tv   The Communicators  CSPAN  August 29, 2011 8:00am-8:30am EDT

8:00 am
>> this week on "the communicators," several of the nation's top cybersecurity analysts look at the nature of cyber threats against and what they suggest to strengthen u.s.
8:01 am
systems. we talk with james lewis of the center for strategic and international studies, alan paller of the sans institute, and catherine lotrionte of georgetown university. this is the final segment in a monthlong series on cybersecurity. >> host: well, this is week four in our look on "the communicators" at cybersecurity and cyber threats that face the u.s. and this week we've invited three cybersecurity experts to join us to talk about some of these issues. first off, james lewis who is the director of the technology and public policy program at csis. he also worked on the president's recent cybersecurity report. also joining us is catherine lotrionte, she is director of the cybersecurity project at georgetown university. she served in the general counsel office at the cia and also worked on the president's foreign intelligence advisory board during the george w. bush
8:02 am
administration. alan paller is the founder and research director of the sans institute, and he was also an adviser to both president clinton and president bush administrations at different levels. thank you all for being here today, we sure appreciate it. if i could start with a question for all three of you and, mr. paller, we'll start with you. how would you assess the cybersecurity threats currently facing the u.s., and are we doing enough to confront them? >> they're explosive, they're expansive, they're getting larger, and they're getting more sophisticated. and although we're doing a lot, we're falling further and further behind every week. >> host: why? >> guest: because the technology of the attackers is accelerating, and the sharing of data among the attackers is elegant. and our technology to stop it is just not catching up, and our sharing is abysmal. >> host: so what's the solution? >> guest: we actually know what to do meaning people have found
8:03 am
wonderful solutions across the four different arenas, but most people aren't doing them. so you have examples where good things are happening and a whole lot of reasons why other people aren't doing them, and most of the reasons are money. i don't mean they don't have enough money, i mean people are making so much money doing the wrong thing, that they don't want to switch over and do the right thing. >> host: catherine? >> the threats are getting more sophisticated and complicated, and that will continue. in the terms of what we're doing on the defensive side, you can never do enough defensively, and there's no such thing as perfect security. so there'll be a movement, and i think there is, to think off of the defensive side and start thinking more offensively. and we're talking at a nation-state level. so international engagement becomes critically important. >> host: can you give an example of what you mean by offense? >> guest: so it is very much
8:04 am
tied to the defense, and they're technologically related as well as the policy and legal are interconnected. and part of doing defense well is knowing the offensive capabilities and actually using them. so if you know that your security is not ever going to be 100%, one then it's logical to come to the conclusion -- and many have -- that you will start seeing what is sometimes referred to as more, a more aggressive defense. so as we get into the area of more aggressive defense whether from the government or private sector, and this is an important aspect of the role of the private sector, that is, in effect, offensive work. but some have termed it more aggressive defense, more aggressive security. >> host: james lewis, same question. >> guest: i actually don't believe in threats. i think what you have is a remarkably insecure infrastructure built that way,
8:05 am
insecurable the way the internet works now, and you have people who take advantage of it. these criminals, spies, armies, eventually maybe we'll see terrorists. so what i see is a place where there's no penalty for doing bad things, and it's probably unfixable. so when i look at it, i think what is it we need to change to make this a safer environment. so far we haven't done very much. the u.s. position has been to rely on the private sector and to rely on market forces. that works so well in all other fields of national security. no, it doesn't work at all, and that's part of why we're in a mess. so we need to rethink what we're doing, and that's proving to be very difficult in the current political climate. >> host: insecurable, unfixable, in a mess, what -- and so what about cybersecurity keeps you awake at night? what is your biggest fear? >> guest: nothing keeps me awake at night about cybersecurity. i don't think we're facing any sort of drastic attack in the
8:06 am
near future. right now as far as i can tell the only people who have the capabilities that could do real harm are big countries like china, russia, a few others. they're not just going to attack us for fun. when you see those capabilities spread to people like the jihadis or to north korea, then we'll have to worry. and, you know, it depends, people say usually we have somewhere between two and five years before the true nuts get cyber attack capabilities. so i don't worry too much. you know, sometimes i worry that, you know, a chinese spy or a russian criminal might accidentally trip over something in cyberspace and cause an immense blackout or crash wall street, but that's the only thing we have to worry about is somebody that's playing around and makes a mistake. >> host: alan paller, what's your response to that? >> i think -- parallel ideas. we have traditionally tried inside the automobile world said
8:07 am
drivers need to drive more safely, and we're still dying in large numbers. it wasn't until we made the cars and the roads safer that we began to have a chance to have people driving safely and staying healthy. we're building, what jim -- i don't know exactly what jim means, i think what he means is the computers that are coming out are indefensible because it's cheaper to build one that you can defend. the networks that we build on are not defending us. boeing protects you as an employee, if you don't and work with an isp, they don't do anything to protect you until you pay a whole lot of money. so we have networks that are unsafe, computers that are unsafe and users who make mistakes. but the users making mistakes are the smallest part of that. >> guest: i think we will, um, just have to accept and get used to working on networks in a system where it is unsecure, and we have to anticipate that we've been compromised and learn how to operate while we're compromised.
8:08 am
i think that's the reality of it. but good hygiene, all of that, the standards all good to do. i still believe there'll not be 100% security. i spend most of my time thinking about the calculated, strategic approach of nation-states in this space. and there are states that are reorganized themselves, created cyber commands, have hired and trained as part of their military army cyber warriors. and when states do that, they're serious about it. now, it may not be tomorrow that we see that, and they may start with, um, the theft of intellectual property. that had happened prior to engagement in conventional warfare. but it is more the state to state and even those jim refers to, the crazy individuals, the
8:09 am
lone wolf whether it's a terrorist or not, they're in somebody's jurisdiction, someone's state. so key to that is the engagement with the state actors to get at even the lone individuals that are doing this. >> guest: but one thing maybe we want to make clear is i don't think there's ever going to be a pure cyber war. you might see terrorists do a cyber attack, a stand-alone, but no country's crazy enough to depend on cyber weapons because they're just not that good. you could do some harm, you're not going to win any wars with a cyber attack. >> host: let me bring in siobhan gorman of the "wall street journal." >> host: thanks so much for joining us. focusing on the threat question, we've seen a lot more public acknowledgment of cyber attacks, and because we've seen a slew of discussions about, you know, the attempts on nasdaq, the attempts on sony, the attack on iranian nuclear facilities, an attack on
8:10 am
the computer security firm rsa, i'm wondering what you've seen in terms of these attacks that has concerned you, if anything, or if this slew of attacks actually shouldn't be of concern. maybe start with jim. >> guest: they shouldn't be of concern, but none of it's particularly new. you have espionage that's been going on since the early 1980s, you have crime. very lucrative, i'm kind of sorry i'm not in the business some days, very lucrative cyber crime that's been going on for at least a decade, and then you have the military potential. a few years ago at idaho national labs we saw the test that showed you could destroy critical infrastructure with cyber attacks, so none of this is new. what concerns me is that we're having a hard time figuring out how to protect ourselves. right now we're still sort of depending on, i don't know, fasting and prayer, and i don't think it's working very well. >> guest: i think that the
8:11 am
stuxnet on the attack on the iranian nuclear facility was a significant game changer. it indicates and shows that the cyber, it is not just limited, but that is a problem on the intellectual property theft and espionage, but that this is a political tool, one that can be legitimate; self-defense, we could make a number of arguments. but that was a significant, i think the point to estonia, too, but i think stuxnet was an indication of where we're at and where states may go. >> host: alan? >> guest: i'm with catherine on stuxnet. it had one troubling effect, and that is although it was targeted only one site, about 15,000 copies of it got out in order to get to that site, and every one of those copies is in the hands of people who can learn from it. and two things happened. one is it became acceptable in
8:12 am
some circles to use cyber attack to do physical damage to critical resources. and, two, the resources are out there. but i guess i'm on a different wave, i think -- i call it the awakening, this public knowledge. i think it may be what was needed to stop the historical pattern of security that people like to write about and then not do anything about it. and although we can't get to 100%, we can raise the bar a lot higher without damaging operations. we can do a lot of good if we get out of the let's write another report about security and spend our money on actually making systems more secure. >> host: but when you mention stuxnet and particularly all of the copies now that are floating around, what do you make of the response we've seen so far from the u.s. and other governments and private industry? i mean, is the u.s. government now prepared if someone were to
8:13 am
try to mount such an attack on some of our critical infrastructure? is private industry prepared at this point? have they now responded now that we all know what that threat is at least, what's the response? >> guest: it has been minimal. there's a stick your head in the sand. when the first big espionage attacks were reported by "time" magazine, the response of the government was to claim that it didn't happen, and when they couldn't prove it didn't happen to change its name and classify it so nobody could talk about it. stick your head in the sand when you don't know a solution seems to be the main government response. that's true in the critical infrastructure. we, there's a concept for stopping these attacks called the kill chain where you follow every single step along the attack chain, and you put in defenses at every step so if they get past three of them, they can't get past the fourth. we're not doing that. we're writing reports about vulnerabilities in the utilities without even looking at how
8:14 am
stuxnet was done and how you'd stop it. >> guest: the one thing people need to face up to is we cannot protect ourselves against the high-end attacks. so the people who are at the top of the game are going to be able to get through, and we'll need to think of other ways -- resiliency, deterrence, military doctrine -- along with the hardening of critical infrastructure. there's always an opportunity because a lot of this depends on tricking one person, and i can tell you now that for every thousand people i can trick at least one. >> host: catherine, you mentioned earlier state players. is china a threat, and is the chinese government, in your view, directing some of these cyber attacks? >> guest: so in terms of the reporting and what has been discussed, um, publicly already we, there's a pretty good indication that at least with two states that there's
8:15 am
indication that they're if not explicitly conducting them, at least backing them through other parties, proxies. that, that is a significant problem dealing -- which complicates attribution when policymakers actually want to make decisions as to what the proper response would be from the u.s. for instance, if we were a target. and it's gone beyond the major concern right now is intellectual property theft which is a problem for national security, but we're moving and with stuxnet we're moving beyond that, it's not limited to just stealing a country's secrets or technological advancement. so whatever if it's china, if it's russia and if it's proxies, we need to have our own doctrine prepared, our policies in line with international law that what our response would be in the case of a state using proxies to attack us and what would be our
8:16 am
defenses. if a defense is not perfect, one might then as in traditional times in the cold war with the soviets have to think of more of the aggressive/defensive moves or what would be considered by some as offensive. whether kinetic or cyber. and dod has just said in their strategy that they reserve the right to respond to a cyber attack with kinetic force. it may be wiser to respond with kinetic force, it may not. you still have cyber options. but the offense needs to be connected to any discussion on the security side. >> guest: just to take this proxy a little further just to make it clear, for example, in china every pla district, people's liberation army district, has a competition every spring where they pick up people who they've found were doing hacking into other people's systems, and they put them in these competitions, and the ones who win go into intense
8:17 am
30-day workshops, but they don't go into the government. they kind of are outside to the government but accessible to them. we've tracked a couple of them that have done some deep penetration into the defense department. they've won the contest, but they weren't on the military payroll. >> guest: there are students in china, for instance, to get an a you are to exhibit and demonstrate how you can break into one of the most supposedly secure systems. if i were that student and that was the goal of the class, i would pick something like, you know, nsa, see if i can break into nsa. now, whether the government funds, encourages that through the universities, um, and backs it and is just the recipient of whatever goods come from that, or the students don't necessarily have to work for the government. so there are different levels of witting and unwitting proxies. but the key to that is leveraging through diplomacy
8:18 am
hopefully before any military engagement with the states to get an understanding of what is acceptable behavior emanating from a state whether it's from your student body or your private companies or individuals. what's acceptable in the state's responsibility, to make sure no other state or territory is harmed from something emanating from your country? >> guest: while we're doing the diplomacy, we need to remember that in that part of warfare or part of economic competition the weapons in the next competition will be people and we're way behind on the people side. our colleges aren't teaching people how to defend computers or how to develop new techniques. our high schools aren't teaching the basics. our middle schools aren't teaching programming. we're so far off the path. we do have a wonderful thing that jim helped with called the u.s. cyber challenge which is a big national competition, thousands of kids are engaged,
8:19 am
very positive, not the kind of negative pressure that pla's doing. it is finding wonderful kids, but we're way behind, and we need to ratchet that up at a very fast rate. >> guest: one thing you want to think about, though, is we can split different categories. so the chinese are the best at economic espionage, and they have an advantage there because the u.s. doesn't do economic espionage. the russians are the best at financial crime, and they have an advantage there because the u.s. does not permit or engage in financial crime. um, but the u.s. is best at traditional intelligence collection. so we might not want to set that precedent because some people might say what are you guys complaining about? >> you're tromping all over my networks, you're just as guilty as i am. and that's not true, but any solution has to take that into account. >> host: jim, you had mentioned earlier there need to be policy
8:20 am
measures such as deterrents in order to kind of create a bunch of different layers of cyber defense. what's your assessment of how far along the u.s. is in deciding on its policies of, you know, what is deterrence in cyberspace, what is an act of war in cyberspace, some of these things that probably need to be clear if you're really going to make use of those policy tools? >> guest: the obama administration has made a lot of good progress, so i think we're further along than sometimes might be the public appearance. and in deterrence, pretty good idea, we have something called cross-domain deterrence which is you do cyber, i do a missile. that's a good idea. the issue with deterrence is there are some things that are not deterrable through military force, and that gets into the definition of an attack. so espionage, crime don't usually justify a military response. we're really good at deterring military attacks, we aren't deterring espionage or crime.
8:21 am
and that because the definition that people are revolving around hasn't been formally accepted yet around the world. but where we're coming out this is just like any other kind of military conflict. the laws of armed conflict that exist now apply, and there's not an attack if there isn't physical damage or casualties. a little bit of a gray area there, but people are moving in that direction. i don't want to talk too much, but the area of greatest dispute is that our fuzzy foreign friends are making the argument that we need to expand attack to include information warfare, and that's because they say that ideas are information warfare. one security official from one of these countries once told me twitter is an american plot to destabilize foreign governments. they really believe that. and that's because they fear ideas. but for me an idea is not a weapon. compelling someone through force or the threat of force is an act that falls under armed conflict.
8:22 am
telling someone a different idea and trying to persuade them, that's not warfare. but we're going to have big fights over that in the future. i'm wondering, catherine and alan, what sorts of examples of cyber attacks would actually fall in the category of warfare, an act of war, as opposed to espionage in some of these and crime and some other things that we sort of tolerate? >> guest: so that is probably one of the most important topics to get states to start specifically discussing under their view and interpretation in the cyber context, what would constitute a use of force versus an armed attack which triggers, of course, the self-defense provisions of the u.n. charter. espionage, um, also known as at least one of the oldest professions or at least done ever since the creation of states, espionage is, one, not criminalized under international law. there is no treaty that prohibits and outlaws spying,
8:23 am
clandestine collection of information. the use of force or the threat of use of force against the political independence or sovereign integrity of a state is prohibited under the u.n. charter. defining and understanding in a cyber context what would be a threat or use of force, and you can't forget it's type of use of force against political independence, sovereign integrity. there are exceptions under the charter. if you have suffered an armed attack, the state can actually add one of the strongest exceptions under article 51. what amounts to an armed attack under cyber is what we really have to start getting agreement on. some have advocated the mere attack against a critical infrastructure is automatically considered an armed attack under the u.n. charter and will trigger then, um, the legitimate self-defense mechanisms of the state, military as well. >> host: do you agree with that
8:24 am
assessment? >> guest: possibly. i say we start with that. we recognize that some states may view that, and now let's look back at our critical infrastructure, um, and what that would mean. the policy people, that's what we expect or need policy people to focus on. um, the use of force is, that threshold is lower than the armed attack. you can have and some have opined that espionage may rise to the level of the use of force. covert action typically is accepted as a use of force, but espionage not. and so you need -- in cyber we need to distinguish exploitation which there's a lot going on which we do and other states do from what would be an armed attack. if we get agreement from at least some key state actors that have the capability, well, this is what we would perceive an armed attack to be. therefore, we don't want to go there.
8:25 am
>> host: well, say somebody unleashed an attack like stuxnet on the u.s. does that constitute an armed attack? >> guest: so stuxnet is really interesting because you would have, you have to look at the facts around the, what was the justification or the legitimacy, if you will, for that. arguably, one might propose that it was a self-defense move. that against their nuclear facility. now, even if you have justification under the u.n. charter, um, for a self-defense argument, you still need to make sure that your action is proportionate to the threat, and that would get back to consequences after you've conducted it in cyber, what are those, how do we know what the consequences -- so it has to be proportional, even if you've got justification. so if you did something without legitimate justification under self-defense like a stuxnet, then it can be viewed as an unlawful use of force and could
8:26 am
be, arguably, rising to the level of an armed attack depending on how a state interprets that. >> host: well, okay. say in the stuxnet example then it's deemed an armed attack, and you're inclined or you're approved to take some sort of defensive action. who do you go after in self-defense in the stuxnet example? i mean, at this point we don't know who did it. there's been speculation that there was -- >> guest: let's put a little caveat on that, though, because if there's an effect that's equivalent to physical damage, you could argue it's an attack. there's still a decision that has to be made probably by the president about whether this is an act of war that justifies a u.s. response. >> host: right. >> guest: normally, we don't respond. if you think of the beirut bombing, we know who did that, we know which state was behind it, and we took no overt military action against them. the same thing's going to happen
8:27 am
here. the president will have to decide, do i want to pick a fight this week? how do you -- >> host: well, you could also authorize covert action so you're doing sort of a secret attack back. but i am wondering, i mean, and the stuxnet example is really instructive here because nobody has been able to say with certainty who was behind it. so what do you do in that circumstance, say the president likes to do that? >> guest: i like to leave those questions to catherine and jim. >> host: it's the attribution problem. what do you do, say there's been an armed attack where some self-defensive action has been justified whether it's covert or overt. what do you do when you can't pinpoint it? >> guest: i was actually going with that stuxnet itself was a legitimate self-defense move. >> host: okay. >> guest: the question is still relevant in terms of attribution, but you would have to know the facts of what your target was and whether in taking
8:28 am
those actions that could rise to the level of a use of force in an armed attack. and using the word "act of war," it's actually irrelevant. domestic purposes, constitutional separation of powers, yes, but under an analysis of international law the word "war" is not even used in the relevant positions of the charter. if you suffered an armed attack, you have the authority -- if one chooses, of course, you're not compelled to have to respond -- often like khobar towers, uss cole, it often depends on if you have enough information in which to base because under international law you clearly have to know who the perpetrator was before you take action against a potentially innocent party. so attribution will be a problem. but on the stuxnet, i was actually saying that if stuxnet, one could argue that it was a legitimate self-defense move in and of itself. now, you do worry about the tit
8:29 am
for tat and that going on -- >> guest: but that's, we ought to -- you probably know this, and it's probably good for the audience to know, um, the ability of the u.s. to attribute an attack using intelligence means is extremely high. attribution is not a problem. okay? the problem is making a decision, do i want to start a war with china now, or do i want to let it ride? but attribution as a problem is routinely overstated because people are unaware of the classified side of this. >> host: yeah. what you're saying is that this isn't just a technical question, you can use human sources or other types of intelligence to figure out just like any sort of attack when someone was trying to cover their tracks, who did it. >> guest: we've sort of written off -- not written off, but we're working on warfare that went by espionage because it's been going on forever. and normally that's, you can do that, but in this paul