tv   The Communicators  CSPAN  July 11, 2009 6:30pm-7:00pm EDT

6:30 pm
>> this week on "the communicators," a discussion on how protected u.s. computer systems are against u.s. cyber attacks. our guest is james lewis of the center for strategic and international studies. >> james lewis has been studying the issue of how to protect the internet and making recommendations. he has briefed intelligence agencies on how to provide cyber security, and he is our guest this week on "the communicators." also with us this siobhan. >> if you could explain to us what happened this past week. >> this week was not a big deal really in many ways. this is a fairly basic attack. someone infects thousands of computers, turns them into a zombie network, and then has them launch packets at targets.
6:31 pm
when the target computer gets hit with these thousands of packets, it is overwhelmed, and crashes. there are easy fixes to this, and what was interesting to me is that most agencies knew how to fend off this kind of attack, but a few of them did it. that is what is worrisome. this was a no-brainer. >> is it fair to say that this was a spam attack? >> it was like spam, but different in that spam has a message and content and they want you to read it. spam is the twin of this kind of attack. >> how do we know it came from north korea? >> we do not know for sure that it came from north korea. if the trail of bread crumbs leads up to a particular doorstep, you should be suspicious, because a smart attacker would make it look like it was someone else. it could have been the russians. could have been any number of countries. >> what are you hearing at this
6:32 pm
point about who the culprit might be, other than north korea? >> some have said left-wing hackers. you see this in taiwan and south korea. it could have been the russians. the russians did this in georgia and estonia. when i first read about it, i thought it was the russians, because when obama was there, they call them patriotic hackers. maybe a patriotic hacker got their nose out of joint over something he said. >> how many people does it take to mount such an attack? >> 1. >> how many computers? >> to write the malicious code, you really only need one person and one computer, but that malicious code goes out and infects thousands of computers.
6:33 pm
the numbers of computers involved in the attack are about 50,000 or 60,000. if you are hooked up to a cable network, it is always on. the malicious code will come to your computer and take over your computer. you will never know it, and it will turn you into a zombie. this was a botnet of thousands of computers used for the attack. one or two people and one computer -- >> one thing i have heard is that the code itself is not very sophisticated. it is an older version of a well-known code. is your view that the people were not being all that imaginative or that it was not really that good? >> i have mixed feelings. they probably got it off of a cyber website. some of them have rankings.
6:34 pm
the attack is the most primitive kind of attack, but there were some sophisticated parts to it. they adjusted the target set for each wave. they change the zombie for each attack. at first i thought a basic attack, a kid could do it. now looking at it, there must have been some brains behind it. >> you make anything of the reports out of south korea that there have been hard drives that were erased as well? does that seem like a separate, unrelated issue? >> that would be a more damaging kind of attack. we did see that in the u.s., at least it has been reported. it makes you wonder if it was a different set of attacks. you could easily have multiple attacks occurring at the same time from multiple countries with multiple targets. it could have happened in south korea. >> you said zombie computers. could that one code have infected u.s. computers to make
6:35 pm
those part of the attack also? >> many of the computers involved in the attack were located in the u.s. when you look at maps of where the attacks came from, there were a lot in california and new york. i thought that was in northern california. one of the problems with this kind of attack is that a shrewd attacker will use computers scattered all over the world. you can find germany, japan, and the u.s. when people talk about shooting back against the attackers, we would be shooting back against california and berlin. >> you also said that we should have been able to defend against this. why were we not able to? >> the good news is that many agencies were able to defend against it. if you went to the white house, which was one of the targets, they were completely unaffected. some of it has to do with preparation. some of it has to do with
6:36 pm
architecture, how the system was built. some agencies went down when you click on their website, you could not get to it. they should have been prepared. this is not a hard one to defeat. >> the state department was still feeling the effects yesterday. you would think the state department's defense is -- they obviously have a lot of national security responsibility, so you would think they would pay more attention to that kind of thing. >> it means we have more work to do. if you have treasury, state, secret service, all damaged by this, while other agencies as they did, it means somebody knows the right thing to do, and we have to make sure that becomes the common standard across the government. we are not there now. the effort is on hold while they scrounge around looking for a cyber coordinator. it could appear before the end of the month.
6:37 pm
we do not have czars in the u.s. government. think of it more as someone to conduct an orchestra, when you have state, the treasury, dhs, who can lead the orchestra? we need a conductor in there. one of the things they have to do is say that performance was mixed. let's all get on the same page. >> what is the holdup? i know you are keeping a count of how long it has been that the white house has been working on this issue and has not quite yet produced this official to show the way. >> my guess now is that they have actually picked someone. i did not know who it is. it is an outsider, and they have to go through the vetting process. they are very cautious, so my bet is currently it is the excruciatingly thorough vetting
6:38 pm
process that the white house does. before that there were turf battles and disputes over substance. it has been a messy process, but it looks like we are coming to the end of it. >> is the ftc currently responsible for its own server security and state and defense all individually responsible? >> at one level, that is the right answer. at one level we have had a tribal approach to cyber security, which is each tribe gets to decide to do with something. that was probably a good way to do this in the stone ages, but now it is time to move on. it is the service provider who is responsible. the white house also does its own stock. >> you mean the internet service provider. >> whoever is hosting or providing hosting services for the website. what i have heard, and i do not know this for fact, but i have
6:39 pm
heard that the agencies who had problems are the ones who tend to try to do it more in house. one of the answers here is, how do we get this done at a level where you have professionals doing it? how do you get it done on a level whose -- of people whose job is security and not communicating with the citizens. >> what is your estimate of how much is being spent on server security? >> she would know that better than me. it is in the billions. >> they got $17 billion over five years from the bush administration proposal. they had asked for $30 billion. i have heard industry estimates that go up to $50 billion over five years, but i think that may be beyond as federal spending. >> the federal government is the single biggest i.t. customer in the world, so they spend billions every year. in the past, cyber security just at a fraction of that. that is one reason we are having these problems now. it was not a priority.
6:40 pm
that started to change at the end of the bush administration and has clearly changed now. >> what keeps you awake at night when you think about a cyber attack? >> if i was going to be worried about it, this has always been an intelligence problem and an espionage problem. as a nation, we have suffered mightily from the ability of our foreign opponents to access sensitive or classified information and take it for their own use. what worries me the most is that we have had a counterintelligence disaster in the u.s., and we are just now starting to fix it. >> what about the financial side? what i hear from intelligence officials is that they are most worried about the impact this is having on the financial side. >> i would call it the economic side. your company -- it is your
6:41 pm
company, and you invent a new wonder thing, and you have a plan for it, but before you can get on the market, some competitor has a very similar product. or you are a company and you are trying to buy another company in china. when you go to do the negotiations, it is like the people on the other side of the table know your talking points and your bottom line. they know all your positions. how did this -- how does that happen? these are not hypothetical. that is where we see a drag on u.s. competitiveness and economic performance. >> and financial crimes, also. >> i do not put them together, because the potential crimes are separate. >> stealing money versus information. >> is not a national security threat. the loss of technology and secrets is a national security threat. >> have we lost military secrets and intelligence for cyber attacks? >> there is no doubt.
6:42 pm
it has been going on for about a decade. >> frequently from military contractors. the pentagon has been hit so many times. cyber thieves or spies tend to focus on the contractors because their defenses are down just a little less than the pentagon frequently. >> these are smart opponents. these are foreign states with intelligence agencies. three or four of them are as good as ours, and they look for the weak spot. they have been very successful. dod is the best agency when it comes to this stuff, but that does not mean they have not been hacked. >> they have been hit many times. they have been more open about it than a lot of other agencies. >> the best one was probably late last year. the classified networks for centcom were penetrated by an unknown foreign party.
6:43 pm
they could not get the other party off the networks for several weeks. >> our guest this week is james lewis, with the center for strategic and international studies. cyber security is the topic. we have talked a little bit about the private sector, but what is their role in protecting the infrastructure of the u.s. government? >> this is a very difficult issue. part of it is because for the last few years we have been wedded to an ideology that said the market would lead, that regulation was bad. most business events are things the market should lead, but when it comes to national security, the market will not deliver. we are wrestling with this as a nation, and we are handicapped. you do not see this in places
6:44 pm
in europe or asia where the role of government is more accepted. people are not as worried about the government intruding into the industry. that gives them the edge. >> a number of government officials have called it a market failure. i was wondering whether you agree with that, and how to fix it? >> it is an area of deep shame for me personally. i wrote a paper that was not released that said we do not have to worry about things like security because the markets would deliver. the market has failed. what does failure mean? it means that in some cases, some companies do a great job. even companies that do a great job get hacked once in awhile. some companies do not do a great job. there are places in the electrical grid where we should be nervous. do we know what everyone is doing?
6:45 pm
are they held to a common standard? if you go on the web, if you can see -- there was a series of hearings on what the electrical industry was doing. those hearings can best be described as shocking. he might see some legislation, if we are lucky. >> there are three bills just dealing with the electrical issue for cyber security. >> there are, but they are not making any progress. >> let's walk through some of the congressional proposals to enhance cyber security. what are some of those proposals? >> the most comprehensive one is a bill put forward by senators rockefeller and snowe. it is quite a good bill. many people dislike it because it creates a very powerful white house office. it talks about setting standards for products and for training. it talks about certifying professionals and has other components in it as well. it has what we call the big red switch. it would be that the president
6:46 pm
has the authority to turn off a network when it is infected. it is startling, and i am not quite sure it is constitutional. the bill is being revised. the initial draft attracted a lot of criticism, but i am told that they hope to have a new version that reflects these comments out in a couple of weeks. that bill has become the centerpiece of a set of other efforts. senator lieberman and senator collins are looking at an authorization bill that would give dhs more authority. there is a bill regarding international security. the federal information security act has been sort of a paper test. how well did you live up to your plan? >> most of them failed, the vast majority, right? >> you could still get a high score and still be secure.
6:47 pm
senator carper has a bill to adjust it so that it actually reflects reality. that would be a departure for the government, but the package of the legislation -- there are other bills for privacy legislation. senator feinstein is thinking about legislation. there is a lot of activity. >> what are some of the privacy concerns with these bills? >> the most important is that one of the best ways to defend against cyber attacks is something called deep packet inspection. it means looking inside the message traffic. the way to think about it is, think of a letter coming to you in an envelope. i want to open the envelope and read the letter to see if there is malicious code in it. that makes people nervous, and they should be nervous after the
6:48 pm
experience of the last seven years. >> what should be done to address it? >> we do not recognize that technology has changed. most of our laws are written in the '80s when we still had dial phones and copper wires. they are out of date. there is a difference now between reading a message for content and reading it just for malicious code. the way to think about it is to go back to the letter example. suppose i do not speak or read german. suppose i opened the envelope and there is a letter written in german. i could read the letter in the sense of going through it and looking for the malicious code pattern, but i would not understand the content. we have the technology to do that, but our laws do not permit it. >> what is the likelihood that the laws will change? >> this year, zero. people are being driven to the fact that there are technological solutions that our laws currently block. >> in terms of the discussion about what should be done versus the privacy concerns that would
6:49 pm
make it hard, it seems like a little bit of the overlay is the whole previous warrantless surveillance debate. the technology is similar, but the purpose is quite different. can you talk about the political dynamic there? >> you are tempting me to make fun of the previous administration, and i will resist. it is hard to tell people to trust us would have clearly violated the law and ignored the spirit of the constitution. people tend to not always make the switch, that is a different administration. i think you can trust nsa under the current administration, and trust them just in general. people are nervous, and you cannot blame them for that.
6:50 pm
you cannot have a program that was probably illegally run for years and then say we have fixed it, trust us. we are inheriting a political environment where trust in government has been damaged. >> james lewis, has the growth in the wireless industry contributed more to the lack of security? >> it has, because when you get a wireless router, and you can do this at home if you want, the password is password and user name is admin. that is probably true for all systems. you can drive around neighborhoods with your laptop or a wireless device and look for open networks. most people are beginning to figure out that at a minimum they need to secure their network with wireless encryption. the problem is that any signal that travels through the air can be captured.
6:51 pm
if i can capture the signal, i can probably break the encryption. as you go up the food chain, can i do it? no, i cannot do it. can a cyber criminal do it? for easy stuff, yes. can the soviet intelligence agency break it? absolutely. if you are doing higher up -- if you are doing high-end stuff over wireless -- criminals drove around to chain stores and went to a parking lot where they found one with a glitch in the security, and downloaded everyone's credit card data. you are counting on having thousands of systems and each one of them is secure. if there are 10,000 systems, 15 or 20 of them will not be secure. my job as a criminal or spy is to find those insecure systems. >> how big a concern is the wireless issue as they tried to get their arms around and secure a just government networks?
6:52 pm
obviously government employees are using wireless with their laptops and things like that. >> they are thinking about requiring encryption in some cases. many national security agencies ban the use of wireless devices. there are limits on what you can do with wireless routers, where you can install them. i think the government and places like dod have done a good job of moving the issue under control. i do not know about other agencies. as you point out, somebody is going to stop in at starbucks and use their wireless router. most countries have figured out that you can tap into wireless networks, and if you go to china or russia or even some european countries and take your laptop or blackberry, they will hack it. people ask if it is bad if they take their laptop to china. i say it depends on how you feel
6:53 pm
about sharing. >> bilbray was talking about -- built brenner was talking about knowing someone who had a fresh pda device and by the time he got to his hotel it already had spyware on it. it does seem like a big problem. i wonder how much of a problem that kind of thing is here. people have talked about things like bluetooth slurping and other techniques that are being used in the wireless environment that would be a big concern for the government as well as the private sector. >> the dilemma here, and i do not blame the chinese for doing this, because that is what governments are supposed to do, we have restrictions on our ability to do it. you have to have a court order and a warrant. almost no other country has as many strictures as we do, but i do not blame them. that is their job.
6:54 pm
for us, the benefits to productivity are so great that people want to be connected, and they put that ahead of being secure. frankly, that is a tough trade. we may gain a lot from being connected, but we lose a lot from not being secure. fixing that is where we are stuck. >> are other countries more protected because they have a national plan? >> in some ways, most countries are not even aware this is an issue. i was talking to someone from the u.n. this morning. he could identify entire continents where they are not aware this is a problem. the more sophisticated countries, yes. one of the things that is irritating is when you look at some european countries who saw that the u.s. was going to come out with the strategy and decided they would have their own strategy. they have actually finished, although we started before them. i am talking about france in
6:55 pm
particular, but also the u.k. i was talking to the french cyber coordinator, and he was telling me what they have done to require electrical companies to be more secure. i told him we could not have gotten away with that here. he said the government role is more intrusive in france, and people do not object to that. they might have partial ownership, and that gives them some leverage to say you have to go in and secure your network. >> does the government have that leverage in the financial industry right now? >> no. why would you think that? >> it is a big investor in a lot of banks and companies now, and i was wondering if that gives them leverage. >> part of that is just getting -- coming up with a coordinated strategy, which hopefully we will do in the next year. the financial sector has done pretty well. they have been pushed to think about security.
6:56 pm
what i heard from a senior white house official was that financial crimes have quadrupled in the last year, because this is a risk free environment. if you can break in, you can make a lot of money in just a couple of seconds. the odds of getting caught if you live in another country are zero. if you can sit in st. petersburg and probe 100 u.s. banks and maybe get into one and make $1 million, it is a beautiful crime. >> we have talked a little bit about russia and north korea and china. are there any other countries that seem to be the source of these attacks? >> when we say country, it is important to know that i do it as sort of a shorthand. for example, china. you could have multiple agencies competing with each other, multiple ministries in china. you could have private citizens who are involved in this.
6:57 pm
on a day when they are mad at the u.s., they could launch thousands of attacks like this. there are lots of players in this. you could have cyber criminals who are hired by the government. when we look at places, you can find them in europe. you can find a couple in the middle east, and a lot in asia. and even in the u.s. in the u.s. is a little more difficult because we have strong law enforcement. if you commit this kind of crime, eventually you will be caught, but in russia or china, your chances of being caught, as long as you attack places outside, are very small. >> how strong is the international effort on the law enforcement front to crack down on these kinds of things? recently there was a case where a bunch of phone systems had been broken into. it was mostly broken up in italy. it seemed like that was an interesting law enforcement cooperation effort between the
6:58 pm
italians, the u.s., and the philippines. i am wondering if that is uncommon or if that is a recently, and -- have a is that cooperation? >> if you talk to the fbi, they would tell you that things are getting better. in countries like russia, they can get cooperation on some issues. the problem is that most places do not have the laws. the classic example was the love bug in the philippines where you could basically give someone the equivalent of a traffic citation. when you look at the broad effort of effective laws, that has come to a standstill. when you look at case by case cooperation, that is going better. >> james lewis, center for strategic and international studies, thank you very much. the report that you did, the commission on cyber security for the 44th president, is available online at our web site, c-span.org/communicators. thank you very much.
6:59 pm
>> book tv continues on c-span2. financial editor david smick says the financial crisis was preventable. a panel of authors talks about the current economic crisis and what to do about it. then congressman henry waxman on his 35 years in the u.s. house. on afterwords, joe scarborough on the bush administration, the republican party, and obama presidency. he is interviewed by peggy noonan. there are a lot more books and authors on "book tv." >> sunday