequently from contractors. the pentagon has been hit so many times. sort of cyber thieves or spies tend to focus on contractors because their defenses are down just a little bit less than the pentagon frequently. >> guest: these are smart opponents. these are foreign states with their intelligence agencies, at least three or four of which are as good as ours, so they look for the weak spot, and they've been very successful. they've gotten into i would say dod is the best agency when it comes into this stuff, but that doesn't mean they've been hacked. >> host: dod's been quite open about it actually. >> guest: yeah. the best one was probably late last year, centcom. the classified networks for centcom
8:14 am
being penetrated by unknown foreign party. that's a big deal. and even a bigger deal was that they couldn't get the unknown foreign party off the networks for several days. yeah. >> host: this is our communicators program, our guest is james lewis, cybersecurity is a topic. siobhan gorman is also with us. we've talked a little about the private sector, but what is their role in protecting the infrastructure of the u.s. government? >> guest: this is a very difficult issue. and part of it is because we certainly for the last few years have been wedded to an ideology that said the market would lead, that regulation was bad. and, you know, in most business events or things the market should lead and regulation is bad. but when it comes to national security, the market isn't going
8:15 am
to deliver. so we're wrestling with this as a nation, and we're a little handicapped. you don't see this in places, in europe or in asia, where the rule of the government is more accepted. people aren't as worried about the government intruding into industry. that gives them an edge. >> host: a number of the officials i've talked with about this have called it a market failure, and i was wondering whether you agree with that. >> guest: in 1996 i was on a white house task force right when the internet was being commercialized, and i wrote a paper -- fortunately not released -- that said we didn't have to worry about things like security because the market would deliver for us. the market hadn't delivered, the market has failed. what does failure mean? it means in some cases some companies do a great job. even those companies get hacked every once in a while. but some companies don't do a
8:16 am
great job, and there's places -- the electrical grid -- where we should be nervous, right? do we know what everyone's doing? have we held them to a common standard? will they come to it on their own? you can see there was a series of hearings on what the electrical industry was doing, and those can best be described as shocking, so you might see some legislation if we're lucky -- >> host: there are three bills just dealing with the electrical issue for cybersecurity. >> guest: there are, but they're not making any progress. the good news is we figured out we have a problem, the bad news is we can't fix it. >> host: what are some of those proposals, dr. lewis? >> guest: the most comprehensive is a good bill put forward by senators rockefeller and snowe. many people dislike it because it creates a very powerful white house office, it talks about setting standards for products and training, it talks about
8:17 am
certifying professionals and has other components as well. it has the big red switch which would be that the president has the authority to turn off the network when it's infected. >> host: a private network. >> guest: a private network which is startling, and i'm not quite sure it's constitutional. the bill is being revised, the initial draft attracted a lot of criticism, but i'm told by committee staff that they hope to have a new version that reflects these comments out in a couple weeks. that bill's become sort of the center piece of a set of other efforts. senator lieberman and senator collins on the senate homeland security committee are looking at an authorization bill that would give dhs more authority. the house homeland security committee has a bill that looks at the electrical industry. there's bills on improving the federal information security management act, and right now it's been sort of a paper test, you know, how well did you live up to your plan? >> host: and most of them
8:18 am
failed, right? the vast majority? >> guest: it doesn't make any difference because you can get a high fisma score and still be fabulously insecure. senator carper, for example, has a bill to adjust fisma, so it affects reality which would be a departure for the government, but it would -- the package of the legislation, there's other bills on breach notification for privacy, people are talking about privacy legislation. senator feinstein is thinking about legislation, a lot of activity on the hill. >> host: what are some of the privacy concerns with these bills? >> guest: two sets of privacy concerns. the most important is that one of the best ways to defend against cyber attack is something called deep packet inspection. and deep packet inspection means looking inside the message traffic to see if there's malicious code. and the way to think about it is suppose you -- and this is how a lot of our laws were written, unfortunately. think of a letter coming to you
8:19 am
in an envelope, right? and i want to open it and read the letter to see if there's malicious code, right? that, of course, makes people nervous, and they should be nervous after the experience of the last seven years. >> host: what do you think should be done to address it though? >> guest: what we don't recognize is technology has changed. most of our laws were written in the '80s. they're outdated. you can have a difference now between reading a message for content and reading it just for malicious code, and a way to think about it to go back to the letter example is suppose i don't speak german. suppose i opened an envelope, and there was a letter written in german. i could read that letter in the sense of going through each line and looking for the malicious code pattern, but i wouldn't understand the content. we have the technology, but our laws don't prevent us to be -- >> host: what's the likelihood those laws could be changed? >> guest: this year zero. people are being driven towards the fact that there are
8:20 am
technological solutions that our laws currently block. >> host: in terms of the discussion about what should be done versus some of the privacy concerns that make it hard, i mean, what is -- it seems like a little bit of the overlay is this surveillance debate even though that has kind of a tangential relationship -- not tangential, i mean, the technology is similar, but the purpose is obviously quite different. >> guest: sure. >> host: can you talk about kind of the political dynamic there? >> guest: well, i don't know, you're tempting me to make fun of the previous administration, and i will resist. it's hard to tell people, trust us when you've clearly violated the law and perhaps ignored the spirit of the constitution. and people don't tend to always make the switch that it's a different administration, but they say nsa is nsa, how can we trust them? i think you can trust nsa under the current administration. you could trust nsa just in
8:21 am
general. there, you get me in trouble. but people are nervous because of the wireless program. and you can't blame them for that. you know, you can't have a program that was probably illegal run for years and then say, oh, we fixed it, trust us. that kind of thing really hurts, so we're inheriting a political environment where trust in the government has been damaged. >> host: james lewis, has the growth in the wireless industry contributed more to the lack of security? >> guest: it has because when you get a wireless router, and you can do this at home if you want, the password is password, and the user name is admin. so i can drive around. i do this -- well, i shouldn't -- it's easy to do. you can drive around neighborhoods with your laptop or if you have a wireless device and look for open networks. now, most people are beginning to figure out at a minimum i need to secure my network with wireless encryption. the problem is -- just which
8:22 am
means a password. >> guest: at a minimum. the problem is that any signal that travels through the air can be captured, so if i can capture the signal, i can probably break the encryption. as you go up the food chain can i do it? no, i can't do it. can a cyber criminal do it? for easy stuff, sure. can the soviet russian intelligence agency do it? can they break it? absolutely. some of our biggest breaches have occurred over wireless where criminals went around to chain stores and downloaded everyone's credit card data, you know, you're counting on having thousands of systems and each one is secure, and what we know from practice is if there's 10,000 systems, 15 or 20 of them aren't going to be secure. and my job then as a criminal or spy is to find those unsecured systems. >> host: so for the government then how big a concern is the
8:23 am
wireless issue as they try to just sort of get their arms around and secure government networks? obviously, government workers are using wireless with their laptops and things like that. >> guest: well, that's a real problem, and they've tried to think about maybe requiring encryption in some cases. many national security agencies ban wireless devices. there's limits on what you can do with wireless routers, where you can install them. so i think the government, particularly places like dod, have done a good job of moving to get this issue under control. don't know about other agencies, and, of course, as you point out somebody's going to stop at a starbucks there and use their wireless router. that's probably hackable. we could talk about this a lot, because it's a lot of fun. if you go to china, russia or even some european countries and take your laptop or blackberry, they're going to hack it.
8:24 am
when people say if i take my laptop to china, is that bad? i say it depends on how you feel about sharing. >> host: i was talking to the technology executive who went to china, had a fresh pda type device and by the time he got to his hotel, it already had a bunch of spyware junk on it. it does seem like that's a big problem, i just wonder how much of a problem that kind of thing is here. people have talked about bluetooth slurping and all kinds of other techniques that are being used inside the wireless environment that would be a big concern for the government as well as the private sector. >> guest: you know, the dilemma -- and to be clear, i don't blame the chinese for doing this, this is what governments are supposed to do. we have restrictions on our ability to do it. you have to get a warrant, court approval, that's appropriate. but other countries, in fact,
8:25 am
almost no other country in the world has as many as we do. for us, and this is true for the internet at large, the benefits to productivity and connectivity are so great that people want to be connected. and they put that i want to be connected ahead of i want to be secure. and, frankly, that's a tough trade, you know? we may gain a lot from being connected, but we lose a lot from not being secure. >> host: james lewis, are other countries more protected because they have a national plan? >> guest: you know, in some ways most countries aren't even aware this is an issue, so i was talking to someone from the u.n. this morning, and you could identify entire continents where they are probably unaware this is a problem. the more sophisticated countries, yes, one of the things that's irritating is when you look at some european countries who saw that the united states was going to come out with this strategy, decided they would have their own
8:26 am
strategy. they've actually finished, right? we started before them, and yet they've finished -- >> host: are you talking about the u.k.? >> guest: i'm talking about france in particular, but also the u.k. and those places i was talking to the french cyber coordinator, and he was telling me what they had done to require electrical companies to be more secure. and i said, how did you do that? we could never get away with that here. he said, you know, the government role is more intrusive in france, and people don't object to that. they might have members on the board, partial ownership, and that gives them leverage to say you have to secure your network. >> host: does the government have that in the financial industry right now? >> guest: no. >> host: no? >> guest: why would you think that? >> host: well, it's a big investor in a lot of, sort of banks and companies right now. >> guest: we haven't taken advantage of that. i think part of that is getting people in place, part is coming up with a coordinated strategy.
8:27 am
the financial sector's one of the sectors that's done pretty well. they've been pushed by their regulators to think about security. what i heard from a senior white house official, though, was financial crimes have quadrupled in the last year because this is, this is a risk-free environment. if you can break in, you can make a lot of money in just a couple seconds, and the odds of you being caught if you live in another country are zero. so if you can sit in st. petersburg, probe 100 u.s. banks, maybe get into one and make a million bucks, it's a beautiful crime. >> host: we've talked about you've mentioned russia, north korea, and china, any other countries that seem to be the source of these attacks? >> guest: when we say country, it's important to note that i do it as sort of a shorthand, so, for example, china. you could have multiple agencies that are competing with each
8:28 am
other. multiple ministries in china. you could have private citizens who are, who are involved in this. and, you know, on a day when they're mad at the u.s., they could launch thousands of attacks like this. there's lots of players in this. you could have cyber criminals, right? you could have cyber criminals hired by a government. so when we look at places, you can find them in europe, you can find a couple in the middle east, a lot in asia and even in the u.s. now, in the u.s. it's a little more difficult because we have strong law enforcement, so if you commit this kind of crime, you will eventually be caught. but in russia or china our chances of being caught -- as long as you attack places outside -- are pretty small. >> host: how, how strong is the international effort these days on the harassment front to crack down on these kinds of things? i mean, i think recently there was this case where a bunch of these phone pbx systems had been
8:29 am
broken into, and there were pakistani links. it was mostly broken up in italy, and it seemed like that was an interesting law enforcement cooperation between the italians, the u.s. and the philippines. i'm just wondering if that's uncommon or if that's increasingly common. how good is that cooperation? >> guest: you know, if you talk to the fbi, they would tell you things are getting better. even in countries like russia they can get cooperation on some issues. the problem we have is that most places don't have good laws, right? so the classic example, now fixed, was the love bug in the philippines where they basically could give the guy the equivalent of a traffic citation because they didn't have penalties for hacking. when you look at the broad effort to get effective laws, that's come to a stand still. when you look at case by case cooperation, that's going better. >> host: james lewis, center for strategic and international studies. thank you very much. the report that you did for the
