tv This Week in Defense CBS November 20, 2011 11:00am-11:30am EST
11:01 am
11:02 am
attack against the u.s. government, the pentagon, top defense companies or industrial giants. the issue is among the top national security challenges facing the united states and its allies. the successful stuxnet attack against iran last year in which a sophisticated computer virus was injected into iran's nuclear production. it's unclear who launched the attack. america and israel have been accused, but both have declined comment. what's clear is a malicious software code can cause major industrial components to self-destruct. cyber theft is also on the rise. according to a u.s. intelligence report issued earlier this month, the top cyber threat comes from sophisticated and relentless chinese and russian cyber operations that are stealing american intellectual property. this week we're devoting our entire threat to the risks posed by this new domain of warfare with a panel of distinguished experts. joining me are air force major retired air force major general dale meyerrose, vice president at harris corporations, integrated network solutions. alan paller, the director of research at the sans institute,
11:03 am
the largest cyber security training organization. phyllis schneck the chief technology officer for the public sector division of mcafee and larry castro, the managing director of the chertoff group consultancy who served for decades at the national security agency. gentlemen and lady welcome to the show. >> thank you. >> for years we've been hearing the vast majority of the cyber attacks that happen are hackers are the guys who are doing it and that it's very hard to attribute states to any nefarious activity. how is that threat evolving now? >> i think it's changing in two fundamental ways. first of all, the target is not just the united states military, governments in general or institutions like that, they are virtually everybody, industry, individuals and so who is being threatened has expanded greatly. they've become more complex, they've become more insidious. the second thing is that instead of breaking and entering as a concept in disrupting, they're finding
11:04 am
more and more value to surreptitiously infiltrating and stealing. so oftentimes in today's environment hacking is, in fact, another word for steal. >> larry, let me go to you. you spent decades doing some of this. how do you attribute what is an actual hacker who may be quite benign or who is actually a state sponsor who's getting into your systems to do something malicious or leave something malicious behind? >> again, what really is the concern is the ones that you can't even attribute or know about. this is the term that has become very popular called the advanced persistent threat. the application is that the adversary comes in low and slow, stays below all your sensor levels and then waits there to actually exploit a time when he can exfiltrate data. the answer to your question is i would be looking at what is going out of my system as opposed to what was coming into my system and looking to
11:05 am
see where that data exfiltrated was going and was it going to a legitimate place. >> are we as good as we should be knowing what's coming in and out of our systems and tracking them? >> clearly not. >> alan. >> we are far behind the attackers on skill sets right now, head of darpa has talked about spending an enormous amount of money and still not being able to solve the problems. >> exactly. regina dugan has said that on many occasions. >> darpa is doing a great job of turning that around, better than others. when she gets done, most of her people are focused on technologies that are going to solve the problem. you mentioned the stuxnet attack. that was a lot of very smart people doing a lot of very smart people work. and once it's done, it can't be used again practically. >> right. >> so it's not like a weapons system where you can put all that intelligence into creating something that you can use over
11:06 am
and over again, now we've got an environment where the tanks in the next war are actually going to be the people because if you don't have better people handling your information controls than the other guys does, you lose. >> is that the fundamental change that we need, phyllis, is to fundamentally change how we think about the problem in order to be able to fix it? >> i think we have to look at our adversary. our adversary is fast, they have no intellectual property boundaries, no legal boundaries, often state funding and they simply execute. we -- >> with vast armies that are auxiliary support the half a million freelance hackers and the cyber army they have. >> typically it's large groups of information that share information, have public/private partnerships, everything we say we need to do with our how do we beat that enemy and the one thing is the good guys can do and the enemies cannot and that's the cyber situational awareness, understanding where certain
11:07 am
actions, just like a weather map, where certain actions and certain dispositions are happening and how do we protect ourselves, much like your body's immune system. >> are we going about protecting networks in the right way? we have a tendency of looking at network security, to protect the wall that goes around the information, believe the -- which has left the information among those walls relatively unsecured. do we need to say these are the important things that really need high fences around them, not at the expense of the network, but to actually have more layered defense? >> clearly. and the emphasis there, just as you say, is on a data-centric approach, knowing the critical information you have and making sure that access to that information is controlled and that you establish norms of that access knowing that user x may be accessing this information once a week, but if you see his account accessing it three times a day, then you know that norm has been
11:08 am
exceeded. >> dale. >> go ahead. >> in reality, the work force has moved outside of the network that we built in the '90s. not only that, the expectation of universal access to information means that you're not going to be confined by the network, and so we have to get more mature in our ability to think of how do we create those trusted environments out there in cyber space beyond our own network boundaries. >> you were going to say something, phyllis. >> data in motion, data at rest and data in use. what that takes to protect that upfront investment and knowing the cyber risk being able to run while resilient like the military needs to, we need to decide that data at each point and what we need to do to protect that. >> the question i have is historically we think about the data and the protection issue, again, as a government or military issue, or an industrial-based issue. the pentagon is drawing, and there are a lot of good technologies being developed by the commercial industrial base. as we've seen in the latest
11:09 am
task force report in saying, okay, a lot of this is intellectual property theft, what do you have to do in order to drive this point home to a lot of companies who are being stolen blind that don't have a lot of these situational awareness tools that you have in government. i mean, do you have to have like almost fire safety laws that apply to everybody? you know, you guys have to have an x amount of technology to protect yourself at all levels even if you're a smaller company? >> so one of the biggest risks we see today to the point made before is the mass exfiltration to intellectual properties. it's not regulation. i think regulation is dangerous. regulation would stifle the innovation across the world of creating science minds to make the next great technologies. what you need is incentives up front to incentivize public and private sectors to invest in cyber security, good risk assessments and protect those data at all points of the network all the way to the chip, understanding how the
11:10 am
silicon works in preventing an attack, even at the memory level. >> if i could come back, i want to bring back the discussion about they're getting inside, they've infiltrated the systems, we can't assume that we can stop them at the edges, that's called operating in -- what do people say? >> under attack? >> when you do not have control of your computers. very dangerous situation if you're in a command and control situation and you don't know you control the command and control or you don't know if you control the communication sector. >> or somebody else is controlling it when you think you have control. >> so active defense is a term that's being used a lot of ways. but the best way i've heard lately is from the air force folks where they mean making sure that we have multiple routes and making sure that we can find out -- find the bad guys who are inside and that's the hardest job i think we have in security.
11:11 am
>> up next, offensive cyber weapons, the risks
11:12 am
we're back with our roundtable of cyber experts. we're going to go and talk about offensive cyber in just a moment, but i feel i have to tackle this regulation question and i think that larry wants to jump in on this as well. what are the insights that you can possibly get? my view if you don't have regulations or standards, there's no reason somebody would want to adopt protective technologies that are going to end up costing them more money.
11:13 am
larry. >> again, what's needed is a minimum level of standard as to what those who are particularly part as what we designate as the critical infrastructure have to adhere to. >> power plants, water. >> but not even within those categories everybody. there would be a metric as for how you would ascertain which ones that should be applicable to. an analogy i've heard is we have an interstate highway system. that interstate highway system has basic standards so that when i drive from annapolis, maryland, to cocoa, florida, as i do a couple of times a year, i know that there'll be a reasonable set of speed limits that my car will not go off one road. >> quality of the road, on ramps, everything is consistent >> that's what i would say is needed. >> fully agreed, larry, we need to do everything we need to protect those critical infrastructure. i would contemplate global
11:14 am
structures and not have those national standards. and make the point from a cyber computer company's perspective, if we pushed for aúwe'd draw more money in the short term. the problem with that is that longer term two things, the bad guy, first of all, knows what's outside that box and that's what they'll target. secondly, your creativity and your incentive to be creative and find the next great technology goes away because everyone is just focused on what they know is going to get purchased. so what i push for is global standards that protect this without some heavy-handed national regulation that could stifle that innovation. >> let's talk briefly then about the market. everybody, all defense contractors, the programs, large, sort of hardware brick and mortar programs say they'll be in danger and say, but i have cyber. if you're lockheed martin and you lose that stryker, what is the market here when we talk
11:15 am
about cyber? >> i absolutely believe it's much smaller than the stockholders of those big companies are being told. there's a huge market, but it's huge relative to what it used to be and it's not the same kind of market that they were strong in, so the competition that they -- they never had much competition for missile systems. but the competition for cyber skills -- >> is huge. >> is huge. so even if there is a lot more money there, and there is, it's not enough to even begin to fill the needs that you saw being emptied by the defense budget. >> dale, you're vice president of a major defense company. >> i very much agree with alan's comments in general. i also believe that we're going to different types of technology in the information technology business, things like virtualization and those kinds of things. those will redefine some of the industries that used to build the networks in our organization. >> so do we know whether it's a $10 billion a year, $50 billion a year business or do we just not know yet? >> it happens in every growth
11:16 am
industry as people rename other things in that name. not an unanswerable question because they keep changing. >> let's go to offensive cyber which i find absolutely and totally fascinating. so increasingly in the news, what is offensive cyber, what is it used for and what are some of the other uses of offensive cyber aside from being destructive? >> i think there are three things that are important to point out. the first is that cyber gives you an asymmetric capability. it allows a small guy with a -- to poke a big guy with a stick and not get his nose bloodied immediately. you can be more aggressive in cyber space because of that. the next thing is that there is not much precision in cyber space. so there's lots of cyber. i may intend for my cyber insert to target somebody, but it will target every other computer, every other kind of
11:17 am
i.p. address that -- >> it's hard for it to be a precision weapon like a dart. >> it is very hard to be a precision weapon like a dart. >> what's the third one? >> the third one is cyber will be used in conjunction with other parts of national military power or with criminal elements. it won't be used necessarily in and of itself. it'll be in conjunction with diplomatic, economic, military or trade type of negotiations or other events in the world. >> but as you were saying earlier, it's very hard to have something that is useable repeatedly. it's a one-time device for a specific thing, for example, to take out siemens centrifuge controls or something like that. >> that's why the skills have become so important. one thing people don't know about china is every p.l.a. district in china runs competitions every spring where they take all the people they've caught hacking and all the people that are interested in hacking and they compete and then they go with the -- the ones who win go to a 30-day, 16-hour a day workshop.
11:18 am
it's great. >> that's an incentive to get nailed for a cyber crime in china. >> in china it's a capital offense. so they have a lot of leverage on whether you want to join the competition. >> we point out that there are defensive uses of offense, remembering that you might categorize offense as computer network attack and computer network exploitation. that same computer network exploitation capability that our nation has can be used to glean information about what that cyber environment is. on a more local level, many, many institutions, both public and private operate red teams that are, in fact, the perpetrators of offensive acts for purposes of including one's defense. >> more with
11:21 am
mcafee, paul and larry castro of the chertoff group. alan, let me talk to you and ask you a little bit about who the critics of stuxnet say it should never have been developed, it can cross other platforms, very hard to target. but on that same right, we developed the aircraft, the submarine, the atom bomb and tools that were ultimately used against us in part of the proceedings of warfare. how can we live in a world and have viruses that can destroy hardware? >> we're going to live with it. much more in the united states, we are much more dependent on technology than any other nation right now, and the ability of software to destroy hardware was discovered a few years ago when it was covered on cnn the world changed. so stuxnet was the use of something that probably shouldn't have ever gotten out, but it's out. we are going to have to build defenses, especially in the critical infrastructure we have
11:22 am
not yet built. >> for example? >> for example, making sure that the communications into the control systems are not open communications, they're just another business system. those control systems cannot be replaced, meaning those rotating things that make power, we only have one extra, one in the whole united states, you take out four of them, life in this century goes back 20 or 30 years. >> well, let me ask you, dale, i mean, this whole idea of, you know, there are those who say there are the cyber pearl harbors, how big is the risk from a cyber pearl harbor or would it be something localized but still with very, very bad ramifications? >> i think the actual damage from a cyber pearl harbor is quite minimal, and i think the probability of having what we think of pearl harbor is quite minimal. what will be quite maximum is the cyber hysteria that will result from the implications and the possibility. so the real danger then is our reaction to a perception that something has happened and how
11:23 am
we subsequently treat everything around it. >> one of the things, larry, if i can go to you, in terms of finding a solution generally the blame is always laid at the feet of congress, ultimately. and there are those who say there are 50 pieces of very important cyber legislation up on the hill that is not going anywhere. what are the most important pieces of legislation, where are they and why are they not progressing? >> first, as you point out, there are several. and any of them have common features, some of them take out individual pieces. the problem, of course, is that there are multiple jurisdictions in the congressional committees who believe that they are the ones that should be up front. my understanding, though, is that at least on the senate side there is going to be a movement at the beginning of the year to if not take one piece of legislation and if you were asking me personally, i would say that the collins lieberman or lieberman collins bill comes closest to that, for taking key portions and trying to combine them. that still leaves how you deal with the house who's already
11:24 am
gone public with what their approach would be. the biggest issue is the one that we were talking about before and that is how far should regulation go versus incentive and who should be regulated. >> we've got about a minute left. phyllis, i'd like to go to you. very few people involved in cyber crime appear to be caught and prosecuted. why is that and do we need some form of international crime prevention when it comes to cyber? >> i think we have good news. in the past two years, i believe the fbi and the law enforcement national cooperation along with the public/private sector coalition, my colleagues around the table and the training alliance up in pittsburgh, their work has led to the arrest of a few hundred cyber criminals around the world. i think that's very important it shows the work that's done through public private collaboration internationally and it also shows when you can actually put cyber criminal and those doing harm to our way of life in orange jumpsuits. it does two things, it shows the rest of the world it won't be tolerated and secondly, to
11:25 am
alan's point, the cyber gets weaponized and can do far more destruction now, whether it's markets and money or intellectual property or things like stuxnet to critical infrastructure. we want to add jumpsuits to that equation as well. >> which is a good chinese recruiting tool. alan, let me give you the last word. you told me you think there's still some upside here. >> the united states is doing a phenomenal job in beginning to turn the tide. we have upgraded the skills to our high school and college kids. the defense department is leading the way, leading by example. so i don't think we want to end this on a negative note. >> guys, thanks very much for joining us. we really appreciate it. coming up in my notebook, why the super
11:27 am
called congressional super committee that has until november 23rd, to determine how to cut $1.2 trillion of federal spending over the coming decade. if they fail, half of the cuts, about $600 billion will come automatically from national security in a process called sequestration. defense hawks, defense secretary leon panetta and military leaders have sounded the alarm, saying cutting another $600 billion of defense on top of $450 billion in cuts already ordered by president obama would be devastating. defense spending can be cut further, but sequestration won't allow for thoughtful cuts and forms. instead, $57 billion more would be hacked from d.o.d.'s budget in the first year alone. that means expedient cuts that will prove costly in the long-term. panetta has said saving so much money so fast would kill the joint strike fighter and other key modernization efforts, costing future highly skilled jobs. cutting people takes longer and costs more money, while cutting
11:28 am
operations is hard with troops still engaged in afghanistan and elsewhere. national security cuts must always be made with a scalpel, not a chain saw. the super committee must strike a deal raising revenues to cut debt without hurting a fragile economy that is the critical element of america's national security. thanks for joining us for "this week in defense news." i'm vago muradian. you can watch this program online at defensenewstv.com or you can e-mail me at vago@defensenewstv.com. i'll be back next week at the
11:29 am