to pay the hotel bill. is to where. they maintains and it turns out i've had one for a long time. ..

>> how are you? how are you? [applause] >> do you want to watch this program again? visit booktv.org to watch anything you see here online. type the name of the book or author at the top of the page and click on the hour glass. you can share anything on facebook or twitter by clicking on the share box at the bottom of the page. all top authors and books available at booktv.org.

>> good afternoon and welcome to sight and sound. i am the associate director of studies here. it is my pleasure to announce a discussion between myself and edward lucas and his book "cyberphobia." it hold as great interest for the audience. one is our own personal security of your computer and bank account and other things. the second thing he deals with is the massive security issues involved of all that you can imagine and how cyber can affect

the nation's census, utilities and security systems of all kinds and i think we have seen many examples. mr. lucas is a senior editor at the columnist. he has a long career in russia and eastern europe. one book i am familiar with is the new coal war in 2008 and a revision in 2013 and a third in 2014 which you take a look at it and you will see many of the things he said earlier are even more true or true now that were predicted back then. the subject is "cyberphobia" and i will have mr. lucas talk about the book and we will engage you in the audience with questions and we will have a general discussion. we are good here until at least

6:00. with that, mr. lucas. >> thank you very much indeed first of all to having me here and all of the people involved in organizing this. i presented the coal war in 2008 and it was a skeptical audience then. the difficulties in russia were just being questioned. and my message is quite a gritty one. i think we have designed the internet putting convenience and low-cost and innovation and e we have been doing that for 20-30 years.

as a result we have vulnerabilities in the system. badly designed networks, disorder, which can be displaceddisplaced any of the numbers of spies, hostile militaries out there and the pranksters and the crooks. it makes sense to divide them up into those passages when looking at them at threat actors but many of the tools they are using are similar. and people did say to me when i first started writing this why are you turning your attention from european security to

internet security? and actually, as i started researching this i became more of the parallels that we built up with the european security at the end of the cold war based on the assumption of good will and trust. we all get on. we have difficulties but we can resolve them and this was based security order are a lot of cooperation and dialogue and work into the future. that is the way we setup the internet assuming at the beginning it would be for academic purposes. we never thought about questions of identity and never thought about e-commerce. it was against the rules to use the internet for commercial purposes back in the beginning. if anyone said back then this is going to become the central nervous system of lives and he will use it for banking and

infrastructure and other things people would say it is not designed for that and are you sure? but we went down it because it worked. it is cheap, convenient, flexible and you can develop it. now we are stuck. i think the first message is it is going to get worse, a lot worse possibly, before it gets better. we have become accustomed to serious bridges. if i said at&t would be hacked and 20 million files would be stole people would say what is hack? but we have breachesi happening all of the time now so it is difficult to determine even. my friends at the ft and other papers say mega core was hacked, maybe the chinese, maybe

criminals, we don't know. and most of the organizations say why is that different than the breach from the story we ran last week. so breaches are normal is the idea but they are not. tens of billions of dollars a year are flowing out of our pockets into the criminal economy. i am skeptical of the cyber company numbers. people are talking about $500 billion a year. and that is not just a loss to us but a large chunk of it is going into the pockets of some of the worst people on the planet. people that would like to do us harm. the first thing i think we have to do is start speak enlish, -- english or russian or any normal language people speak. the most important feature of

this book, and maybe what makes it different from any other book, is i didn't use any computer jargon. the word cyber appears twice in the book. once in the title and once in the gloss. we have simple messages that get across complicated ideas in public health and change the ideas. we have simple messages. you don't need to know the difference between a pen and a gasket to be a save driver in a car. we are not there. the solutions for problems we have are not primary or technical. we kind of learn what we need to do and i will get to that in the q&a and tell you things like

identity insurance, better network design. the problem is changing tuned behavior. the packers are humans and we need to determine and get into the criminal economy and disrupt it and raise the cost of doing business. we need to say to people who are hurting and people who are scared should be scared because when people are scared and hurting they change their behavior whether it is individuals, companies, governments or anything else. i will stop there and i look forward to robust questions. if you read the book and think it is rubbish, please tell me. if you haven't read the book and still think it is rubbish that is okay. if you want to ask a question about russia that is okay too. we will kick off with questions >> if i could just have you pursue the issue you mentioned about some of the simple

measures that take place and although the gloomy prognosis, are we in a period where we will talk about the wild west, i mean western united states in the 19th century and other wild west? in other words where they are sorting these things out and it will take several years as these things become uncover and based on where we were 5-10 years ago we were moving in the right direction by government or personal? or are we really marking time and looking way ahead? >> the criminal economy is getting more and more sophisticated. when i first started writing this book i was impressed by the idea you could sell malware on the dark web and there was an after sale service. there is a basic help line which is how can where make it work,

and second which is help me treat this in a particular way, and the third line is can you help. so i think the threats, the surface number of things that are vulnerable to attack is increasing. the criminal economy is getting far more sophisticated and to use the wild west line we don't have the sheriff or the posse or the visualization. we know there are criminals out there looking to attack but don't know who or what they will attack. i think we have to start at the very basic level of making people feel this is not -- this is the fundamental thing. thing is different from any rear world aanalonatur jalnanalogy.

this is something the public find hard to visualize. a million computers whose owners have no idea that link they clicked on is taking that little bit of memory and then made the computer to do something to spread malware and the person this might be costing five cents a year in terms of cost. why should they work? you can be a carrier of a disease that is not hurting you

but hurting others. if you have a communicable disease they will keep you locked up but we have not transferred that to computer. >> when histonia had that major attack have they taken kne -- any steps to correct their huge hack? >> i am a huge fan of this country. i think three things are really important. one is that is the beetles attack. this is a crude cyber attack. the didn't knock them over. it impeded things and a few websites went down. but they didn't succeed in bringing the economy to a halt.

it didn't destroy their banking system or do the things that the people that launched thought they would do. since then they have gotten a lot better in terms of defending themselves and looking at the infrastructure and not like that is easy in a country with a million people. so i think the most important prevention tool is they have the fundamental idea of identity insurance down. this is the national id card there and your identity is in this chip. you don't share that with other people you need to identify yourself to. you type in a pen code, it clicks with the chip and turns

it signal saying this is fine and you give a digital signature. that is a legal binding signature. if you have a digital signature in this country they sign it with a wet signature and make it effortless and e-mail it back to you. this is something that is supposed to be secured. if you want to rent a microphone system, something i am talking on, you want to write that in britain you hand over our address, date of birth, and a copy of your driver's license or passport. that is enough information to open a bank account. this is actually going to be a breach of personal data because you can you will never get another finger print, retina, or

date of birth or mother's maiden name. if you hand that over and it is breached you are in trouble. it is much better to the this cryptographic-based identity. if -- the funny thing about governments, people are unwilling to trust their own government, but if you say this is a service provided by another government you can chose to use it. people have tens of thousands of these since launched. the australian embassy is down the road and you can pick them up there for 40 dollars or a smaller amount. this is proving who we are and proving who we are doing business with. civilization is based on the

trustful interaction between people that don't know each other well. we use our senses and have nuances and other queues and safeguards and so on that means we can do business with each other. face-to-face and also virtually. but we don't have a way of doing that on the internet. you cannot prove who i am and the two of us can't get together and say someone else who they say they are. and these sort of systems i think are dangerous. >> you mentioned at least three different aspects of this the cyber phobia. one is draining the computers and the second is getting intelligence for whatever

purposes probably not a financial gain unless they sell it, and third i will use an example, stet net that was the offensive use of this. are those -- are we looking at different actors? such as states and criminal individuals in others? are these separate enterprises or should they be seen as one pure and whole? >> the easiest way to look at this is say there is something only governments can do. high end national intelligence services have amazing capability of ceasing up bulk data. and getting stuff into a keyboard with a key lock on it and then getting that back to some command of control server.

acts of low mobile devices, patching stuff on a commuter from a mobile device that is not connected to it, these are pretty sophisticated capabilities and you can voice some bit of them on the internet. you can bound very simple malware and send a text message to where a person opens it it gets in. there is stuff only governments can do. buying expensive -- holes in software. these things are $50,000-$100,000. the good ones are expense. but you put those capabilities together and you get the stock net which only really could h e have -- the american government talked about it so it is not a secret. it is the least of the worries

for our american people. i guess everybody has seen the borne identity. they are great films but they are not documentaries. we are being attacked in a much slower way. so many of the vulnerabilities are -- if i want to get on to the site network, whether i want to get on because i want to steal stuff or find out how you do invoicing or steal data or change my grades so i do a better job -- all sorts of reason someone wants to get on the network. mostly they are going to same way. france, who has lots of works, find out they worked with the past 17 e-mails from gmail and

sent an e-mail here are my family pictures; would you like to take a look? and this is very efficient. links and attachments can be used by anyone of those threat actors. and i think the opm hack started with targeted fishing attack and got them on the network and once they are on the network you may need tools to try get control over the network. there is this -- it is this very big lump of simple vulnerabilities that everything falls to. >> let's go to the audience. we have a microphone. if you raise your hand until the microphone gets to you. yes, go ahead. just introduce yourself before you ask the question.

>> thank you very much for doing this. i am mark pender and i work for german national public radio here in washington. what i am concerned about more than the technical threat of all of those things is the fact that the american government employed someone who didn't have a college degree, got him into the most sensitive systems, and he could manage to get all of those things out and get away it. until now i think. so how do you think government or society can protect themselves from those kinds of breaches? the regular things of people actually stealing something. >> that is a great question. you didn't mention the name

edward snowden so it could have been another hacker as well. i think the government likes to beat up industry over security. and they are right to do. it is scandelus we don't share information better across industries. we need to do a better job about protecting the data that is entrusted to us whether it is data from suppliers or customers or anybody else. and there should be penalties for people who are careless and reckless. criminal liability. that is all fine. but if you want to see a badly designed network you are likely to find it in the public sector than in the private sector. it is absolutely terrifying how badly protected, out of date systems badly administered by demoralized people. this stuff is happening again and again and again. and i think one can make several

points. one is i think this is a very good reason why we should not support any government-mandated attempts to weaken encryption. if there is going to be government mandated backdoors in commercially-provided encryption that will be a fantastic target for criminals and i don't have competence -- it is like everybody has to give the government a front door key and there can't be any front door the government can't open. and all of these front door keys labeled and kept at the police station. that could be interesting to criminals. so we should be much tougher what we share with governments. and coming back to australia, one of the beauties of the

histone system is they have a federation of databases that are connected by something called the x-road which is a simple but robust system. it would be really hard -- i will sought not say impossible but it will be difficult to do it in australia. you would need the cooperation of lots of people at the same time in different points to make it happen. i think the final point i would make is why do we keep all of this stuff in electronic databas databases anyway? this slipped by mind where we have to go into the mi-6 registry and steal the font. now you have to physically get into the registry and distract the person there to stop you

from copying files, you have to get access to the files. if you wanted to steal all of the documents in that registry you would have attack the building with military force and take the stuff away in trucks. and the opm was like that only 20-30 years ago the chinese would have needed trucks to take the stuff out and now you can do on a usb stick. one of the big lessons is ask your government why are you keeping this stuff online? you have convenience, absolutely. but is that worth the vulnerability? one of the best stories i have come across in the economist is the system that buys valuable time because in it you can -- there is a saying i heard you cannot pack a a steam engine.

they would survive in a way no other transport would. we have to be prudent about moving away from things cannot be hacked towards things that are more convenient. >> thank you, mr. lucas. i study energy and environment here. but i used to work for the korean government agency doing cybersecurity. i think the recent international political environment has come to this state that international norms are very important in cyber space. but hearing from your example on estonia and other nations i feel like it is not only the states that have perceptions on cyber

space but the states have different cultural norms they expect from cyber space. i kind of want to hear what you think about is it necessary to do the international norms? it is even plausible? or is it more practical and it doesn't make more sense when we have more efforts that are done domestically within the national boundaries? >> it is a great question. i think we are developing norms that very different from 10-15 years ago. a lot of people use capital letters to show they are angry. and that is acceptable now. there are lows now on how we interact. people used to send long e-mails

and now they send very short e-mails. it is kind of rude to write a long e-mail. i think that if you look at shipping which is what the folks in the global industry and we develop in the maritime world to get word of emergency and you pick up sea goers because they would do it for you. we developed ways of messages. and days before electronic messages we had flags we would put up to deliver messages. so this stuff does build up on a

case-by-case bases. but i think the fundamental problem is the internet is a means for doing other things. so you could get the banks of the world getting together saying we will have very tough rules about preventing people from cashing out the proceeds. you get into someone's internet banking and get them to do something stupid and steal their money. that money doesn't appear in your pocket. you transfer it to another bank and another bank and at each point you do the transfer there is a point of vulnerability because someone had to open that account. at some point, a physical person went to a banker and opened the account so a lot of reputable banks are saying we will set-up forms for transfers that makes it much easier to trace stolen

money as it hops country to country and if you don't play by our rules we may stop transferring money to you and you will have reputable banks in russia and china and everywhere else in the world saying we want to be in on that. what is much harder is things like the use of information. if you look at the -- and there has been a big push in russia and china to bring the internet under the control of the national communication access and that makes sense why not have a un agency in charge? it might work better than the things we have at the moment. but the problem is one of the things that russia and china want to do is what they call information weapons. that is what we call news. we are not going to wage a conc

etchings freae conc concensen -- consensus on that. we say that is totally unacceptable. and they say how can you track child pornography? we say that is totally acceptable. countries have radically different ideas of what is offensive. what one country says a terrorism isn't in another country. you can have a global ban on terrorist but not on the internet. and the chinese comes to the tibetans and says take down this extremism on your computers. where there is no common interest, we have to accept it will happen. we will make progress where

there is common interest, i believe. >> i am a student here studying finance and i wanted to talk about the question regarding the prevention of cybersecuri-secur atta attacks. i am not sure you are familiar with the information sharing act. this is a measure proposed for financial institutions and other businesses and i would like your comments on how likely it will be passed and why these technology companies kind of oppose the cybersecurity information sharing act? >> yes, this is what economist call the line of really exciting and really boring.

once you get into this it is important. it has been sitting there buzzing around in the senate and house for five years. it has reached momentum and this is a time where people put aside their differences and pull out things that work. i was talking to ibm the other day and they really support this. not everybody is happy but there seems to be broad agreement across industry that people are worried about the anti-trust side. you get every major company in industry in the same room and the first thing they say is should we all be here? we don't want to go to jail and if you are talking about stuff that could be seen from an anti-trust point of view as problematic you want bait-proof

legal protection on there. i think those fears are probably overstated and companies say we can't do this for anti-trust region but i think we have already got quite a lot of information sharing. i want to see mandtory breach reporting. if they had a disease they would not say what level would cause us to get have panic they would say how can we prevent it all together? we do the same thing with malware. sometimes we don't know where it is coming from, sometimes it is targeted, sometimes it is what it actually did.

there is a collection action problem there that is worth it to make everybody report malware the same way. the other problem is that it is always going to be in the interest of individual companies to keep quite during an attack because they don't want their sha shareholders to know and the prices to go down. but if everybody is doing it it you can be brave together. i am not sure legislation is necessary. so i am agnostic but i am glad to see there is attention to this because it is coming five years after basically nothing. >> hi, my name is jane and i have been in the security industry for a while. my question was around your

thoughts on the role of the private sector, particularly security companies with threat intel teams, that expose and point fingers? in my experience there is a divide within the community on the appropriateness of that and the effectiveness of that because often with these you can out them and share indicators and point fingers but it really only causes a tactical disruption rather than a strategal change. so curious on exposing the indicators and if you think in the long term this will do anything or if they are glorified marketing slaughters? >> it is in the interest of cybersecurity companies to show they can do stuff. for many that would be a challenge. there is an amazing amount of cybersecurity that is basically

useless and bought by people that don't understand the problem they need to do something and they say this has a big, famous companies name on it and i will not get fired. would it actually defend it? very likely not. so i am not a big sort of booster to the cybersecurity industry. and if they are, like any company, they will sort of talk up what they do. but i think what the real question is how do we raise the cost of doing business in the criminal economy? and i think certainly many people -- because if you are someone on the other side of the world and you go by an alias or are selling malware or developed it and you are making money in bitcoin and cash it out and suddenly you realize i can never

go to a civilized country. i can never go to the european union or any g-20 country. you are suddenly thinking this wasn't a smart idea. we can start building up profiles of that those kind of people. i think the ken dot com case and i am not talking about it specifically they thought they were not vulnerable but found out they were and were taken away to face criminal charges. i think the real question is when it comes to hacking honey pots and hacking back and i guess everybody is familiar with this but this is where you put stuff on your network which isn't the real secret it is just labelled tempting secret and the bad guys go steal it and take it back on to their network but there is malware you put in the

file that takes their network and maybe opens up their network to your scrutiny. the georgia government did this when they realized they were being hacked by russia. they put a file on the network called secret later war plans to attack russia and of course the russians stole it, opened it, it was leaked with malware that was supplied to georgia by an ally who has never been named so i cannot imagine who that would be. and it sent everything on the russian network back it the georgian's. it turns on the webcam as cam. and you saw the guys in t-shirts laughing we have this great stuff from the georgians.

that is not legal. the intelligence agencies are much more deliberate. that is what they are there for. as a private person you cannot do that. if you hack into my computer and you put something on it i just manipulated your computer without my consent and i can be prosecuted. we need to think about the cyber self defense legal point. we understand this well in a criminal world. we have the stand your ground law. there is a defense of he hit me, i hit him back. he hit me first and i can prove that. so we haven't yet worked out the cyber version of that and in particular can you out source that capability for a security company. if you come hit me, and i pay

him to hit you because you hit me, in the kinetic world that is not allowed. i have to do the hitting myself. i cannot get my buddy to beat you up. but are we going to say in the cyber world that is okay? it is probably is. we are at the early stage to thinking this on through. can we take questions from this side of the room? go ahead. >> i will be going now. just one question to continue to pull that thread. has it been in party discussions about what kind of attacks could be considered acts of war? >> that is a really interesting questions. you have two problems. one is the attribution. the soviets knew this was

american files in turkey. we had no doubt working out the problem who did it. in the digital world you can be tough about who did it in the past. secondly, it can be hard to work what out what was this attack? you run russia's missile defense computer network. the defense and equipment that tells russia are we being attacked by another country. and you are -- someone breached your network. someone was in there. espionage, trying to figure hoot how it works. reconnaissan reconnaissan reconnaissan reconnaissance, something trying to figure out how to make it work. now imagine you are america and you have no idea, maybe your

spies or another service, has been on the russia computer. they turn off their computer and go ghost. why are they doing that? i have to do something so you raise your level a little. now go back and imagine the russians. you think the americans attacked your computer network and they pulled their forces now. you have to do something. we have a very dangerous position here when we don't know what the attack is and who is doing it. this is a far more difficult problem than coding during the cold war. you can't say what you have got. if you say what you have got the other side would work out how to stop it. you don't know if your digital deterrent will work at all.

so you have a double threat that makes it more difficult. >> question over there. >> hi, i am catherine and an administrator at specializing contact management. this is new territory for me. i am very interested in the role of the law in this. my sense is it currently lapse for these kind of criminals. do you think the problem at the moment is there are laws but they are not being applied as they should? or do you think the legal systems have to play catch up in which case can hackers be seen as opportunist? and also, if you do think the legal system needs to play catch up, where are you -- do you want

to see the international community doing more to deal with the problem if it is transnational? >> the last part you made is probably the most important. we are dealing with -- most of the actors we are dealing with are working across national borders and our criminal justice systems are very national. so, yes, that is a problem. there are mechanisms of cooperation but they take days, weeks and months. if you are dealing with a live case of cyber crime you have minutes to catch it before it disappears off in bitcoin land. so we have a level of bureaucratic operations that we have to get our peace forces out of their comfort zone.

a lot don't understand the digital side. that is all about to change though. the question of whether the laws need to be -- i think we have gone the wrong way of acting with hackers. our approach is hackers are criminals. someone comes to spray graffiti on the windows that is criminal damage and they could go to jail. we should think about the individual hackers as a social problem. it doesn't make sense to take them up and lock them up without computers for ten years. we need to do a better job of finding people not in formal education, maybe coming from a troubled background and find their self-realization through the keyboard and drifting into this dark world wanting to make a little money, a little

personal score settling. we need to prove who these guys are and say you could have a nice job with lots of money and be are respected member of community if you turn your skills from going that way to that way. so criminalizing hackers is a mistake. while the problems with the law enforcement is they say our job is to catch criminals. we -- the other parts of criminal law, we have got to get what really constitutes a breach. we have seen this revenge court which is a kind of cyber attack and didn't exist before the internet and now it is a serious problem. it is coming in in britain out of the sharing of an image without consent of the person

with malicious intent is now a crime. and finally, i think we need to think about the civil side because these people are more worried about being sued than going to jail. they are not natural crim new mexico -- criminals. so there i think we need to look and in this country, data protection. class action lawsuits just started coming about. if someone says i gave you my personal data, you lost it, and i will sue you. we will get a range of case law and this will scare people. we need legal standards as well.

if you are not a christian you don't say i have this neat idea of saving money and that is making the insulation on the bills. you don't need it. there are legal standards and i think we need to have basic standards. or if you want a company you have to file an account for the company. so the cyber aspect of running a company, i think, you should say you have to have a qualified information and insurance person working out of the general counsel's office. it is a compliance issues. you have to have regular testing, encrypt data, and you have to have authentication. that is not a magic bullet but it would stop things.

>> can i ask a pair of questions about information on news and get your impression of it. first of all, how successful do you think countries such as russia or china can be in restricting news that is so much available to the internet? and the second part is on the subject of wikileaks, in other words, a system that is looking for the complete openness of information and exposing the government. how do you come down on those issues? >> on the news i am depressed. ten years ago people thought we were in the golden age of information and government

couldn't hide anything and everyone would be a great journalist and we have amazing amounts of information and the chinese and russians and others would have to get used to living in a free, open world of information. that really hasn't happened. we have seen the -- this kind of works. there is a percentage of curious people setting up dpn but for others it is a hassle for what is reasonably interesting. i am quite depressed about that. we are seeing a business model and collapse in public radio.

the second question which i gust forgot -- wikileaks leak sleaks feel governments have the right to keep a secret. i think even during a surge -- and you have lawmakers and elected representatives here and that is better than other

countries. a lot of people don't think it is enough. but once you get into the debate of oversociety, people lose interest. you can kill a party by trying to get the conversation on that. but talking about the borne identity is interesting on the other hand. wikileaks, we have a senior state official in the room, but i would say this anyway, two things. one is one; these guys can write. there is one guy who wrote a telegraph who was written to and said if you ever want to lease wikileaks leaks you can have a job at the "economist". and i felt there is a lot of buried talent in the state

department. maybe people were saying our diplomats wouldn't get invited to chechen weddings if they write about it. but i thought there is a massive problem in this country of overclassification. most of wikileaks is so boring nobody wants to read it. just because it is classified or restricts doesn't mean it is interesting. people have helped the american government because they believe in what america stands for on the bases of their identity not being known and now it is known. there are parts of the world where retrobution for that is pretty severe and there is funds set aside to free people who are prosecuted for this in their

country. nobody thought about that. the wikileaks' people were so excited and didn't think about what was behind this. we interviewed the "columnist" about this but the press is hard on what happened to the afghans who were helping americans against the taliban. what is it like to be there? and he said they are collaborators. i think that is reckless. i cannot understand how you can make a justification for doing that. our time is up. i think to thank you, mr. lucas. >> thank you very much.

[applause] >> here is a look at books published this week. peter burgan reports on home-grown terrorism. michael dyson writes in the --

>> sindicated radio host bill press argues president obama failed to deliver on his campai campai campaign promise in buyers remorse. and we look at the 1979 iranian revolution. and a look at teddy roosevelt and his son. look for these titles in bookstores and watch for the authors in the near future on booktv. >> you are watching booktv on c-span2. television for serious readers. we will kick off tonight with the recount of george washington's journey through 13

states in hopes of reuniting the country. and then at 7:30 a look at the making of washington, d.c. as the capital. and then at 9:0 a look at how the presidential nominating process has changed since 1968. and we set down the national urban league president to discuss the state of black america. we finks finish up at 11:00 who with craig who talks about shadow work and the work done within organizations we don't see.