tv Washington Journal Jamil Jaffer CSPAN March 5, 2021 10:03am-10:39am EST
10:03 am
washington journal continues. host: this is jamil jaffer, the founder of the security institute at george mason university law. cyber security issues are what we are going to talk about for
10:04 am
our next segment. thanks for joining us. guest: thanks for having me. host: remind viewers about the extent of your cybersecurity experience inside and outside of government. guest: i served in the bush administration and the justice department. we worked on cybersecurity matters including countering threats to our nation including terrorists, states that want to steal intellectual property and harm us. i worked on what was known as the president's competence of cybersecurity initiatives. i worked for chairman mike rogers, worked on the first version of the cyber intelligence protection act that was enacted in 2015. i have had the opportunity of working for general alexander, the founding officer of cybersecurity engaging in efforts to protect some of our biggest companies and agencies from cyber threats from
10:05 am
nation-states and organized gangs and get people together to defend collectively. host: we brought you on because there was an incident this past december involving a firm, cybersecurity at the heart of it. talk about the incident and the nature of it. guest: a lot of discussion about this hack which surfaced in late december of last year was about solarwinds. that was the first factor of attack we saw by the russians. it has been made clear that it was the russian government that engaged in this activity. there are multiple methodologies that the russians used to get into our government. first, they got into an update cycle for some software. solarwinds used to protect companies against cybersecurity threat. they put in -- they tested their
10:06 am
ability to get in by putting an innocuous update in and then they put in some malware. when the update got taken up by 30,000 customers, they had access. what was interesting is they did not exploit all 18,000 systems. they focused on a few hundred, some key government agencies, civilian and otherwise, and then they focused on some key sectors and they started to look around. they sought to probe around and they started to get deeper access. they were in for almost nine months. they were able to establish a long-term presence and start masquerading as legitimate networks. they could access emails, files and the likes across these systems, almost owning these systems completely. they used other methods. they came into a variety of other providers, microsoft, through a certificate provided.
10:07 am
we know other acts they may have used. a cybersecurity company, fireeye. they were the first ones to call it out. the ceo talking publicly about it and letting us know that this could happen. what is really interesting about this particular activity was they could have done damage. there is no evidence that they have done any damage. but they have collected a lot of information. what it looks like right now is a large-scale very significant russian intelligence collection operation. they have the kind of access that could allow them to do a lot more. host: with the information systems they got into, how many were sensitive, how many involved the federal government? guest: it is hard to know because we do not know the full scope. this effort was aimed at the federal government, in particular, civilian agencies we have heard about.
10:08 am
we don't know how much sensitive information was taken because we don't know how deep they were in. assessments are currently ongoing, they will be going on for a while. they are trying to root these attackers out. think about this like a wolf in a henhouse. these are the wolves that come in and they disguise themselves. they are very adept actors so they look like us or they look like the defenders, they look like civilian agencies, these actors in the private sector systems. rooting them out is going to be a challenge. we know that access in significant ways to office 365, email accounts, servers and beyond that, other email systems and the structure. it is hard to really estimate today the scope of the damage, but it suffices to say that given the length of time they were in, the depth that we believe they got to and their
10:09 am
ability to access and become like an owner of the system, we can assess that the damage is pretty significant in terms of obtaining information. host: our guest is with us until late, if you want to ask him questions, (202) 748-8000 democrats. republicans, (202) 748-8001. independents, (202) 748-8002. guest: they provide tools and capabilities to protect customers from cyber threats. they were smart to use a known company. what is interesting is only 18,000 took the update. talking about our ability to
10:10 am
defend ourselves in terms of cyber hygiene. if only 18,000 are taking a legitimate update, it tells us that there are 12,000 not getting the updates and then you take the fact that 18,000 got a malicious update, i want to emphasize that they are not taking a lot of flak for this. the russians are smart. they went across other supply-chain vectors. this is a long-term operation that demonstrates the challenge of private sector companies, whether security companies or the companies they contract with, have in defending. we are talking about people with unlimited resources virtually, unlimited capabilities in capital to do it. defending this is very difficult. this highlights the need for not just being one company defending yourself, but trying to work across industries to better defend itself and help the government which has been seriously taken
10:11 am
advantage of, or defend itself. host: how do we know definitively that this is connected to the russians? guest: early on in this attack, the federal government and members of congress came out saying, perhaps the head of the executive branch, that it was the russians. we have clear indications from the white house that this was the russians. that has been made clear. we never doubted it. still, there are only so many that have the ability to scale the way this effort was scaled. frankly, the wherewithal and the time and the effort to really focus on the target, go deep, exploit the supply-chain vector and get deep into a system. it was the russians. we know the chinese are actively engaged in mass scale i.t. theft for years and targeted our
10:12 am
government for intelligence. governments are capable to up their game. we have serious actors out there who do not have our national interest at heart and that does not even count all of the criminal gangs out there, terrorist groups, individual activists who have access to a lot of leaks, both american and allied and foreign capabilities also. host: we have a viewer from twitter asks the question, "where do we stand in mitigating the russian access?" guest: that is a great question. one of the difficulties we have with the government and private sector companies is we will spend time looking deep in our networks, we don't have the time. we will put a firewall and defense of things at our perimeter, but we rarely spend time looking deep in our networks. once you are in you are in for
10:13 am
nine months and you have the ability to exploit or the ability to create new user accounts and get authorized access across a system, you are deep in. rooting you out will be difficult. think about that metaphor. if you've got wolves and they look like hens, what you have to do is figure out what is the wolf going to do that a hen would not do. these individuals are acting and we are not very far along. it is going to take months and years. the other alternative is we burn down those systems and throw them away and replace them. that is not a viable option for most corporations. it is not a viable option for government agencies. you have to do deep surveillance, identify things as they moved, as they try to raise privileges and look at how things are behaving like something they should not be. the key to this is doing that deep analysis. host: jamil jaffer joining us
10:14 am
for this discussion. our first call comes from georgia. kathy, republican line. caller: thank you for taking my call. my comment is in two parts. the first is, i don't think the united states has done very well in hardening our infrastructure for the last 25 to 30 years. they have known about the cyber threats and everything that has been going on. we have been on a rinse and repeat cycle. every time there is a threat or institutions have been attacked. as a victim of identity theft, i can tell you that right now, it is not very fun. my late husband was a federal agent and his last two years of life were dedicated to establishing units in agencies. i get really tired of hearing
10:15 am
about people like me whose lives, financial and personal, have just been destroyed. i don't like to see it with companies or the federal government have been attacked. even on a personal level, it is destroying. i had to call law enforcement agency. basically beg -- he was a law enforcement officer who was out on sick leave to take a call and take a record of my identity theft. you cannot even find help. i don't know what the answer is. i sure hope someone figures it out soon. host: kathy in georgia, thanks for the call. guest: kathy makes a great point. a lot of us have had personal experience with the obtaining of our identities, the misuse of our credit cards and the like. i cannot name a person i know where my credit card is not have
10:16 am
to been replaced because somebody has conducted fraud. some of that comes from identity theft in the cyber arena. what is really interesting is she is right. we have known about this for a long time. we have known about chinese theft of american property, taking billions and trillions of dollars out of the american economy for years. our ceo, the former director of nsa, said that when he was director reported a theft of intellectual property as a greatest threat to modern history and he is exactly right and that was years ago. if you think about the experience kathy had, she is exactly right. how -- we have to get ahead of this. how do we do that? how do we protect people like kathy? what we are doing so far has not worked. agencies defending themselves, companies standing up against these threats, it is important but it cannot be effective.
10:17 am
you cannot expect, even a large company to target a walmart, to the bank, j.p. morgan to defend against the russians, the chinese. if they cannot do it, how do you expect a small or medium-size company or an individual at kathy to do it? i worked for chairman mike rogers, we created a lot of permitted sharing of intelligence under the collaboration of the government. we need to incentivize companies and the government to do that. we need to give more authority to the government to do its job and deter the russians, the chinese from engaging in this behavior. host: in florida, this is frank. caller: hi, my name is frank. i am a democrat. it depends on who you have allegiance to. i went to west point. i understand that it depends on how big you are. this is -- this intellectual
10:18 am
property theft has been going on many ways in many countries by many people. russia has many groups, so does america. so does iran. so does china. the others get stuck in the middle. there is a power struggle with the democratic party as well as the republican party. it will continue to happen. it is not two-sided, it is multiple sides. it is going to happen for eternity, i think. host: frank in florida. an eternity, he says. guest: to describe a very real challenge. we are never going to end the threat that we face.
10:19 am
that is not realistic. what we can do is buy down the risk. we know today what we are doing in the government and industry is not effective. we can tell from kathy's description of the threat that she faced in the identity theft, the things we know about and have had happened to us. we have gotten almost jaded to cyber attacks or cyber theft of data, data breaches and the like, you hear about it every few weeks. the reason why it is so important, we know the chinese have built an entire economy around stealing data from the united states. think about this new trend of artificial intelligence and machine learning and what that enables. if you have data to train your artificial intelligence models on, you win that game. get better models, get better predictions.
10:20 am
you can make decisions based on that. people wonder why did the chinese government steal from anthem and from a credit rating agency. when you think about it, you combine all that information, you feed it into a machine learning algorithm and active start predicting how people behave, where they are going to travel to, how they're going to spend their money. it can be frightening. the key to this is -- frank made the point about policies. our policies have gotten very difficult. both parties were at each other's throats. the people are very divided. and the coronavirus has not made it any easier. a lot of larger problems our nation has at home and abroad, we've got to come together and expect more from our politicians and hold them to account and say, it is your job to make the right policies for the nation, whether in cybersecurity or
10:21 am
elsewhere and we are not going to tolerate you arguing. you need to solve america's problems and come together and unite. host: this happened in december. what did the trump administration do to respond? what will the biden administration do and what is the proper response the government should take? guest: that is a great question. a lot of people early on in this, you had members of congress say this is an act of war. in the cyber arena, what constitutes an act of war has been highly debated. we can say there is a physical effect that people die. that is starting to cross the line for what an act of war would look like. we talk about espionage and what we see in this russian effort looks like espionage. we may learn more later on. what we have learned about is the russians are in our systems stealing information.
10:22 am
no actual action was taken. if they destroy data, break systems, manipulate -- if they had gotten into the fda and modified the results of vaccine efficacy, a lot of people would not trust the vaccine. we need to be clear that russia, china, north korea, if you manipulate our data, you destroy our data, you break competitive systems or -- we are going to come back at you hard. that is why i think the trump administration was very aggressive in responding to iran and the attack on american soldiers in the middle east. they drew a clear line and responded. the biden administration has done very similar, they pushed back also. a lot of times they only understand when we actually
10:23 am
cause them pain. we've got to do more in the cyber arena. frankly, we have not done enough. one thing i will say, we talk about deterrence. to deter people, when you punch back, you cannot do it in private. you cannot do it behind closed doors. we hit them back, but we are not going to talk about it. you need to be able to publicly call and say, if you attack us in ways that are destructive, we will respond and you will feel this pain and that is how others know we don't want to do this to the united states. host: jerry from wisconsin, republican line. caller: thank you for taking my call. one of my questions was already answered about china. as far as for the iran deal, is there any way that they can be completely taken out of the picture?
10:24 am
and the other question is, these mega billion dollar drug cartels, are they hacking into our systems also? thank you very much for my call. guest: two great questions. on iran, the iran deal has been gone for a few years. president trump rightly got rid of it. it was not a good deal to start with, to be candid. the obama administration felt like they had to do something. they got into a deal that has a lot of flaws. we took a real close look at it and tried to get some changes made. ultimately, the administration did not agree and went forward with the deal. looking at it, president biden has a unique opportunity. we are not in the deal today. our allies in europe want to figure out a path forward to constrain the iranians. the biden administration has a
10:25 am
lot of leverage. a lot of people have concerns about president trump but he re-created leverage over iran by re-imposing sanctions. there is opportunity for the biden administration to take advantage of that. i wrote an op-ed a week and a half ago and talked about how it is important that regardless of what you thought about the iran deal, now that you have this leverage, it would be a mistake to squander it and jump right back into the old deal without extracting concessions. they have made clear, you don't want to make any concessions. this is where america has got to stand strong and say, no, you need this more than we do, we are going to hold you to the line. got maximum pressure on you, you've got to come to the table and negotiate. they talked about getting it, they have not done it yet. that is a good sign. i think there is an opportunity for the biden administration to leverage the advantage left to them to get a better deal out of this. on the second question about
10:26 am
criminal gangs and drug cartels, it is fair to say that they are certainly using the internet and our infrastructure to engage in money laundering and to market and sell their wares. as far as cyber attacks, i am not up to speed. i will get back to you at some point and come back on the show and talk about it. what i can say is this, what i would expect the drug cartels to be doing is looking at the agencies coming after them, try to get access to them. a lot of ways, they do not have the money and skill set to act. if they were looking at the dea and the fbi, understand what is being done, not just against our own agencies, but the agencies of other countries going up against them,
10:27 am
mexico. i wouldn't be surprised if the cartels are trying to figure out what they are doing too. host: here is reporting about the former solarwinds ceo appearing before congress, kevin thompson, about what happened. "as of congress on and on the fact that they tried to log into a server but it was not clear if it was used in the intrusion that infected." ." many departments have you heard that and what you think of that -- that was used to infect many departments." what do you think of that? guest: it is an interesting tactic. he throws some blame on this intern who used this easy to guess password. these passwords are across government, across industry. they are not the first to have passwords that were easy to guess.
10:28 am
all the time hear about in the media about hacks and how these new capabilities are being utilized. when you had easy passwords or you have emails that are an easy way in for attackers, they can get in easily and escalate privilege. in this case, with solarwinds, the main route of attack does not appear to have been this password, it was an update. they put some code into the update. the first time, it did not do anything just to see if anybody would notice. they did it for couple of months, nobody noticed. again, 18,000 out of 30,000 gets installed and they update -- we saw the update.
10:29 am
a really interesting thing. none of our clients got that second payload, the few hundreds of companies that were affected. we would have seen that and correlated it and identified it across multiple companies. the second round comes in and now, companies have decided to focus on government agencies. they basically have full access. now they have to look around and see what is going on, elevate privileges and now they own the system for nine months. they owned these government agencies. that is what is so deeply troubling. when you have administrative rights across an agency, you can do anything. you can create new user accounts and give them privileges. it is astounding the patience and scale of this attack. it really was a hack more than an attack. no evidence was destroyed, manipulated or modified. one thing we should talk about,
10:30 am
what happens if the russians threatened to do that? we are going to potentially do this. to me, that is the point at which the government has to draw the line and say we are going to come at you as though you attacked us. you cannot hold our systems at risk of serious damage without some consequences. we have not made that clear yet. that would be something for the biden administration to do, to make clear that we have red lines and we are going to enforce them. if they are crossed, actually enforce them. host: samuel, independent line. caller: good morning, mr. jaffer. my concern about the ultimate cyber security threat is can you tell me what our government is doing to harden our grids to protect against an emp? guest: that is a great question. outside of the cyber arena, which is my focus, i only know a little bit about it from my days back in the government.
10:31 am
electric magnetic pulse. it can knock out telecommunications systems and the like. a lot has been done over the years. do we have enough today? i think the answer is probably no. could we do more? certainly. at the end of the day, what is important is that we make sure our critical infrastructure is well protected. the department of homeland security has that mission to do that. they've got a new leader. we should focus on critical areas of importance and work across multiple agencies which have a lot of knowledge in the
10:32 am
cyber arena. they should get with the best capabilities. as far as today, i don't have that information. host: when it comes to the biden administration, who are the key figures? guest: the biden administration has put together a strong team today. jake sullivan, the national security advisor -- the deputy national security advisor, it is the first time in any administration that we have had at that level a deputy national security advisor. she comes out of the nsa where she ran for recent years, the defensive side of nsa. she's got a lot of skills there. alongside her is rob joyce, the former cyber advisor in the white house who was sort of
10:33 am
pushed out. he is back and running the defensive side of the national security agency. they are going to look for a strong leader so we will see who gets named for that. there is this national cyber director position that was created as a result of the information. we have not gotten anybody named for that. more to be seen on that front. the director of national intelligence, avril haines and her team. nsa -- an excellent cyber leader. it lets you lead very much for in defending our nation and pressing against our enemies, doing the right thing. i think this team has a lot of smart capable people in this arena. i am looking forward to them trying to do good work on this going forward. it is a challenging problem. the more that the government can work with industry and collaborate and defend our
10:34 am
nation collectively, that will be the key to succeeding. host: our conversation with jamil jaffer, the founder of the national security institute at george mason university law school. from michigan, philip, go ahead. caller: when people turn a pc on or a laptop, can't we stop our internet at the national borders wearing when i turn the computer on, it is the nsa web rather than the world wide web and if i want to go road live i can click something and go worldwide and create a separate server so it is easier for law enforcement and other people to track down who these people are that are coming in and creating all of these. thanks for doing a great job.
10:35 am
guest: a really interesting question. a lot of nations thought about this and said, we want to firewall or isolate ourselves from the global internet. china has built the great firewall. iran has a version. i think there are some challenges with trying to wall yourself off from the internet and create a garden around your cyberspace. the u.s. having built the global internet, a lot of the connections transit through the united states and have for the better part of two decades. that is one of the challenges that a lot of data comes through here. one thing americans have always felt about the importance about our society is our ability to access information freely and openly, no matter where it is stored and communicate with others. it is a challenge to think about, like the iranians or the
10:36 am
chinese about creating an isolated internet. there have been discussions about creating an internet where there is a strong encryption and you focus on that for financial transactions. there is talk about that. i don't know if it has taken that much -- most people are starting to think about i'm going to encrypt my data, make sure it is secure.
10:37 am
creating a secure internet is a real challenge for an open and free society like ours. the other challenge is how do you define what the borders are. it is hard to know in a highly networked environment, where is the border. it is where the data crosses the imaginary line? data travels the world in the blink of an eye. it is hard to draw that line between where the border of the u.s. internet might actually be. host: stephen in connecticut. independent line. let me push the button. steven in connecticut, go ahead. caller: it is a really interesting topic. i agree with you. i cannot see us walling the internet off. it is impossible. what i would like to see, instead of a private partnership in the united states, maybe a
10:38 am
nato or united nations private partnership or we can aggregate all of these issues through one central core. for france, we find out what they are doing over there and we are prepped for it or they probe hong kong or taiwan. i don't care where they base it, belgium, new york. is there any legislation to do an international treaty to feed these issues through? guest: it is a great point that stephen makes. as i was saying >> we will leave the last few minutes of the segment for them you can finish watching it on our website, c-span.org. we will take it to the house appropriations subcommittee. rep. wasserman schultz: today's meeting may mute