affect her rulings. could it be better time as a leader in the peurto rican legal defense and education fund on fine organization, provides a clue to her decision against the firefighters? while the nominee was chair of that litigation committee, the organization aggressively pursued racial city hiring and in numerous cases five to overturn the results of promotion exams. it seems to me that in ricci, judge sotomayor's empathies turned out to be prejudiced against another. that is of course the logical flaw in the empathies standard. empathy for one party is always prejudiced against another. judge sotomayor, we will require into how your philosophy which allows activity into the courtroom affects your decision-making. for example an abortion where an organization of which you were

an active leader argued that the constitution requires taxpayer money to fund abortions, and gun control where dew recently noted the second amendment does not prevent a city or state from barring gun ownership. private property, where you ruled recently that the government could take property from one developer and give it to another. capital punishment, were you personally signed a statement opposing the reinstatement of the death penalty in new york because of the in human psychological burden it places on the offender and the family. so, help the american people will follow these hearings closely. they should learn about the issues and listen to both sides of the argument and at the end of the hearing, if i must one day go to court, what kind of judge do i wish to hear my case? do i want a judge that allows his or her social, political or religious views to change the

outcome or do i want a judge that impartially applies the law to the facts and fairly rules on the merits without bias or prejudice? it is our job to determine which side of that fundamental divide the nominee's stance. thank you mr. chairman.

>> this week on the communicators, a discussion on how protected u.s. computer systems are agents cyberattacks. our guest is james lewis of the center for strategic and international studies. >> host: lung before cybersecurity and cyberattacks became part of our election james lewis was studying the issue of how to protect the internet and making recommendations. james lewis spent many hours briefing congress and intelligence agencies on how to provide cybersecurity and he is our guest this week on the communicators. also here, siobhan gorman, longtime national security and intelligence recorder. dr. lewison we could just start, and if he could explain to us what happened this past week? >> guest: this week wasn't really a big deal in many ways. this is a fairly basic attack. someone in fact thousands of computers, turns them into a zombie network and then has them launch packets at targets and

then when the target computer gets hit with these thousands of packets it is overwhelmed and the crashes. they are easy fixes to this and what was interesting to me was that most agencies knew how to fend off this kind of attack but a few of them didn't and that is what is worrisome. this was a no-brainer. >> host: in other words is it fair to say this was a spam attack? >> guest: it is different from spam in that spam has a message and they want you to read it burgoine this uses the same techniques as spam but there wasn't a message. spam is the twin of this kind of attack. >> host: how do we know it came from north korea? >> guest: everyone is blaming north korea. i think we should blame them as often as possible but one of their rules of thumb in this business is its vitriol of bread crumbs leads to a particular doorstep you should be really suspicious because a smart attacker would make it look like it was someone else, so it could have been the russians, it could it been any number of countries. >> guest: what are you hearing

at this point about who the culprits might be other than north korea? >> guest: some people's said perhaps left wing hackers in south korea which is a bit funny. this is a normal part of politics now in north asia. ucf in taiwan, china and korea. these sorts of attacks go on every day applicative in the rations. the russians did this in georgia. they did it in estonia and when i first read about it i thought it was the russians because when obama was there they called him patriotic packer's. maybe some patriotic hacker got their nose out of joint over something he said so the short answer is we suspect north korea and it is good to blame them but we don't know for sure. >> host: how many people does it take to mount such an attack? >> guest: one. >> host: how many computers? >> guest: to write the malicious code you really need one person and one computer but the malicious code then goes out and it affects thousands of

computers so the number of computers involved in the attack were 50 or 60,000. the way that works is if you have a home computer and you are hooked up to a cable network, it is always on and the malicious code will come to your computer. it will take over your computer. you will never know it and it will turn it into a summit. they call them botnets. this was a botnet of tens of thousands of computers used for the attack but the fellow who did it, one or two people, one computer. >> guest: one thing i have heard is the code itself is not very sophisticated. it is a well-known and older version of it will not cut. is your sense that the people, whoever decided to do this wasn't being that imaginative or was not really that good? >> guest: i have mixed feelings because the code was eight revis code. probably got it off of a cybercrime web site. you can buy this stuff. some have rankings, like the

seller has sold successfully ten times in the past but the attack is the most primitive kind of attack. there were some sophisticated parts to it. eight caymen three waives. they adjusted the target for each way. so it wasn't somebody who was a dope. let first i thought basic attack, a kid could do it and now looking at it there must have been some brains behind it. guess could you make anything of these recent reports out of south korea that there has been hard drives that were raised as well? does that seem like a separate issue, and related? >> guest: that would be more damaging kind of attack and we have not seen that in the u.s., so it makes you wonder if it was a different set of attacks. these things go on every day so you can easily have multiple attacks occurring at the same time from multiple countries with multiple target so it could have happened in south korea. >> host: james leasee said zombie computers. could that one code have

infected u.s. computers to make those part of the attack also? >> guest: sure, many of the computers and balton yitzhak were located in the u.s.. when you look at maps, there is a lot in california and new york. >> guest: that was the northern california, so sure one of the problems of these kinds of attacks is a shrewd attacker will use computers scattered all over the world so you confine germany can we confine japan and the u.s.. when people talk about shooting back against the attackers, remember we would be shooting back against california and birmingham. >> host: you also said we should have been able to defend against this. why were we not able to? >> guest: the good news is many agencies were able to defend against it so if you went to the white house which was one of the targets, some of that has to do with the preparation, some of that has to do with architecture and how they

thought about building the system but there were some agencies that went down. when you click on your web site you couldn't get to it. that is not a big deal but on the other hand they should've been prepared. this is not an easy one, this is not a hard one to defeat. >> guest: what does that mean the state department was still feeling the effects even yesterday? you would think the state department's defences, they obviously have a lot of national security responsibility, they would a paid more attention to that kind of thing. >> guest: what it means is we have a lot more work to do. if you have treasury, the secret service, ftc all damaged by this while other agencies escape it, somebody knows the right thing to do and we have to make sure that is a common standard across government. >> guest: where is that effort now? >> guest: the effort is on hold while they scrounge around looking for a cybercoordinator. that could appear before the end of the year. we need somebody, and it is not

azar. >> pelosi's the terms are. what we have is-- think of this is someone to conduct the orchestra. when you have state, treasury, dhs, d.o.d. who is at back in lead the orchestra and that is really the white house. we need the conductor. one of the things that to do is say guys, we have this attack, the performance was mixed. let's all get on the same page. >> guest: what is the hold up? i know you are keeping account of how long it is than that the white house has been working on this issue and has done quite yet produced this official to show the way. >> guest: my guess now is that they have actually picked someone. i don't know who it is but it is an outsider and they have to go to the vetting process and after of course all of the tax problems was some of the earlier nominees they have that for their positions they are very cautious on my bed is currently it is the excruciatingly thorough vetting process that

the white house does. before that there were turf battles and disputes over substance. this is then a messy process but it looks like we are coming to the end. >> host: james liz is the ftc currently responsible for its own cybersecurity and other agencies all individual responsively? gets wet one level that is the right answer. and one level we have had a tribal approach to cybersecurity which is each tribe's gets to decide to do its own thing and that was probably a good way to do this in the stone ages but now it's time to move on. some agencies contract fell to a service providers otis really the service provider that when they have the contract, is responsible so the white house was providing for example and did a good job. the white house does its own stuff. >> guest: you mean the internet service provider. >> guest: that is right, whoever is hosting, providing the hosting services for the white house. i don't know this for a fact

that what i have heard is the agencies that had problems were the ones that tend to try to do it more in the house so one of the answers here is how we get this done at a level where the professionals doing it? that is an insult. how do you get to a level his people is not communicating with citizens. >> host: what is your estimate of how much is being currently spent by the government on cybersecurity? >> guest: you know it better than me. >> guest: they got $17 billion over five years from what the bush administration proposal was and i think they actually asked for $30 billion. i have heard industry estimates the going to 50 billion in terms of what their expectation is but i think that may be beyond federal spending. >> guest: if you look to the federal government is the single biggest i.t. customer in the world so they spend billions every year. and depass cybersecurity got a fraction of that and that is the reason we are having those problems now. that started the chain to the

last period of the bush administration and change in this administration. >> host: what keeps you awake at night when you think about a cyberattack? >> guest: if i was going to be worried about it, for me this has always been more of an intelligence problem and it is an espionage problem. we have as the nation suffered mightily from the ability of our foreign opponents to access the sunsetted request of information and take it further, so what worries me the most is that we have had a counterintelligence disasters in the u.s. and we are just now starting to fix it. >> guest: what about the financial side? what i hear from intelligence officials is their most worried about the impact this is having in terms of death by 1,000 cuts on the financial side. >> guest: we use the death by 1,000 cuts, which is your company and you and then the new

wonder thing, and you have a plan for the new wonder thing but before you can get it on the market some competitor has a very similar product. your company and you are trying to buy another company and say china and when you go to do the negotiations it is like the people on the other side of the table know you are talking points and no your bottom line and know all of your positions. these are not in hypothetical cases, so that is where we are seeing a drag on the u.s. competitiveness, a drag on economic performance and an unintended subsidy for economic competitors. >> guest: and financial crimes two, both together? >> guest: i don't put them together because the financial crimes are a separate and less damaging. >> guest: stealing money. >> guest: it is not a national security director of the loss of technology and military secrets is a national security threat. >> host: have we lost military secrets and intelligence to

cyberattacks? >> guest: oh yeah. it is been going on for about a decade. he actually from military contractors, the pentagon has been hit so many times that sort of cyberthieves or cyberspies tend to focus on the contractors because their defenses are down just a little bit less than the pentagon frequently. >> guest: these are smart opponents. these are foreign states with their intelligence agencies at least three or four of which are as good as ours so they look for the weak spot and they have been very successful. they have got into, i would say dod is the best agency but that doesn't mean they haven't been had. >> guest: d.o.t. is actually been a rather open, more open than a lot of other agencies. >> guest: the best one who is probably late last year, centcom, the classified network for send cam being penetrated by an unknown foreign party. that is a big deal and even a bigger deal was that they

couldn't get the unknown foreign party off the networks for several days. >> host: this is our communicators program. our guest this week is james lewis, with the center for strategic and international studies, cybersecurities the topic. siobhan corpman is also with us. we have talked little bit about the private sector but what is their role in protecting the infrastructure of the u.s. government? >> guest: this is a very difficult issue, and parted it is because we certainly for the last few years have been whetted to an ideology that said the market would lead, that regulation was bad and you know and most business events or things, the market should lead and regulation is bad but when it comes to national security the market isn't going to deliver, so we are wrestling with this as a nation and we are a little handicapped. you don't see this in places in

europe or asia where the role of the government is more accepted. people are not as worried about the government intruding into the industry. that gives them an edge. >> guest: number of government officials i have talked with called it a market failure and i was wondering if you agree with that and if you fix it? >> guest: it is an issue of deep shame because in 1996 i was on a task force to come up with a strategy for securer public networks, right before the internet was being commercialized and i wrote a paper. fortunately not released. the market would deliver it for us and so i went on a recovering market. the market is not delivered. what does delia mean? it means in some cases, some companies do a great job. even companies that do a great job it hacked every once in a while. some companies don't do a great job in their places, the electrical grid, where we should be nervous. do we know what everyone is doing?

will they come to an on their own? if you can go on the web you can see how some-- house security summit had a hearings and those to be best the bee described as shocking so you might see some legislation if we are lucky. >> guest: there were three bills dealing with electrical issue for cybersecurity. >> guest: they are not making any progress of the good news is we have to get out whenever a problem in the bad news is we can't fix the. >> host: let's walk through some of the congressional proposals to enhance cybersecurity. what are some of those proposals? >> guest: the most comprehensive one is sent-- many people dislike it because it creates a very powerful white house office. talks about setting standards for products and for training. it talks about certifying professionals then has the other components in it as well. it has what we call the big switch, the big red's which would be the president has the

authority to turn off the network when it is the affected-- infected. the bill is being revised burke of the initial draft attracted a lot of criticism but i am told by a committee staff that they hope to have a new version there reflects these comments out in a couple of weeks. that bill has become sort of the centerpiece of a set of other efforts. senator lieberman in senator collins on the homeland security committee are looking at a bill that would give dhs more authority. the house homeland security committee has a bill that looks at the electrical industry. their bills on improving fisma, the federal information security management act, and right now is the sort of a paper test. how well did you live up to your plan? >> guest: most of them plan come-- failed, right? >> guest: you can still get a high score and still be

fabulously instacare south senator carper has a bill for example to adjust fisma so it reflects reality, which would be a departure for the government but it would, the package of the legislation, there are other bills on breach notification for privacy. people are talking about privacy legislation. senator feinstein is thinking about legislation. >> host: what are some of the privacy concerns with these bills? >> guest: two sets of concerns. the most important is one of the best way to defend against cyberattack is something called deepak inspection. deepak inspection means looking inside the message traffic to see if there is malicious code and what people say, the way to think about it is suppose, and this is how the laws are written unfortunately, think of a letter coming to you an envelope and i'm going to open the envelope and read the letter to see if there is a malicious code for gilded of course makes people nervous than they should be

nervous after the experience of the last seven years. >> guest: what you think should be done to address that? >> guest: what we don't recognize this technology has changed. most of our laws or read in the '80s when you still have-- their audit date. you can have a difference now between reading a message for content and reading it just for malicious code and the way to think about it, to go back to the letter, suppose i don't read german. suppose i opened the envelope and there was a letter written in german. i could read the letter in the sense that i could look for the malicious code pattern but i would not understand the content. we have the technology to do that but our laws do not prevent us. >> guest: what is the likelihood the loss would change? >> guest: this year, zero. people are driven towards the fact that there are technological solutions that our lives currently block. >> guest: in terms of the discussion about what should be done versus some of the privacy terms making it hard, what is,

it seems a little bit of the overlay is the whole previous warrantless debate, even though that has a tangential relationship to the cybersecurity, not tangential-- the technology is similar. can you talk about kind of the political dynamic there? >> guest: well, you are attempting me to make fun of the previous administration and i will resist. it is hard to tell people trust us when you have clearly violated the law and perhaps ignore the spirit of the constitution. people don't tend to always make the switch that it is a different administration but they say, nsa is nsa and how can we trust them? i think we can trust nsa and the current administration. you can trust and a say in general, but people are nervous because of the warrentless program. and you can't blame them for

that. you can't have a program that was probably illegal, run for years and then say we fixed it, trust us. that kind of-- kurds so we are inheriting a political informant were trusting the government has been damage. >> host: james lewis has the growth in the wireless industry contributed more to the lack of security? >> guest: it has because when you get a wireless router you can do this at home if you want, the password is the password and user name is it meant. that is probably true for all systems so i-- it is easy to do. you can drive around neighborhoods with their laptop or if you have a wireless device and look for open networks. most people are beginning to figure it out. at a minimum, i need to secure my network with wireless encryption. >> host: that means a password? >> guest: at a minimum a passport. the problem is any signal that travels to the air can be

captured so if i can capture the signal, i can probably break the encryption and as he got the food chain, can i do it? no, i can do it. can a cybercriminal do it? pretty easy stuff. can the soviet russian intelligence agents to break it? absolutely. if you are doing high in stuff on the wireless and some of our biggest david preaches have occurred where criminals drove around to chain stores and went in the parking lot until they found one where there was a glitch in the security, download it everyone's credit card data. you are counting on having thousands of systems and each one is secure in what we know from practice is if there is 10,000 systems, 15 or 20 of them aren't going to be secure in my job as a spies to find those unsecured systems. >> guest: for the government how big of a concern is the wireless issue as they try to get their arms around government that works because obviously the

government workers are wireless with their laptops and things like that. >> guest: that is a real problem and they have tried to think about requiring a encryption. many agencies, national security agencies and wireless devices. there are limits on what you can do with wireless routers. where you can install them so i think the government in particular in places like d.o.d. have done a good job of moving this issue under control. don't know about other agencies and of course as you point out, somebody is going to stop at a starbucks in use their wireless router, that is probably hackel. we can talk about this a lot because it is a lot of fun. most countries that figure out you can tap into wireless networks so if you go to example, to china or russia and you take your laptop or your blackberry they are going to hack it. so, when people say to me if i take my laptop to china, is that bad? i say it depends on you feel about sharing.

>> guest: i was actually talking to the head of counter-- and he was talking about how, i think it was even somebody, some technology executive who went to china and hattie fresh pda type device and got off the plane and by the timey got to his hotel it had a bunch of spyware. it does seem like that is a big problem and i wonder how much of a problem that kind of thing is here. people's talk about things like bluetooth slurping and techniques that are being used in the wireless environment that would be a big concern for the government as well as cyberattacker. >> guest: the dilemma here is coming in to be clear don't blame the chinese for doing this. this is what governments are supposed to do. we have our restrictions. you have devah wanting get cohort approval. almost no other country in the world has as many strictures on collection as we do so i don't blame them. that is their job. for us, the problem is, in this

is true for the internet writ large, the benefits to productivity and conectiv dutied are so great that people want to be connected and they put that i want to be connected ahead of i want to be secure and frankly that is a tough trade. we may gain a lot from being connected but we lose a lot from not being secure in fixing that is where we are stuck. >> host: james lewis are other countries more protected because they have a national plan? >> guest: in some ways most countries are not even aware this is an issue. i was talking to someone from the u.n. this morning and you could identify and tire continents where they are not aware this is a problem. the more sophisticated countries, yes. one of the things that it's irritating is when you look at some of the european countries, who saw that united states was going to come up with a strategy, decided they would have their own strategy. they have actually finish. we started before them.

>> guest: you talking about u.k.? >> guest: i'm talking about france in particular but also the u.k.. i was talking to the french cybercourtner and he was telling me what they intend to require electrical companies to be more secure. i said how did you do that? he said, which still have the government's role is more intrusive and france and people don't object to that so they might have members on the board, they might have partial ownership and that gives them leverage to go in and say you have to secure your network. we don't have that leverage. >> guest: does the government have that leverage in the financial-- >> guest: why would you think that? >> guest: it is a big investor in a lot of banks and companies now and i was wondering whether not-- >> guest: we have not taking advantage of that. part of that is coming up with a coordinated strategy which hopefully we will do in the next year but the financial sector is one of the sectors that is done pretty well. they have been poised to think

about security. what i heard from a senior white house official was the financial crimes have quadrupled in the last year because this is a risk-free environment, if you can break in. you can make a lot of money in just a couple of seconds and the odds of you being caught are zero. so, if he can sit in st. petersburg, probe 100 u.s. banks, maybe get into one and make 1 million bucks it is a beautiful crime. >> host: james lewis we have talked about, you mentioned russia, we have mentioned north korea and china. any of the countries that seem to be the source of these attacks? >> guest: when we say country it is important to note that i do lay shorthand so for example, china, you could have multiple agencies that are competing with each other. multiple ministries in china. you could have privateiz