tv Jamil Jaffer CSPAN March 9, 2021 12:17pm-12:34pm EST
12:17 pm
with the biden administration now leading the federal response to the coronavirus pandemic follow the latest at c-span.org/coronavirus. search c-span's coverage of news conferences as well as remarks from members of congress. use the interactive gallery of maps to follow cases in the u.s. and worldwide. go to c-span.org/coronavirus. coming up this afternoon, house speaker nancy pelosi and several of the nation's mayors will be speaking at a national league of cities conference. live coverage starts at 12 350k eastern here on c-span 3 and also online at c-span.org or you can also listen with your free c-span radio app. weeknights this month we're featuring american history tv programs as a preview of what's available every weekend on c-span3. tonight, david wilkins looks at 18th and 19th century u.s. policy towards native americans. mr. wilkins is a university of
12:18 pm
richmond professor and a citizen of the lumbee nation of north carolina. watch tonight beginning at 8:00 p.m. eastern and enjoy american history tv every weekend on c-span3. this is the founder of the national security institute at george mason institute law school and also vice president of ironnet cybersecurity and cyber security issues is what we're going to talk about for our next segment. thanks for joining us. >> thanks for having me, peter. >> remind viewers about the extent of your cyber security experience inside and outside of government. >> sure. so i -- i served in the bush administration at the justice department and the national security division. we worked on a large range of cyber security matters including countering threats to our nation, including terrorists, nation states that wanted to steal our intellectual property and harm us. i worked in the bush white house on what is known as the president's comprehensive
12:19 pm
national cyber security initiative. i had a chance a few years later to work with chairman mike rogers of the house intelligence committee and worked on the intelligence protection act which was then enacted into law in 2018 and i've had the amazing opportunity to work for general keith alexander, the founding commander of cyber command engaging in efforts to protect some of our biggest companies and some of our key government agencies from cyber threats and nation states and organized criminal gangs and get people together to defend as one entity and collectively across multiple industries. >> we brought you on because there was an incident this past december involving a firm called solar winds. cyber security at the heart of it. talk about the incident and the widespread nature of it. >> yeah. you know, a lot of discussion about this hack which sort of first surfaced in late december of last year was about calling
12:20 pm
it solar winds. that was the first vector of attack we saw by the russians. it's now been made fairly clear by the government that it was the russian government that engaged in this activity but there were multiple methodologies that they used to get into our private sector systems. they got into an update cycle of software, software used to protect companies from the cyber security threat, got in the update for the software and initially tested their ability to get in by putting in an innocuous update and then put in the malware and when the update got taken in by 18,000 of solar winds' 30,000 customers they had access to the system. what is interesting about the russians they didn't exploit all 18,000 systems, they focused on key government agencies, civilian and otherwise and then focused in on key private sector networks and started to probe around and started to get
12:21 pm
deeper and deeper access and they were in for nine months, they were able to form -- they obtained access to files, e-mails and the like across all of these systems almost owning them nearly completely. they used other methods of attack, too. then also came into a variety of other provider systems, microsoft through a certificate provider. we've now heard of other hacks that russians may have used so there were a number of providers they got into. a cyber security fire eye. because solar winds was affected they were the first ones to talk about it and the ceo letting us know that it happened. what's interesting i would say about this particular activity, they could have done a lot of damage. the depth to which they had the access and the like. there's no evidence that they have done a lot of damage but they
12:22 pm
have gotten in deep and collected a lot of information and it's a large-scale very significant russian collection activity that could allow them to do a lot more. >> with the information systems that they got into, how much were sensitive in nature, and how many involved the federal government? >> you know, it's really hard to know because we don't know the full scope. what we do know is the bulk of this effort was aimed at the u.s. federal government and in particular a number of civilian agencies that we've heard about, but we don't know how much sensitive information was taken because we don't know how deep they were in, right? i think the damage assessments are currently ongoing, and i think they will be going on for a while and the other thing that's going on is they are trying to root the attackers out. you have to think about this like a wolf in a hen house. these are the wolves that have come in and they have disguised themselves to look like hens, so they look like us, look like these actors within the private
12:23 pm
sector system. so rooting them out is going to be a challenge. we know they had access to office 365, email accounts and recall other email systems to the like and, you know, it's really hard to estimate today the scope of the damage but given the length of time that they were in and their ability to -- becoming a privileged owner of the system, i think we can assess by obtaining information. democrats. republicans, (202) 748-8001. text us at 202-7463-800 about. specifically what solar winds in
12:24 pm
relation to the other companies? >> solar winds, a cyber security company, provide tools and capabilities to protect their companies from, you know, cyber threats and so, you know, in a lot of ways the russians were very smart to use sort of a known quantity, a trusted company. they have got a huge set of customers, 30,000, you know. i think what's interesting is by the way only 18,000 took this update. tells us something about our ability to defend ourselves in terms of cyber hygiene. if only 18,000 of 0,000 are taking, which should help protect it better. it tells you there's 1,800 that doesn't get an update and solar wind. . they want to cross other -- this demonstrate the real challenge of private secretary have
12:25 pm
companies, whether security companies or the companies contracted with. they have been defending against the nation state, basically unlimited unit in, and that sort of highlight theized for -- really trying to figure out how to work across the sector and the government in order to better help the government which was seriously taken advantage of it, help it better defend it level. >> you mentioned it at the beginning but how do we know definitively that this is connected to the russians? >> look, early on in this attack the federal government briefed members of congress. members of congress came out saying perhaps -- perhaps that of the executive branch that it was the russians. we now have clear indications from the white house, from the director of national intelligence that this was the issues. that's been made clear now.
12:26 pm
>> frankly the wherewithal and the willing to recall go deep and explore are sly advantage investigator and they are not only attackers coming after us frms we to many -- they are for years are. they have significantly upped their game. we have a list of actors out there who don't have our interests at heart. all the individual hacktivists, there's been a lot of leans of american and allied and foreign capabilities. mlb from fromitivitier says
12:27 pm
where we recall -- that's a good yes. one of the difficulties is we don't spend a tremendous amount of time big of at you're -- we lfn put fire walls and things on our perimeter but rare -- in you're -- you'll able to. -- recall to get ought rights, rrmgs think about what you've got to do. think about the wolves in the hen house. if you've got wolves in the hen house and they look like hens, you've got to figure out what is a wolf going to do that a hen wouldn't do? got to look at behaviors and look at how the individual networks are acting and so we're not very far along, i feel, and i fear it will take months
12:28 pm
and years and the other thing is we port of break down the -- that's not a. -- it's note about washington government aircraftsy. do xwrerorrier are are. i think the keep to this is doing the deep look and deep analysis. >> jamil jaffer joining us for this discussion. the kathy on the republican line, good morning. thank you and go ahead. >> thanks for taking my call. my comment is kind of in two parts. the first is i don't think the united states has done very well in hardening our infrastructure. for the last 20, 30 years they have known about the cyber threats and everything that's been going on and yet it's been like we've been on a rinse and repeat cycle here.
12:29 pm
every time there's a threat or our institutions have been attacked and as a victim of identity theft i can tell you it's not very fun. my husband was a federal agent and his last two years of life were dedicated to establishing a unit in one of these agencies. you know what. i get really tired of hearing about people like me of people's lives, financial and personal, have been destroyed. i don't like to see it when companies or the federal government have been attacked but even on a personal level it's just destroying. i had to call law enforcement agency and basically beg an signature who was -- a law enforcement officer out on sick leave to just take a call and take a record of my identity
12:30 pm
theft. you can't even find help. i don't know what the answer is. i sure hope somebody figures it out soon. >> kate in georgia, thanks for the call. >> yeah, ma'am. kathy makes great points. you know, a lot of us americans have had very direct personal experience with the obtaining of our identities, the misuse of our credit cards and the like. i mean, i can't name a person i know, me personally even, where my credit card hasn't had to be replaced a couple, three times and some that have come from identity theft in the cyber arena. what's really interesting about kathy's point, she's exactly right. we've known about this threat for a long time. we've known about chinese theft of american intellectual property taking billions and trillions of dollars out of the american economy for years. my boss today, my ceo, former director of nsa, keith alexander, army general, said when he was back at nsa referred to the threat of intellectual property in the united states as
12:31 pm
the greatest transfer of wealth in modern human history, and they's exactly right, and that was years ago. you think of the personal experience of kathy and we've got to get ahead of that and the question is how do we create an institution to defend against the national level threats and protect people like cat? one of the answers has to be we're doing so far has not helped with individual agent significance standing up against the threat. you can't imagine a large company, a target, a walmart, a citibank, a jpmorgan to defend the russians, chinese and iranians and if they can't do it how can you expect a small or medium-sized company or an individual like kathy to do it? i worked for chairman mike rogers and we created a lot of permitting of the sharing of intelligence and collaboration amongst companies and the government and more needs to be done. we need to incentivize the governments to do that and give
12:32 pm
more authorities for the governments to do its job and deter the iranians, north koreans and others from pursuing that agenda. >> frank? >> hi, my name is frank. i'm a democrat. it depends on who you have an allegiance to. i'm a burmese-american and went to west point. i'm no longer commissioned but i understand it depends on your village and how big you are. the -- we get other small -- other small powers get stuck in the middle and right now there's a mother struggle in the democratic party and the republican party. this theft will continue to help on many sides. it's not two-sided.
12:33 pm
it's multiple sides, and it is just going to happen for eternity i think. >> okay. frank in florida. mr. jaffer, he said an eternity this will always happen. >> frank, thanks for your question and thanks for your service and i have an uncle from burma so i totally get it. look, i think he's described a very real challenge that we face. we're never going to sort of end the threat that we face in cyber space. that's not realistic. what we can do i think is buy down the risk and what i mean by that is we know today what we're doing in the government and industry is not effective. we can tell that from kathy's description of the threat that she faced personally in terms of the identity threat, the things that you and i all know about and had happen to us. what we see happening in companies. we've gotten almost jaded to cyber attacks, or cyber thefts, at least of cyber data, you know, data breaches and the like you hear about it every few
