
tv   Washington Journal Jamil Jaffer  CSPAN  March 6, 2021 12:08am-12:51am EST

12:08 am
news on the day. we discussed policy issues that impact you. coming up saturday morning, a johns hopkins university center for health security talks about the latest developments to combat covid-19. we will look back on the 75th anniversary of winston churchill's iron curtain speech with america's national churchill museum director. watch c-span's washington journal live at 7:00 eastern saturday morning. be sure to join the discussion with your phone calls, facebook comments, texts, and tweets. , the founder of the security institute at george mason university law. cyber security issues are what we are going to talk about for our next segment. thanks for joining us. guest: thanks for having me. host: remind viewers about the extent of your cybersecurity
12:09 am
experience inside and outside of government. guest: i served in the bush administration and the justice department. we worked on cybersecurity matters including countering threats to our nation including terrorists, states that want to steal intellectual property and harm us. i worked on what was known as the president's comprehensive cybersecurity initiatives. i worked for chairman mike rogers, worked on the first version of the cyber intelligence protection act that was enacted in 2015. i have had the opportunity of working for general alexander, the founding officer of cybersecurity engaging in efforts to protect some of our biggest companies and agencies from cyber threats from nation-states and organized gangs and get people together to defend collectively. host: we brought you on because
12:10 am
there was an incident this past december involving a firm, cybersecurity at the heart of it. talk about the incident and the nature of it. guest: a lot of discussion about this hack which surfaced in late december of last year was about solarwinds. that was the first vector of attack we saw by the russians. it has been made clear that it was the russian government that engaged in this activity. there are multiple methodologies that the russians used to get into our government. first, they got into an update cycle for some software solarwinds used to protect companies against cybersecurity threats. they put in -- they tested their ability to get in by putting an innocuous update in and then they put in some malware. when the update got taken up by
12:11 am
30,000 customers, they had access. what was interesting is they did not exploit all 18,000 systems. they focused on a few hundred, some key government agencies, civilian and otherwise, and then they focused on some key sectors and they started to look around. they sought to probe around and they started to get deeper access. they were in for almost nine months. they were able to establish a long-term presence and start masquerading as legitimate networks. they could access emails, files and the like across these systems, almost owning these systems completely. they used other methods. they came into a variety of other providers, microsoft, through a certificate provided. we know other acts they may have used. a cybersecurity company, fireeye.
12:12 am
they were the first ones to call it out. the ceo talking publicly about it and letting us know that this could happen. what is really interesting about this particular activity was they could have done damage. there is no evidence that they have done any damage. but they have collected a lot of information. what it looks like right now is a large-scale very significant russian intelligence collection operation. they have the kind of access that could allow them to do a lot more. host: with the information systems they got into, how many were sensitive, how many involved the federal government? guest: it is hard to know because we do not know the full scope. this effort was aimed at the federal government, in particular, civilian agencies we have heard about. we don't know how much sensitive information was taken because we don't know how deep they were in. assessments are currently
12:13 am
ongoing, they will be going on for a while. they are trying to root these attackers out. think about this like a wolf in a henhouse. these are the wolves that come in and they disguise themselves. they are very adept actors so they look like us or they look like the defenders, they look like civilian agencies, these actors in the private sector systems. rooting them out is going to be a challenge. we know that access in significant ways to office 365, email accounts, servers and beyond that, other email systems and the structure. it is hard to really estimate today the scope of the damage, but it suffices to say that given the length of time they were in, the depth that we believe they got to and their ability to access and become like an owner of the system, we can assess that the damage is
12:14 am
pretty significant in terms of obtaining information. host: our guest is with us until late, if you want to ask him questions, (202) 748-8000 democrats. republicans, (202) 748-8001. independents, (202) 748-8002. guest: they provide tools and capabilities to protect customers from cyber threats. they were smart to use a known company. what is interesting is only 18,000 took the update. talking about our ability to defend ourselves in terms of cyber hygiene. if only 18,000 are taking a legitimate update, it tells us that there are 12,000 not
12:15 am
getting the updates and then you take the fact that 18,000 got a malicious update, i want to emphasize that they are not taking a lot of flak for this. the russians are smart. they went across other supply-chain vectors. this is a long-term operation that demonstrates the challenge of private sector companies, whether security companies or the companies they contract with, have in defending. we are talking about people with unlimited resources virtually, unlimited capabilities in capital to do it. defending this is very difficult. this highlights the need for not just being one company defending yourself, but trying to work across industries to better defend itself and help the government which has been seriously taken advantage of, or defend itself. host: how do we know definitively that this is
12:16 am
connected to the russians? guest: early on in this attack, the federal government and members of congress came out saying, perhaps the head of the executive branch, that it was the russians. we have clear indications from the white house that this was the russians. that has been made clear. we never doubted it. still, there are only so many that have the ability to scale the way this effort was scaled. frankly, the wherewithal and the time and the effort to really focus on the target, go deep, exploit the supply-chain vector and get deep into a system. it was the russians. we know the chinese are actively engaged in mass scale i.t. theft for years and targeted our government for intelligence. governments are capable to up their game. we have serious actors out there who do not have our national
12:17 am
interest at heart and that does not even count all of the criminal gangs out there, terrorist groups, individual activists who have access to a lot of leaks, both american and allied and foreign capabilities also. host: we have a viewer from twitter asks the question, "where do we stand in mitigating the russian access?" guest: that is a great question. one of the difficulties we have with the government and private sector companies is we will spend time looking deep in our networks, we don't have the time. we will put a firewall and defensive things at our perimeter, but we rarely spend time looking deep in our networks. once you are in you are in for nine months and you have the ability to exploit or the ability to create new user accounts and get authorized access across a system, you are
12:18 am
deep in. rooting you out will be difficult. think about that metaphor. if you've got wolves and they look like hens, what you have to do is figure out what is the wolf going to do that a hen would not do. these individuals are acting and we are not very far along. it is going to take months and years. the other alternative is we burn down those systems and throw them away and replace them. that is not a viable option for most corporations. it is not a viable option for government agencies. you have to do deep surveillance, identify things as they moved, as they try to raise privileges and look at how things are behaving like something they should not be. the key to this is doing that deep analysis. host: jamil jaffer joining us for this discussion. our first call comes from georgia. kathy, republican line. caller: thank you for taking my call. my comment is in two parts.
12:19 am
the first is, i don't think the united states has done very well in hardening our infrastructure for the last 25 to 30 years. they have known about the cyber threats and everything that has been going on. we have been on a rinse and repeat cycle. every time there is a threat or institutions have been attacked. as a victim of identity theft, i can tell you that right now, it is not very fun. my late husband was a federal agent and his last two years of life were dedicated to establishing units in agencies. i get really tired of hearing about people like me whose lives, financial and personal, have just been destroyed. i don't like to see it with
12:20 am
companies or the federal government have been attacked. even on a personal level, it is destroying. i had to call law enforcement agency. basically beg -- he was a law enforcement officer who was out on sick leave to take a call and take a record of my identity theft. you cannot even find help. i don't know what the answer is. i sure hope someone figures it out soon. host: kathy in georgia, thanks for the call. guest: kathy makes a great point. a lot of us have had personal experience with the obtaining of our identities, the misuse of our credit cards and the like. i cannot name a person i know where my credit card is not have to been replaced because somebody has conducted fraud. some of that comes from identity theft in the cyber arena. what is really interesting is she is right.
12:21 am
we have known about this for a long time. we have known about chinese theft of american property, taking billions and trillions of dollars out of the american economy for years. our ceo, the former director of nsa, said that when he was director reported a theft of intellectual property as a greatest threat to modern history and he is exactly right and that was years ago. if you think about the experience kathy had, she is exactly right. how -- we have to get ahead of this. how do we do that? how do we protect people like kathy? what we are doing so far has not worked. agencies defending themselves, companies standing up against these threats, it is important but it cannot be effective. you cannot expect, even a large company to target a walmart, to the bank, j.p. morgan to defend against the russians, the chinese.
12:22 am
if they cannot do it, how do you expect a small or medium-size company or an individual like kathy to do it? i worked for chairman mike rogers, we created a lot of permitted sharing of intelligence under the collaboration of the government. we need to incentivize companies and the government to do that. we need to give more authority to the government to do its job and deter the russians, the chinese from engaging in this behavior. host: in florida, this is frank. caller: hi, my name is frank. i am a democrat. it depends on who you have allegiance to. i went to west point. i understand that it depends on how big you are. this is -- this intellectual property theft has been going on many ways in many countries by many people. russia has many groups, so does
12:23 am
america. so does iran. so does china. the others get stuck in the middle. there is a power struggle with the democratic party as well as the republican party. it will continue to happen. it is not two-sided, it is multiple sides. it is going to happen for eternity, i think. host: frank in florida. guest: an eternity he says -- to live -- host: an eternity, he says. guest: to describe a very real challenge. we are never going to end the threat that we face. that is not realistic. what we can do is buy down the risk. we know today what we are doing
12:24 am
in the government and industry is not effective. we can tell from kathy's description of the threat that she faced in the identity theft, the things we know about and have had happen to us. we have gotten almost jaded to cyber attacks or cyber theft of data, data breaches and the like, you hear about it every few weeks. the reason why it is so important, we know the chinese have built an entire economy around stealing data from the united states. think about this new trend of artificial intelligence and machine learning and what that enables. if you have data to train your artificial intelligence models on, you win that game. get better models, get better predictions. you can make decisions based on that. people wonder why did the chinese government steal from anthem and from a credit rating
12:25 am
agency. when you think about it, you combine all that information, you feed it into a machine learning algorithm and active start predicting how people behave, where they are going to travel to, how they're going to spend their money. it can be frightening. the key to this is -- frank made the point about policies. our policies have gotten very difficult. both parties were at each other's throats. the people are very divided. and the coronavirus has not made it any easier. a lot of larger problems our nation has at home and abroad, we've got to come together and expect more from our politicians and hold them to account and say, it is your job to make the right policies for the nation, whether in cybersecurity or elsewhere and we are not going to tolerate you arguing. you need to solve america's problems and come together and unite. host: this happened in december.
12:26 am
what did the trump administration do to respond? what will the biden administration do and what is the proper response the government should take? guest: that is a great question. a lot of people early on in this, you had members of congress say this is an act of war. in the cyber arena, what constitutes an act of war has been highly debated. we can say there is a physical effect that people die. that is starting to cross the line for what an act of war would look like. we talk about espionage and what we see in this russian effort looks like espionage. we may learn more later on. what we have learned about is the russians are in our systems stealing information. no actual action was taken. if they destroy data, break systems, manipulate -- if they had gotten into the nda and
12:27 am
modified these results -- if they had gotten into the fda and modified the results of vaccine efficacy, a lot of people would not trust the vaccine. we need to be clear that russia, china, north korea, if you manipulate our data, you destroy our data, you break competitive systems or -- we are going to come back at you hard. that is why i think the trump administration was very aggressive in responding to iran and the attack on american soldiers in the middle east. they drew a clear line and responded. the biden administration has done very similar, they pushed back also. a lot of times they only understand when we actually cause them pain. we've got to do more in the cyber arena. frankly, we have not done enough. one thing i will say, we talk about deterrence.
12:28 am
to deter people, when you punch back, you cannot do it in private. you cannot do it behind closed doors. we hit them back, but we are not going to talk about it. you need to be able to publicly call and say, if you attack us in ways that are destructive, we will respond and you will feel this pain and that is how others know we don't want to do this to the united states. host: jerry from wisconsin, republican line. caller: thank you for taking my call. one of my questions was already answered about china. as far as for the iran deal, is there any way that they can be completely taken out of the picture? and the other question is, these mega billion dollar drug cartels, are they hacking into our systems also?
12:29 am
thank you very much for my call. guest: two great questions. on iran, the iran deal has been gone for a few years. president trump rightly got rid of it. it was not a good deal to start with, to be candid. the obama administration felt like they had to do something. they got into a deal that has a lot of flaws. we took a real close look at it and tried to get some changes made it. ultimately, the administration did not agree and went forward with the deal. looking at it, president biden has a unique opportunity. we are not in the deal today. our allies in europe want to figure out a path forward to constrain the iranians. the biden administration has a lot of leverage. a lot of people have concerns about president trump but he re-created leverage over iran by re-imposing sanctions. there is opportunity for the
12:30 am
biden administration to take advantage of that. i wrote an op-ed a week and a half ago and talked about how it is important that regardless of what you thought about the iran deal, now that you have this leverage, it would be a mistake to squander it and jump right back into the old deal without extracting concessions. they have made clear, you don't want to make any concessions. this is where america has got to stand strong and say, no, you need this more than we do, we are going to hold you to the line. got maximum pressure on you, you've got to come to the table and negotiate. they talked about getting it, they have not done it yet. that is a good sign. i think there is an opportunity for the biden administration to leverage the advantage left to them to get a better deal out of this. on the second question about criminal gangs and drug cartels, it is fair to say that they are certainly using the
12:31 am
internet and our infrastructure to engage in money laundering and to market and sell their wares. as far as cyber attacks, i am not up to speed. i will get back to you at some point and come back on the show and talk about it. what i can say is this, what i would expect the drug cartels to be doing is looking at the agencies coming after them, try to get access to them. a lot of ways, they do not have the money and skill set to act. if they were looking at the dea and the fbi, understand what is being done, not just against our own agencies, but the agencies of other countries going up against them, mexico. i wouldn't be surprised if the cartels are trying to figure out what they are doing too. host: here is reporting about the former solarwinds ceo appear
12:32 am
before congress, kevin thompson, about what happened. "as of congress on and on the fact that they tried to log into a server but it was not clear if it was used in the intrusion that infected." ." many departments have you heard that and what you think of that -- that was used to infect many departments." what do you think of that? guest: it is an interesting tactic. he throws some blame on this intern who used this easy-to-guess password. these passwords are across government, across industry. they are not the first to have passwords that were easy to guess. all the time hear about in the media about hacks and how these new capabilities are being
12:33 am
utilized. when you had easy passwords or you have emails that are an easy way in for attackers, they can get in easily and escalate privilege. in this case, with solarwinds, the main route of attack does not appear to have been this password, it was an update. they put some code into the update. the first time, it did not do anything just to see if anybody would notice. they did it for a couple of months, nobody noticed. again, 18,000 out of 30,000 gets installed and they update -- we saw the update. a really interesting thing. none of our clients got that second payload, the few hundreds of companies that were affected.
12:34 am
we would have seen that and correlated it and identified it across multiple companies. the second round comes in and now, companies have decided to focus on government agencies. they basically have full access. now they have to look around and see what is going on, elevate privileges and now they own the system for nine months. they owned these government agencies. that is what is so deeply troubling. when you have administrative rights across an agency, you can do anything. you can create new user accounts and give them privileges. it is astounding the patience and scale of this attack. it really was a hack more than an attack. no evidence was destroyed, manipulated or modified. one thing we should talk about, what happens if the russians threatened to do that? we are going to potentially do this. to me, that is the point at which the government has to draw
12:35 am
the line and say we are going to come at you as though you attacked us. you cannot hold our systems at risk of serious damage without some consequences. we have not made that clear yet. that would be something for the biden administration to do, to make clear that we have red lines and we are going to enforce them. if they are crossed, actually enforce them. host: samuel, independent line. caller: good morning, mr. jaffer. my concern about the ultimate cyber security threat is can you tell me what our government is doing to harden our grids to protect against an emp? guest: that is a great question. outside of the cyber arena, which is my focus, i only know a little bit about it from my days back in the government. electromagnetic pulse, which is often times -- electromagnetic
12:36 am
pulse. it can knock out telecommunications systems and the like. a lot has been done over the years. do we have enough today? i think the answer is probably no. could we do more? certainly. at the end of the day, what is important is that we make sure our critical infrastructure is well protected. the department of homeland security has that mission to do that. they've got a new leader. we should focus on critical areas of importance and work across multiple agencies which have a lot of knowledge in the cyber arena. they should get with the best capabilities. as far as today, i don't have
12:37 am
that information. host: when it comes to the biden administration, who are the key figures? guest: the biden administration has put together a strong team today. jake sullivan, the national security advisor -- the deputy national security advisor, it is the first time in any administration that we have had at that level a deputy national security advisor. she comes out of the nsa where she ran for recent years, the defensive side of nsa. she's got a lot of skills there. alongside her is rob joyce, the former cyber advisor in the white house who was sort of pushed out. he is back and running the defensive side of the national security agency. they are going to look for a strong leader so we will see who
12:38 am
gets named for that. there is this national cyber director position that was created as a result of the information. we have not gotten anybody named for that. more to be seen on that front. the director of national intelligence, avril haines and her team. nsa -- an excellent cyber leader. it lets you lead very much for in defending our nation and pressing against our enemies, doing the right thing. i think this team has a lot of smart capable people in this arena. i am looking forward to them trying to do good work on this going forward. it is a challenging problem. the more that the government can work with industry and collaborate and defend our nation collectively, that will be the key to succeeding. host: our conversation with jamil jaffer, the founder of the national security institute at
12:39 am
george mason university law school. from michigan, philip, go ahead. caller: when people turn a pc on or a laptop, can't we stop our internet at the national borders wearing when i turn the computer on, it is the nsa web rather than the world wide web and if i want to go road live i can click something and go worldwide and create a separate server so it is easier for law enforcement and other people to track down who these people are that are coming in and creating all of these. thanks for doing a great job. guest: a really interesting question. a lot of nations thought about this and said, we want to firewall or isolate ourselves
12:40 am
from the global internet. china has built the great firewall. iran has a version. i think there are some challenges with trying to wall yourself off from the internet and create a garden around your cyberspace. the u.s. having built the global internet, a lot of the connections transit through the united states and have for the better part of two decades. that is one of the challenges that a lot of data comes through here. one thing americans have always felt about the importance about our society is our ability to access information freely and openly, no matter where it is stored and communicate with others. it is a challenge to think about, like the iranians or the chinese about creating an isolated internet. there have been discussions about creating an internet where
12:41 am
there is a strong encryption and you focus on that for financial transactions. there is talk about that. i don't know if it has taken that much -- most people are starting to think about i'm going to encrypt my data, make sure it is secure. i'm going to encrypt my data locally, not a lot of devices, a lot of times your iphone will encrypt data. that is going to protect it. when somebody gets into your system and they own your phone or they own your laptop because you let them in either because you had a weak password or you clicked on a phishing link, that is when it gets challenging. creating a secure internet is a real challenge for an open and free society like ours. the other challenge is how do
12:42 am
you define what the borders are. it is hard to know in a highly networked environment, where is the border. it is where the data crosses the imaginary line? data travels the world in the blink of an eye. it is hard to draw that line between where the border of the u.s. internet might actually be. host: stephen in connecticut. independent line. let me push the button. stephen in connecticut, go ahead. caller: it is a really interesting topic. i agree with you. i cannot see us walling the internet off. it is impossible. what i would like to see, instead of a private partnership in the united states, maybe a nato or united nations private partnership or we can aggregate all of these issues through one
12:43 am
central core. for france, we find out what they are doing over there and we are prepped for it or they probe hong kong or taiwan. i don't care where they base it, belgium, new york. is there any legislation to do an international treaty to feed these issues through? guest: it is a great point that stephen makes. as i was saying earlier, we cannot expect private companies individually or government agencies to defend themselves. maybe nations can help, they can work across boundaries. i think stephen is right. it has to be companies with other companies, industries with industries, governments with governments and governments with allied governments. it will be hard to reach a treaty that includes countries like russia and china. they have a different view of what cybersecurity means.
12:44 am
we mean data and expanding that. when the russians and chinese talk about cybersecurity, they are looking for treaties and agreements with other nations that allow them to focus on their people and to oppress their people. when they say cybersecurity as code for something different. we talk about a cyber-nato, that is interesting. when you think about it, the problems that american businesses face, whether they are healthcare providers or u.s. federal agencies, there are the same threat actors that our friends in germany and france, england and canada, new zealand and australia and our friends in south asia, taiwan, japan, singapore. in eastern europe, you see the
12:45 am
russians coming in aggressively. in the middle east, our friends in saudi arabia are under constant attack from iran. by working with them on technology issues and sharing intelligence with them, they can talk to us about what is happening in their region early on about these threats because they are often testbeds. we are sharing intelligence and collaborating and collectively defending across international boundaries in real time, that can change the game and give allied nations the upper hand in the battle against these nations that do not share our national interest. host: what is the legal obligation for a company to disclose when their systems have been compromised? guest: it varies. if you are a publicly traded company, there are certain reporting requirements. a number of states have data breach notification laws. there is a lot of press commerce around the fact that microsoft, the president of microsoft came
12:46 am
out and said that he supported a federal data recertification law. that is not a surprising change from large corporations because they are facing individual states regulating them. if they are going to have 50 states, they might as well have one key federal law and comply with that one standard rather than 50 individual standards. one of the challenges these companies face is -- we have to figure out what is going on. we might get regulation. we might get lawsuits. we have to make sure we have done this thing the right way. there is this balance between protecting the company and shareholders and customers and disclosing information so the larger ecosystem can be protected. there are a lot of interesting
12:47 am
ideas about this. we have had debate about these things. one of the interesting ideas i have heard is how do we let companies report what has happened to them, but we do not disclose their names and we allow them to be anonymous and we tell them, you are not going to face regulatory liabilities or regulatory action. we want you to report this information for the good of the nation. then other companies can defend themselves and not worry about the heavy hand of the government or the heavy hand of lawsuits. that might be the thing that really incentivizes companies to share rapidly and get the lawyers out of the room and allow the defenders of companies and the government to work together more effectively. that is what we try to do with the information sharing legislation that we worked on and got passed along. now we see that on the breach notification and on the hacking side. that can be potentially game changing. the law could have done more. i think there is a real opportunity to make some changes in the aftermath of this hack.
12:48 am
host: jeffrey in pennsylvania. good morning. caller: how are you doing? i agree with what you say about the national standard of reporting and being anonymous. it is out of control. what we need to do as a country is when we catch somebody that has hacked or when we catch someone up to nefarious business, we make the penalties so strong that you don't want to do it again. for instance, i recently had my card was hacked at a local sunoco where the card reader got my information and i had to call my bank and do all of that. i think you should find and make an example of the people that are doing that. then the message gets sent across that we have a global problem across nations that america is not going to stand for it. i liken it to robbing a bank. in the pittsburgh region, we had
12:49 am
somebody sitting everybody visa cards to a local credit union to gather the $200 20 effort. those people should be caught, televised, punished. and the next one is going to be like, i don't think i want to do that. your thoughts? guest: jeffrey makes a great point. he is exactly right. if we don't extract costs from those who are hacking us, we are never going to deter them from that behavior. the whole premise of our criminal justice system is deterrence. you know there is a high penalty, and when you get caught, you're going to pay the price and you are not going to want to do that again. we have to apply that in the international realm. part of the challenge with cyberspace is, people say, deterrence does not work in cyberspace. we don't talk about what you might do to us that will cause you pain if you do it to us, we
12:50 am
don't talk about where our red lines are, we don't talk about what we can do to you and our capabilities to respond. in cyberspace, you can punish people in other ways and extract costs outside of the cyber arena. this is the most important thing, we don't actually impose costs when these things happen. that is a problem. when you draw lines or don't draw lines at all, it is no surprise that russia, china, iran and north korea continue to test the boundaries. our kids do it with us every day if we don't set clear lines and don't extract the cost from them, they are going to push the line. the same thing is true with nation-states. if we are going to deter, we have to draw clear lines and impose costs. we have to be serious about it. that is why i am proud of what the prior administration did on iran and the protect against americans in iraq. i'm proud of what the biden administration did on that front. that is what we need to do.
12:51 am
you hit us in real space, we get you back. you hit us in cyber, we are going to hit you back and it may not, in cyberspace. host: jamil jaffer
