Did it start with the discovery of that 12-story white building on the outskirts of Shanghai?
No, in fact, it goes back all the way to the dawn of the internet itself. And in 1967, when the ARPANET was about to go up, that was the precursor to the internet, that was, you know, a network where all the contractors at the Defense Department would be able to, you know, talk with one another in their computer programs. There was a man named Willis Ware. He was a computer pioneer. He was the head of the computer department at the RAND Corporation, and he was also on the scientific advisory board at the NSA. And he wrote a paper, it was secret at the time. It's been declassified, it's a fascinating document. You can look it up. He said, here's the thing, here's the problem. Once you create a computer network, once you have access from multiple, unsecured locations, you're going to create inherent vulnerabilities. You're not going to be able to keep secrets anymore. And so when I was doing my research, I talked with this man, Steve Lukasik, who was the deputy director of ARPA. I said, did you read Willis Ware's paper? Oh, sure. What did you think of it? I took it to the guys on the team and got the story confirmed, and they read it and said, oh, Jesus, don't saddle us with a security requirement too. I mean, look how hard it was to do this. It's like asking the Wright Brothers that their first plane has to fly 20 miles carrying 50 passengers. Just let's do this one step at a time. And besides, the Russians aren't going to be able to do this for decades. Well, it was decades, two and a half, three decades, but by that time whole systems and networks had grown up with no provisions for security whatsoever. So I see this as kind of, you know, the bitten apple in the digital Garden of Eden. The situation warned about and created from the very beginning. Now, all of this was unnoticed until June of 1983, when Ronald Reagan watched the movie WarGames up at Camp David.
One of the guys who wrote it, not the one who's coming here tomorrow, but the other writer, his parents were in Hollywood. They were Hollywood producers, and so they knew Ronald Reagan. So he got a copy of the film. And he watched it. It's on a Saturday night. The following Wednesday he is back in the White House, and there was a big meeting to discuss the MX missile, actually. Some of you might remember that. And at one point everybody's there, his national security adviser, some people on the Hill. At one point he puts down his index cards, and he says, has anybody seen this movie called WarGames? And nobody had seen it, it had just come out. He launches into this very lengthy plot description. And people are looking around, where's this going? He says, general, could something like this really happen? Could somebody just break into one of our most secure computers? He said, well, I'll look into that, Mr. President. And he comes back a week later, and he says, Mr. President, the problem is much worse than you think. And so one year later there was a national security decision directive signed by the president about telecommunications and computer security. It was the first document of its sort. But it took a strange direction. It was basically written by the NSA, which was the only agency that knew anything about computers. And the way they wrote it, the NSA would control the standards for all computers in the United States. Government, military, personal, business, everything. There were some people on Capitol Hill who didn't go along with that. And so they rewrote it so that, basically, the NSA would have security over .mil, classified stuff, and the Commerce Department would have everything else. Well, of course, the Commerce Department didn't know anything. They have no ability to do this. The NSA had no interest in securing these channels. They were interested at that time purely in exploiting security gaps, not in filling them.
So for about a decade, nothing was done about this problem. And I won't go any further. This is just supposed to be a little introduction. But the point is these two incidents, you know, Willis Ware writing this paper, the dawn of the internet, and the extremely unlikely coincidence of Ronald Reagan watching WarGames and asking a question that had everybody in the room rolling their eyeballs like, oh, Christ, where's the old man going now, led to the systems, programs and, more than that, the issues, the policies and the controversies and the tensions that persist to this very day. One more little thing about the WarGames connection before I go back down and sit down and have a conversation. This is something I discovered almost by accident. It turned out that the two writers of WarGames, you probably have all, I'm assuming that you've all seen or remember WarGames, but, basically, the kid played by Matthew Broderick gets into the NORAD computer by, he has something called demon dialing. This was before the age of the internet. He hooks up a system that automatically dials the phone numbers, and when a modem is reached, it records that number. So he breaks into the NORAD computer like this. He thinks he's just latched on to some new online game, and he almost starts World War III. But the screenwriters were puzzled. They said, God, is this really plausible? Could somebody just, it's got to be a closed system, right? Could somebody from the outside get into NORAD's number? They live inside Santa Monica and said, who can we talk to? They went in and talked to Willis Ware. Turned out to be a very nice guy. They laid out the problem, and he, you know, I designed the software and, you're right, it is a closed system, but there's always some officer who wants to work from home on the weekend, so he leaves a port, so, yeah. If somebody happened to dial that number, he could get in.
And he says, you know, the thing is the only secure computer is a computer that nobody can use. So that's sort of the lesson that we've all learned since. And now I'll sit and have a conversation.
Thank you very much, Fred. The other, one of those writers subsequently went on to write another movie called Sneakers. They both did. Larry Lasker was the cowriter of that as well. We will be talking to him on Wednesday so we can see what the direction is. [laughter] But before we get there, you've written a history of cyber war. And traditionally when people write books about war, they write about battlefields, and people tend to study those battles so that they can get a greater sense of how to fight battles in the future, to appreciate strategy.
Right.
What, what do you think, having done your research, written your book, are the events between 1983 and now that the student of cyber war should look back on and, you know, instead of walking the battlefield of Gettysburg, sort of take as lessons to study for the future?
Well, there are no battlefields to walk, unfortunately. I guess a pivotal moment came in 1997. There was, the director, the new director of the NSA at the time, a three-star Air Force general named Ken Minihan, he had been commander of the Air Force war center in San Antonio where they were doing a lot of things about cybersecurity and cyber war. He couldn't get any of the other officers interested at all. You know, back then fighting wars was dropping bombs on people, from the Air Force point of view. Computer, nobody even knew how to use computers, you know? So he decided, couldn't get anybody interested, he knew about the vulnerabilities. So he got permission to do a war game where 25 red team members in the NSA would actually hack into all the networks of the defense county. Now, they had to go through a lot of lawyers to get this done, and one of the conditions was they had to use commercially available equipment.
They couldn't use their top secret SIGINT stuff to mess with domestic networks. And so they did this. And they prepared for it for a few months, scoping out the networks, scoping out what they would do. The people who had been victimized were not to know. The only people who knew about it were the people who actually knew about it and the lawyers, like the attorney general and the secretary of defense. So they laid two weeks aside to do this. It turned out within four days they had hacked into all the Defense Department networks, including the National Military Command Center, which is, you know, how the president communicates and sends orders to the secretary of defense. All of it, just mercilessly hacked, you know? Sometimes they would just leave a marker, you know, Kilroy was here. Sometimes they would intercept messages, send back false messages, mess up orders. People's heads were being screwed with like, you know, what's going on here? I don't know what's happening. There was only one guy, there was a Marine out in the Pacific who knew that something was going on. But see, there were no, even if you knew what was going on, there were no protocols. What do you do about this? So he just unplugged the computer from the internet, which was the smart thing to do. Everybody else, so when the debrief happened and they go through, you know, here's what we found and here are some passwords we dug out of a dumpster here, and here's a tape recording where our guy called up the secretary and said, I'm an IT guy, I need to change passwords, what's the password for everybody, and they told them. And everything like that, and everybody was appalled. And that was when the deputy secretary of defense at the time said, okay, who's in charge? We need to fix this, who's in charge? And nobody was in charge. So, but then they started to set up some warning centers and some 24/7 watch centers, which was a good thing because within a few months, somebody starts hacking into the U.S.
military systems. And maybe it had been going on longer than that. But the big thing was something called Solar Sunrise, where some serious hacking, it turned out to be two kids in California. And some people, somebody said, oh, whew, just two kids in California. But other people said, wait a minute, two kids in California can do this, what are the nation-states? And a few months later they called Solar Sunrise, then something happened which was Moonlight Maze, which was somebody not just breaking into defense networks, but persisting and kind of looking around for things. They were looking for particular things. And eventually they traced that back to a, there was the Russians. It was using a server at the Russian Academy of Sciences. And then the Chinese started doing it, and then operations concern, oh, by the way, one thing very interesting. There was this war game called Eligible Receiver. When the NSA was inside the Defense Department networks, they noticed some French IPs strolling around. So this was already really happening in 1997, okay? So, but then there were other things. There was some sort of [inaudible] cyber war things, a very big deal. Remember when Clinton was planning to invade Haiti because some warlords had taken over, and they were working up war plans, and one part of it was, well, how do we get into, how do we get, Haiti had a very rudimentary air defense system, but a lot of this was flying in people, you didn't want anybody shot down. And this was when this guy Minihan was in San Antonio. One of his tech guys said, you know, boss, I found out that the Haitian air defense system is wired into the commercial telephone system, and I know how to make all the phones in Haiti busy at the same time. So that's how they were going to deflect, you know, defeat the air defense system. Okay. Years later, Yugoslavia, Clinton's war against Milosevic. Remember, the bombing went on for months and months.
Well, there was a cyber element to this. And again it was phones, but at the time computers were run by phones too. They did some of the same things. They got into the Serbian phone system. A CIA guy went in and put in a plant, and then the NSA was able to hone in on this plant. And the air defense system was wired through the phone system. So they were able to go in there and mess with their radars so that on the screen it would look like there were some planes in the northwest but, actually, they were coming from the west. So they would aim at the wrong spot. They would send messages to Milosevic's cronies saying, you know, we know you own this copper plant. We're going to turn out the lights in the copper plant if you don't get rid of Milosevic. And they said, oh, you know, forget about it. And they would turn out the lights in the copper, in the copper plant. And then, okay, if you keep this up, we're going to bomb you tomorrow. So he, that's how Milosevic lost his cronies. They were threatened by what was called information warfare. So this was the first information warfare campaign. Some admiral gave a briefing afterwards, okay, this was both a success and a failure. We only used about one-tenth of what we could have done, but it was very interesting. And then after that, you know, we know about some of the things, Stuxnet, there were some things, I'll give one more, and then we should maybe move to a different sector. When the Israelis bombed the nascent Syrian reactor, which really was a nascent Syrian reactor being, they were helped by North Korean scientists, what happened, a lot of people, even the Syrians didn't acknowledge it because it meant the Israelis had to go about 150 miles inside of Syrian territory without being detected even though they had just installed some new Russian surface-to-air missiles and radar. So they'd rather not even acknowledge that it happened.
What happened was that they used the program that was developed by the Air Force here and implemented by something called Unit 8200, which is the Israeli NSA. It intercepted not the radar and not the radar screens, but a data link between the radar and screens. So that the people looking at the screens saw nothing. The radar was detecting planes and, in fact, the people in the airplanes were hearing bing, bing, bing, bing, bing. So it took a little nerve to continue. But they also had people, they were able to intercept the signal off the monitor that the radar operators were looking at to make sure that this worked, to make sure that they really were seeing nothing. And they were seeing nothing. So these planes got in, dropped the bomb, destroyed the factory, and people were saying, well, how, what? Our screens show nothing. So that kind of thing. Actually, I should do one more, and that is the Iraq war. I wrote a book called The Insurgents: David Petraeus and the Plot to Change the American Way of War, where I accepted the idea, this is the only thing in this book that I'll qualify or retract a little bit, that, you know, there was a big turnaround in 2007. Basically, the surge and the change of strategy towards counterinsurgency. Well, there's one other thing, and that is the NSA got involved. The NSA actually sent over a few-year period 6,000 analysts to Iraq. 22 of them were killed out on missions to capture insurgent computers. But they basically captured the computers, they got into the systems, they got into the passwords, they got into the email connections, and they did things like they sent messages to other insurgents saying, okay, let's meet at such and such a place tomorrow at 4:00. And there would be these special operations forces waiting there to kill them. Or they detect from drones somebody planting a roadside bomb. Used to be you could follow them and then you had to send the information back to Washington, it would take 16 hours.
Within one minute they could target these guys. So in 2007 through these techniques they killed 4,000 insurgents, which is one reason why things really kind of turned around. I remember the first person I asked about this, and he looked a little alarmed that I knew anything about it, he said, well, yeah. When the histories really get written about this, this'll be the equivalent of, you know, breaking the German submarine codes in World War II, which, of course, wasn't revealed for decades after. So this cyber has been a part of these operations and these plans and thinking for quite a long time.
Just taking you back to Moonlight Maze, one of the anecdotes you tell, the delegation gets to Moscow. First day, very warmly welcomed.
Yeah. They started, when they realized that this was Russia and, of course, this was Clinton, Yeltsin, post-Cold War. You know, we're all friends. So they decided, you know, we should maybe send a delegation to Moscow. Maybe they don't know this is going on, maybe it's not the government. We'll present as a criminal investigation for which we are seeking assistance from the Russian Federation. And there was a controversy whether to do this, but they said, yeah, let's do it. So they sent over this delegation. On the first day, you know, caviar, champagne, welcome our friends. And there was this one general in the military who was helping out. They brought over logs, and the guy brings out his own logs, and he's shocked. This is terrible, these bastards in intelligence, this is awful. We will not stand for this, we're going to clean this up. So then they were going to be there for five or six days. The second day, you know, we're going to have a sightseeing tour today. We're going to go around, so they did sightseeing, and then the third day they were going to do some more sightseeing, and then the fourth day, there was nothing. The fifth day, there was nothing.
Well, can we talk to this guy? He's busy now. There was, so they left. The embassy is calling, the legal office saying we need to, oh, yeah, we will send you a memo on this. Anyway, it's over. What they realized when they got back is that this was a government program. This poor general who, God knows what happened to him for helping the United States [laughter] military and intelligence guys coming over, he just didn't know about it. And for a while, the hacking did stop. But then it started in again, and the Chinese started doing it too.
Yeah. Feels very distant in time.
Yeah, yeah, yeah.
So the story that you've just told is a very military-heavy story, sort of literally going through one of our most recent wars in Iraq. But, and, you know, clearly Solar Sunrise, Moonlight Maze, they led to the establishment of a new organization, joint task force of computer network defense, which becomes computer network operations years later. But in the 1990s there's this parallel development going on in the White House where people are starting to realize that critical infrastructure is vulnerable. Do you want to talk a little bit more about Richard Clarke and what he was up to?
Well, as all this other stuff was going on, Eligible Receiver and other things, a couple of years before that, the Oklahoma City bombings, led to President Clinton signed a directive on, a policy on counterterrorism. And they started setting up a joint task force on, which was called the critical infrastructure working group, because people are thinking, well, you know, they blew up a federal office building, and a lot of people were killed. What happens if the next thing they blow up, a power dam or some electrical facilities? Something that could affect the entire economy. We need to set up some policies for this. So the working group, they defined what critical infrastructure was, eight sectors of the economy.
You know, transportation, banking and finance, water works, dams, you know, so forth. And then they decided, as most working groups like this, to create a commission, a presidentially appointed commission to look into this. Well, the people who were on this working group and on this commission, they'd had some background in black programs, and they knew about this cyber element. And they thought, well, you know, it's pretty obvious how you protect something from physical damage. But there's this other thing going on, this vulnerability to electronic and computer hacking and that sort of thing. So as this report got written, half of it was about, and this is where the term was first used, they talked about two types of vulnerabilities, physical vulnerability and cyber vulnerability. And it said, you know, in the future somebody could do more damage with a keyboard than with a bomb, you know? That sort of thing. They were looking at this as the new nuclear weapon. So that was in 1997. And this analyst named Richard Clarke, who you've probably heard of since, was sort of put in charge of this. And he didn't know anything about computers, nobody did, as I say. And so he decided to go do a road trip with his staff, and they went out to Silicon Valley, and they went to talk to all the executives. And they learned that, well, you know, Microsoft knows a lot about operating systems, and the guys at Cisco know a lot about routers, and the guys at Intel know a lot about chips, but nobody knew about anything else, and they didn't know about the vulnerabilities in the things in between. And so he then, I don't know how much you want me to get into this, but he basically meets up through an FBI contact with a hacker, a hacker who goes by the name Mudge, who's, like, very famous in these kinds of fields. And he met him in Harvard Square, and his whole group is called the L0pht. They took him to the L0pht. It was on the second floor of a warehouse in Boston.
And they had stuff there, and they were able to do things there like hack into any password, replicate any kind of equipment, hack into anything, get, and that changed the whole threat model to Clarke. He realized, okay, you guys are doing things or are able to do things that we in the White House have said and the intelligence community have said only nation-states can do. And Clarke at the time, he was head of counterterrorism. He was chasing Osama bin Laden all over the place. Not physically, but, and he said, oh, this'll be great for part of my portfolio, cyber terrorism. Because if these guys were terrorists, they could do acts of cyber terrorism. So that did expand the whole notion of cyber war and what it might result in. I think that's one thing that hasn't panned out, at least yet. I don't think there are any terrorist groups now that are able to do quite the things that some of the white and gray hat hackers who are getting paid a lot of money to do certain things have actually done against our infrastructure.
At the moment we won't get into, at the moment, why that hasn't happened, but just before we do, one more iteration where we have the arrival of Mike Hayden at NSA in 1990 and then 9/11, where surveillance, for want of a better word, becomes part of the story.
Right.
Could you tell us a little more about sort of the impact in the changes in technology that takes us pretty much up to Snowden and the present day.
Right. Well, you know, the NSA, up to about this time we've been talking about, they were still very much wedded to the analog world. Tapping phone circuits, intercepting radio signals, intercepting microwave emissions, that kind of thing. And then in the early 90s, actually a little bit before what we were talking about, they notice that, you know, they have these big listening towers and dishes all over the world. Certain parts of the world, nothing is coming in anymore. They're not getting any communications. Because they'd gone underground.
They'd gone to fiber optics, or they've gone to cellular, and they have no ability to do this. And somebody who had been director of the NSA before wrote a paper for a congressional, very kind of classified congressional committee, the paper was called Are We Going Deaf. And the Cold War was ending about that time too. So, and there was, the NSA used to be divided into the A group, which were the guys tracking the Russians, and the B group, which was the rest of the world. The A group, should this even be called the A group? Shouldn't this be cut quite a lot? We're not really tracking the Russians anymore, or not so much. So they, and this is where we get a little bit into the movie Sneakers. Do you all remember Sneakers? Mike McConnell, he was a career Navy intelligence guy. He gets into the NSA. He's looking around, he's saying, what, what does this big organization do? The Cold War is over. We're not, we're not getting these radio signals anymore. What do we do? And, you know, people would come into his office with these, you know, okay, admiral, you know, here's a map of sea lanes of communication. Okay, now here's the map you really need to look at. And they were maps of fiber optics. Okay, that's very interesting. But he still didn't, so then he went to see Sneakers. And for those who didn't see it, it's a movie about these hackers. This is 1993. I mean, nothing like this really existed that much. But there's this whole kind of ridiculous plot. They get a call from the NSA, and it turns out the NSA people are really the criminals, and this guy is working for the government, and this is one scene where Ben Kingsley, this kind of evil mastermind who used to be a college roommate of the lead good guy hacker who's played by Robert Redford, there's this whole monologue he has on the roof. He goes, you know, Marty, the war now, it's not about bullets and bombs, Marty, it's about the information. It was about 0s and 1s.
It's about, we're in a war, and it talks about who has the most information. So Mike McConnell sits up in his chair, and he realizes, this is our mission statement now. [laughter] And so he goes back, and he gets the last reel of this film, and he has everybody in the senior executive at the NSA watch it. Tells everybody to go watch this movie, even take off the afternoon to go watch this movie. This is what we're doing now. He takes one of his best field officers, brings him back to Fort Meade, creates a job for him called the director of information warfare. And then all these kind of nascent cyber-type outfits around the bureaucracy and the military all of a sudden call themselves, this is when the Air Force information warfare, they all, information warfare is the new thing. That's where the money is, that's where it's happening. But what they really did do, and then when Hayden came along, they created something called the Tailored Access Operations office, TAO. So these were the guys who figured out how to get into computers, how to make us not deaf anymore. So the president says, I need to get in this guy's email. They figure out how to do it. They're the ones who break the new codes, it's not phones anymore, it's not radio signals, it's fiber optics. It's, oh, they create an air gap where they unplug their computer from the internet. How do we cross over the air gap? And there's something created in the CIA which is kind of a joint operation, and they did this in Yugoslavia the first time. They would go over and maybe plant a device on the computer or put in a thumb drive, and with that, that would insert some malware, and the NSA can get into it from that. That's how Stuxnet happened, basically. So the TAO, I mean, people asked me, they knew that I was doing this book. So they said, what can I do to protect myself?
And I said, well, look, if all you're interested in is keeping out, you know, petty criminals and kids trolling the net, there are things you can do. There are things you can do that are pretty effective. It's like putting a good lock on your door, you know? And it's worth doing. But if somebody who really knows what he's doing really wants something that you have, and especially if they're a nation-state, if they have the resources of a nation-state, there's really nothing that you can do. And, in fact, you know, the Pentagon, this is skipping ahead a little bit, but a few years ago the Defense Science Board had a special panel on cyber warfare. And they concluded that, they talked about in one quote the inherent fragility of our architecture. It's the same thing that Willis Ware had been talking about in 1967. The inherent fragility of our network. All of these things that had been built up over time. They reported, they looked at the records of a lot of red team/blue team war games, and the red team was tasked to hack into the command control system, the blue. They always got in. They always got in. So now the buzzwords in Pentagon circles for this, they don't talk about prevention really much anymore. I mean, you do, you try to, you know, you don't just leave your doors open, you know? You do lock them. But they're talking about detection and resilience. The important thing is that you can detect when somebody is hacking you really fast, and resilience, you can kick them out and then repair what damage has been done very quickly. That's what they're talking. They're saying the game is lost on keeping people out. I mean, yeah, again, you don't want to give up the game, but they're going to get in. They're going to get in. And, in fact, this I learned after I wrote the book, so it's not in the book. The Navy, for example, is now teaching people how to use a sextant to navigate with the stars because they figure the data links to GPS might be hacked.
And there's a lot of worry about, because, you know, our entire qualitative advantage in the military is built on things that are networked. And they can hack into that, then, you know, it's back to, you know, M1 tanks and M16 rifles. I mean, what are we doing? So that's what people who think about this inside the military are very worried about.
To pick up on that resiliency, I mean, one of the, one of the other themes that intersects with it is this dual-use nature of cyberspace.
Yeah.
And which raises, I think, the important question of what this means for the nature of warfare going forward. If it's all about information and the adversary can attack civilian systems just as easily as military systems, which may not be as well protected, what, what does this mean for, if you're a student of national security? Is it a game changer?
Well, it could be. I mean, you mentioned, you know, there are a lot of vital military networks that are unclassified. Transportation, logistics, you know? Somebody once said logistics is for professionals, strategy's for amateurs? Yeah, logistics. How do you get supplies over there? How do you get to do, how do you get water? A lot of that is on open networks. And they played war games where people mess with that, you know, the air task orders, you know? They go over here instead of over there. Or, you know, supposedly a plane is supposed to meet up with a refueling plane, but the refueling plane is way over here, so it crashes into the ocean. You can do a lot of funny business, and in a way that you don't even know that anything's happening. So there's that sort of thing.
In terms of the vulnerability of infrastructure, which is where all these things blew up about, you know, the idea, and I don't know how much I really buy this, but the idea that, you know, there's a scenario in some war games was with, you know, China is exerting pressure on Taiwan or in the South China Sea, and they say, okay, you take your aircraft carriers out of here, or we're turning off all the lights on the eastern seaboard. And maybe they do. And then what do you do? As China becomes more plugged in, you know, deterrence begins to set in because we can do the same thing to them. A country like North Korea, Iran, in this kind of thing, they don't have anything to hack so, you know, what is the response in kind? I don't know. But things like that can conceivably happen, and the interesting thing about civilians for a second is over the past few decades as the military has become more aware of this, they have reduced the number of intersections between their own networks and the outside internet to about eight. Used to be 150, now it's 8. So the NSA can sit on those intersections. And they can do that legally because they have the legal right to do this with the military installations, military networks. So they can actually see when somebody is coming over. It's pretty good. Civilian, even civilian government, there are hundreds, there are thousands of these intersections. There's no way that you can, even if the NSA had the legal right to do this, which they don't, there's no way, or the Department of Homeland Security, which supposedly has, they now have the statutory right and power to do this, but they're really out to lunch on all this stuff. So there's nobody that can do this. So this is what has led to a policy of cyber offense.
Quite a long time ago they came up with these three terms, computer network defense, CND, computer network attack, CNA, and then there's something in the middle called computer network exploitation, CNE. This is a twin-edged, a dual-edged sword. You want to get inside the other guy's network, roam around. You can say this is actually, in fact, defense. It's really the only way I can tell whether they're planning an attack. At the same time, it's just one step short of computer network hack. You're in there. All you have to do is push a button, and you're attacking. Okay. We're into their stuff, they're into our stuff. It's kind of generally accepted that they can do this. And that we can do it to them and they can do it to us. To what extent, how much, I don't know. But one reason they're able to do it is that for years, ever since back to this Reagan plan in '83, this directive and then the Clinton plan as well, they've tried to get critical infrastructure which is all privately owned to kind of, you know, man up on this and get some security going. The banks have actually done pretty well because, you know, what are banks into? They're into taking your money and making you feel trust, you trust that your money won't get lost. So there are actually some very good information security departments within banks. And while we hear a lot about hacking into banks, there are thousands of attempts per day on, like, Chase Manhattan. But not very many get in. But power companies, electrical power grids, you know, dams, things like this, they really still aren't paying much attention because first of all, okay, you've given us some advice on what's best practice, and maybe I'll spend 10 million getting there, but it seems to me the bad guys will just work some way around that. And besides, you know, the amount of money it costs to do this preventively isn't that much less than the cost to me of cleaning it up afterwards, and maybe I can get you, the government, to pay for it anyway.
So they have no incentive to do it. And one thing that Dick Clarke tried to do when he was in the White House was to lay down some mandatory security requirements for critical infrastructure. But lobbyists always resisted this. The secretaries of treasury and commerce always resisted it. Because, you know, you're going to impede R&D, you're going to make their servers slower, it's going to reduce their competitiveness. All of which is true. I mean, you know, these people aren't evil, but they have their own self-interests, and their self-interest is contrary to what this kind of interest is. And we've observed over the last few years the regulators have actually gotten more interested in this space. Yeah. It wasn't until I read your book that I appreciated just how far back this tension between... yeah, definitely. The DOD and the rest of government on exactly how involved... right. I mean, for example, President Obama... yeah. President Obama just signed something called the Cybersecurity National Action Plan which if you read the book, sounds a lot like about eight or nine other commissions that have been formed or planned over the last 20 years. He's done a few things interesting in this one that haven't been done before, but one thing he's done, it's half a good idea. He created something called an information security, a chief information security officer for the whole federal government. But the thing is this guy, there's no executive order giving him the power. So this guy, it's kind of like the director of national intelligence. He's supposed to sit atop all of this, but he doesn't have any authority to hire anybody or fire anybody or set budgets. A real guy like this would have the authority to go to an agency which is just flopping off, and they have passwords like 12345 and say, okay, I'm taking you off the internet. Your accounts are finished, you're off the internet, and you have a month to fix this. Nobody has the power to do that, you know?
You know, one thing that several people told me is that they learned just the executive branch in general, maybe some of you know this, people go into the executive branch and they say I'm going to set policy, I'm going to create policy. Well, about 10% of it is creating policy, and the other 90% is implementing it and then going back time and time and time to make sure it's still implemented. And this implementing part is what has, again, except within the defense realm, is what has always been lacking in this. And, again, this is something that's not new. It didn't start with Stuxnet. It's something that has been known on a presidential level for more than 30 years. We hope that Michael Daniel and his wife were here a few weeks ago as part of the rollout to, and in fairness to Michael, what he would tell you is one reason to set up a commission is to sort of not necessarily create new ideas, but to take ideas that everybody has and build bipartisan... when it works, it works, you know? This commission that I talked about, that really did have some impact in the early '90s. But sometimes it's just a way of sloughing it off, you know? And I think for all of us, we're rather hoping... but in this case, I mean, it's a little late. This thing is going to land on the doorstep of the next administration. I mean, the commission, they mix fixed the commission. The head of the commission a few weeks ago. I don't know if other commissioners have been chosen. They don't have clearances. They have to be vetted. They have to find a space to work. This could take months. So let's say it'll land on, it'll be completed on January 17, 2017, and treated by the next administration the way that everything from the previous administration is treated by the next administration which is something to, you know, put your wobbly desk on top of. Once the new administration's gotten into office and they've readjusted the furniture [laughter] you arrive, present a copy of your book.
What lessons should they take from that about how they should go forward? What can they learn from the history that you've just written? Right. You know, I don't write books that have explicit policy directives at the end. I wrote one book kind of like that. But, yeah, they would look at that. Well, again, I hope some of the lesson is taken from the subtitle. There is a long history of this. This has been going on for a very long time, and read the histories as you would case studies and see why this actually led to something and why this didn't lead to anything, and try to make it seem more like... I think one thing, you do need, I think, and just to say just ignore the resistance, something like this, you need somebody in the executive branch who does have a lot of power. You need, you know, they now are called... czar is one of the most overused words in Washington. He's the energy czar. You need to create a czar who has direct access to the president. And a president who at least is kind of interested in this. I mean, the problem is, of course, I mean, I don't know how these people who work in places like the White House, I mean, I wouldn't be able to stay awake, you know, with this kind of schedule. You've got 20 crises hitting you every day from 30 different subjects. And so, and then somebody comes and says, you know, we might have a problem with critical infrastructure. It's just like [laughter] excuse me, I've got people being kidnapped and killed over here right now. Your 30-year plan on cybersecurity, let's... it's like that scene in All the President's Men where they're at the editorial meeting and one of the editors, man, I think home rule might really have a chance right now. I think we ought to put this on the front page. Yeah, well, it still looks very theoretical to a lot of people.
And it looks something distant especially, and when you have crises building up where something has to be decided tomorrow, you know, it is very difficult to focus your attention on something as complicated as this and for which there doesn't seem to be an obvious solution. You know, there's something, okay, yeah, let's flick this switch on. If it were that easy, yeah, it would have been done a long time ago, but it's not. We have a room full of people who are focused on this issue, so now is an opportunity to take some questions. So please, when I call on you, identify yourself, give your affiliation, keep your question short, end it with a question mark. Gentleman in the maroon sweater. Yeah. Ken [inaudible] a few months back three major computer systems, Wall Street, United Airlines and the Wall Street Journal, all came down more or less simultaneously. Do you think that was coincidental? I mean, I don't know. Some things really are coincidental, you know? But I think the Wall Street Journal, wasn't that the Syrian Electronic Army or something like that? That's what I remember. I mean, the thing is there are now about 20 nations whose military have explicit cyber units. I mean, some are better than others. I don't know how much cyber... the cyber Electronic Army is very good at hacking into the New York Times and the Wall Street Journal. Although, you know, some of them, I think the New York Times has now hired FireEye to do their security, so maybe it's a little harder to get into now. So, you know, I don't know, and I don't know of anybody who knows, and I don't know... you know, another thing about, you know, if somebody launches a ballistic missile at you, you can kind of trace the arc. You can see where it came from. They're getting much better at tracking cyber, but, you know, you're launching a cyber attack, you can hop from one place to another to another, and you can disguise where you came from, ultimately. They're getting better at tracing that.
But it's still not a 100% thing. You want to know the reason why we know that the North Koreans attacked Sony? Any yeses? [laughter] Yes. Well, basically, they weren't doing this in real time, because there was no reason to. But we are so infiltrated into the North Korean computer network that going back into the files, the elite NSA hackers could actually watch on their monitors what the North Korean hackers were watching on their monitors while they were doing the hack. In that case the FBI said we have extremely high confidence that North Korea did this which is unusually certain language in these things. And you remember initially a lot of computer experts said, no, I don't believe it. This looks more like an inside job, can the North Koreans really do this. No, they absolutely knew, and that's how. Gentleman right at the back and then this gentleman here and then over here. So we'll... gentleman back [inaudible] Hi. My name's Ethan Berger, I'm with [inaudible] and I'm wondering if you looked at the commodities sector in terms of the stock market, the commodities exchanges, etc., because from my perception since just a bunch of numbers on a screen, you're free to mess up the economy of a country, and if you're a foreign power, do a lot of damage to a country's economy. Oh, yeah. I was wondering if you looked at it or if you know people or who are. It wasn't the focus of my book but, sure, that's part of it. And, you know, one thing that's interesting, the intelligence community knows how to get into every foreign leader's bank account. They know where the money is being kept. They can mess with it. They have made an explicit decision... in fact, there have been proposals, you know? Mr. President, we know where Milosevic's bank account is. Mr. President, we know where Putin's bank account is. Mr. President, we know where Saddam Hussein's bank account is.
And there's been a decision made by the cabinet that, no, listen, we do not want to go down that road, because it can go the other way. Now, they did mess with the bank accounts of Milosevic's cronies. They can do that sort of thing. But there's an explicit decision because of the backlash. They don't want it happening to us. Now, does that mean somebody could do it to us anyway? I mean, look at OPM, you know? Office of Personnel Management. They have everybody's personnel records which were not protected at all. And, you know, that kind of thing, remember, they asked Clapper about this. And they said what kind of retaliation are we plotting against China for doing this? Well, you know, this wasn't an attack, it was an intelligence operation, and it's similar to certain things that we do sometimes. I don't blame them for getting into this ridiculously unprotected network. [laughter] It's not like they were attacking anything, they were just getting information. It's like intelligence or... but on a grand, grand scale. But in terms of messing with the stock market or voting tabulations or... yeah, no. It's all out there and open, and, you know, or we don't know. This has been going on for decades, as I keep saying. And there is only now a Defense Science Board panel writing a report on cyber deterrence. And one of the things that they're trying to do is to define what that means. You know, what are you trying to deter? Is it really the government's responsibility to deter an attack on a bank? Or two banks? Or ten banks? Is it just government facilities? How do you define what... you know, with nuclear deterrence it's pretty clear what deterrence means. Cyber deterrence, so what are you trying to deter, how big an attack? You know, at one point, Robert Gates asked at one point when he was secretary of defense at what point does an attack like this constitute an act of war?
And two years later the lawyers in the Defense Department wrote back, well, yes, under certain circumstances this could be [laughter] they didn't define it because nobody has. It's not, it's not an issue for lawyers in the Pentagon to define. There has not been... and, you know, with nuclear weapons there's a very, very thick red line between using nuclear weapons and not using them. And that's one reason why nobody has used them in the past 60 years, because you don't know what's going to happen afterwards. But cyber, there's cyber attacks going on thousands of times a day. And nobody knows where each individual country's cyber line or line of attack is. I mean, the first time that a president said we are going to retaliate against this attack that just happened was when the North Koreans attacked Sony over a movie. I mean, who would have thunk that, right? So there are many opportunities for misunderstanding, miscommunication, things getting out of hand because one person's nuisance turns out to be another person's grave national threat. And then what happens on day two? I mean, nobody... people... I mean, I was interviewing this one guy pretty high up in intelligence. He's, I'd interviewed him a few times before. We sit down, he says what's your thinking about cyber deterrence? I said, well, I don't know, I've been trying to find that out, nobody seems to know. That's a shame. I'm on this DSB panel on cyber deterrence, I thought you might want to be on it. I thought, oh, my God, they're considering... I would never do it, of course, because it's classified. They're so desperate, they're asking me if I'm interested in joining this Defense Science Board on cyber deterrence. It's something they have just not thought through. And part of the reason is that for decades this has been tied up in the NSA which, you know, the joke used to be that the NSA stood for No Such Agency and the most classified.
And so even when the bomb went off in 1945, certain things about that were classified, but the general workings and certainly the effects were well understood. And from the very beginning, you had civilian strategists thinking about, well, what does it mean? How does this affect war? What does deterrence mean in this context? Can we use these weapons in a war? You had serious people who were not wrapped up in highly classified things with the military thinking about this and having influence. In cyber until very recently you have to have, like, a top clearance. So there's nobody who can think about this who is really in a position to think about it seriously. In fact, the title of this book, Dark Territory, I'll tell you where the title comes from. It's actually a pretty good story. When I write my book with, I always say the title will emerge from my notes. Never does. But this time it did. I was looking over my notes from an interview with Robert Gates. He was talking with his colleagues, and he's thinking, you know, we need to get together with the other major cyber powers to figure out some rules of the road, you know, what kinds of targets we can't attack. Even the depths, the darkest depths of the Cold War there were some rules. You know, like Americans and Russians, they didn't kill each other's spies, you know? Something as simple as that, it just didn't happen. There's nothing like this. We need to tell people, you know, we're wandering in dark territory here. I said, there's the title of my book, Dark Territory. Then I looked it up, I did a Google search, what does this mean? I don't want to have some obscenity. [laughter] So it turns out that this is a term of art in the North American railroads to signify a stretch of track that is ungoverned by signals. And I'm thinking, wow, that's just perfect. That's a perfect metaphor. So I wrote him an email, I said, did you know this?
He said, oh, yeah, my grandfather worked as a station master on the railroad for 50 years. We talked railroad terminology around the house all the time. So that's where... it's a perfect description of what's going on except that, you know, the stretch is much bigger, the engineers are unknown, the consequences of the collision are far more cataclysmic than, you know, two trains running into... that is the situation we're in. So I have no interest in speaking for the U.S. government, no right to speak for the U.S. government, but I think they would say there are beginning to be some elements. The State Department is doing some work establishing norms in relation to the Chinese. They're talking about, they're talking about setting up a forum to discuss a process by which they can discuss rules of the road. I mean, it's kind of that far out. But now, you know, that was... Gates said this when he was talking about there's Russia, there's Israel, there's France, there's China. Now how do you bring North Korea and Iran and Syria? How do you bring these guys into this cooperative back room, you know, the five families meeting, you know, in a back room space to discuss how to divvy up the heroin market, you know? How do you do this now? It's a tough one. There's a document, one of the documents that Snowden put out, something called PPD-20 which was cyber operations policy. And it had certain things that different departments were going to do. And one of them was precisely this, you know, setting rules of the road kind of thing, State Department. Then there was a progress report like a year later, you know? Pending. Progress report for this was pending.
It's the hardest thing in the world to do because the other thing is we don't, you know, if you're going to say, okay, let's stay out of each other's whatever, you know, electrical power plants, that means you've got to stay out of their electrical power plants too, and how can this be verified anyway? How do you know that they're not... the one time, the first discovery of a known intrusion into a classified network happened in 2008. It was an operation called Buckshot Yankee. And they discovered Soviet, Russian IPs and other things inside a classified network of U.S. Central Command. And the way they discovered this was they were pretty correct they had the entrance points blocked. And somebody in the NSA said, well, you know, what if somebody's already in there messing around? We ought to just go look through the networks to see if anybody's in there, and they discovered somebody in there. So if they hadn't gone looking, maybe he'd still be in there. So it's a very, you know, we're talking about things where you've got zillions of lines of code. There might be malware taking up 150 lines of code. So how do you even detect it? How do you detect 150 lines of code within something that's, you know, millions of lines of code? It's very difficult. Should just say Buckshot Yankee caused a significant... if for no other reason than it leads at some level to the establishment of U.S. Cyber Command. Within 24 hours they had devised a solution, tested, and put it in motion. So watching this from the Pentagon, Monday morning people are alerted to this and counting the number of computers that might be infected and saying this is ridiculous. Here I am, this has been going on... so he did what people have been urging him to do which is Cyber Command and put the director of the NSA in charge. That is when the unity of offense and defense happened. The problem with it, offense and defense, same technology. The only company that knows how to do this... everyone else is completely out to lunch.
The problem is we now have 7 billion linked with all the commands, they are devising war plans, they have written battle plans, all kinds of attack plans, tens of thousands of people assigned to this. Go to the military academy, it is cyber. Yet as I was saying a few minutes ago no one knows what they are doing. No concept of deterrence or what happens the second day of a cyberwar, so this whole machinery is incredibly classified, this machinery growing up, way advanced in the technology field before the thinnest layer of policy and strategy have been cemented, so that is a dangerous thing. The gentleman in the middle and the gentleman at the end. You answered my question. The gentleman in the white shirt. Dave Spencer, Georgetown student. What do you propose we do to respond to strategic level cyberattacks? And that was it. What do you mean by strategic level cyberattacks? An actual cyberattack rather than cyber espionage. On what? Strategically, hypothetically in this situation, not energy but another critical infrastructure sector, say transportation. If I knew the answer to that... one thing that is true about our economy, it is not centralized, so if you shut down the subway system in New York it doesn't much affect what goes on in Washington or San Francisco. Some countries, shut down transportation like Tokyo, you really mess things up, but electrical power, they are expending the smart grid which is like stupid grid for cyber purposes, it doesn't take up the entire country. In some ways, you know about data. Everything is hooked up to computer networks and this is done for rational reasons, it is cheaper, more economy of scale, you have everything monitored by sensors and it all makes perfect sense. I can't remember what the initial stands for but everything is controlled by computer networks. They didn't shut down the centrifuges, they manipulated the control devices governing how fast the centrifuges were spinning.
It was a control device, same thing, something controlling the amount of water going in and out of the dam or the amount of voltage flowing through the electrical line, so you are dealing with that. In some ways, once these networks are set up it is hard to come up with a way to defend them. The trend in economics and commerce is to make them more and more centralized. A company would want something going on in the entire Southwest region of the United States controlled by this one set... when this was done, it was to go talk to industry heads, what are you doing about security, the head of some train company, they looked at them, what do you mean? Have not even thought about this, so you can make these networks more secure but more secure is not more secure and it may be the barn door has been opened for years and the cows have all escaped. Short of starting all over which nobody is going to do... it is like when a company, companies do this, they control... sometimes they go to the government. What can you do to help us, and they will say well, one thing we could do is have the FBI, which means the NSA, sitting on your network. Do you want us to do that? And they say no, not really. Or we can give you some ideas. The things Obama has set up, information sharing ideas, some things we do, coming to the secret level briefing and here are some tools you can use and here is what we do in the Justice Department, go do that, but again that might work. This was a tough one. This is not a book with a terribly happy ending. With people talking about that, we haven't seen a devastating attack, you might argue there is a deterrence but not deterrence within cyberspace. We have said, the government has said we reserve the right to respond to a cyberattack by non-cyber means. There is a certain amount of deterrence, Russia and China have more of their stuff hooked up to computer networks.
The more this happens, mutually assured destruction, it is the wandering in dark territory part, there is no solid red line and that is where it goes haywire. So let's work our way back. Wait for the people. Frank, question. In many areas the US is the technology leader. Everything I have seen suggests government's slow. As far as you are aware, has the government done anything to create classified, clean room or any safe environment for our technology leaders to be talking to them about what they are working on so the government can be aware and leverage that? There has been that sort of thing in some defense industries. There was something created, the Defense Security base... there are lots of interchanges, Lockheed Martin, three defense companies left, doesn't require that much, but in recent years again, there are information sharing systems, this is what you do, but no, when Dick Clarke was the cyber guy in the White House, he has a certain authority you could say, he wanted to control everything and he wanted to lay down mandatory security requirements and create something called the FIDNet, basically an internet for critical infrastructure where their internet would be hooked up to something like a government agency which would be able to tell when they were being hacked and they can come to the rescue. Private industry didn't want that and the Commerce Department didn't want it and the Treasury Department didn't want it. That idea kind of went by the wayside. It is hard... you have to accept the whole package and most people don't want the whole package which is why the NSA by statute is prevented from doing certain things. And the domestic context, unless they have a court order or a letter signed by the attorney general. There are some very good people, I would say the head of private industry in certain respects in the NSA, they cannot show their stuff. Lockheed Martin is slow. They are slow. Speak into the mic please. Saying the blockade is very slow.
Thinking that the government should make the effort to do what they can to make the fact that innovative companies like mine are leading and make them comfortable with what they are doing because it would be an advantage for the US. Again, a big corporation, hard to do that. One of those hackers in my book had to work for dartmouth for 18 months and created numb 1004 projects, the most expensive of which cost numb 100,000, all kinds of different things in cyber security, that experiment where the guy hacked into a Jeep Cherokee to show this is vulnerable, you got to do something about this but it... I have always thought the Obamacare online program, they gave it to an aerospace company, what they should have done is picked the top ten graduates from Caltech and MIT, given them a couple hundred dollars apiece and put them in a room and said this is the task, work on it. That would have been a much better way to do that. Absolutely right. It is too bureaucratic and it takes a couple years to get a system going and there have been three cycles of upgrading the offense defend cyberarms race. Ashcroft has been in Silicon Valley and announced the establishment of an advisory board with the chairman Eric Schmidt. Yes. Also Wednesday at the conference we presented the secretary Suzanne Spaulding from DHS, talking about public-private partnership. Retired physicist, spent a lot of my career at IBM. If I look around in the Defense Department, a very vulnerable place to attack or intercept signals would be the drone program. You would think those signals are somehow going over the air someplace and be subject to fiddling with. Are there any stories about that happening? There have been rumors. The thing about drones is they are very localized in one area. There is a signal that goes from the command post in Nevada.
Even so they would have to have hacking certain things, they would have to have certain things located where they can get into the signal and in fact there are redundant signals, they change channels, and also is it really worth it? Is it worth expending a lot of effort to get to the signal of one drone that is going to attack something, or maybe even signaling a drone that is just doing surveillance. It is a lot of effort to go after one thing that is not going to do much to your own interests. But that is a localized thing. If you are talking within the network, for example, I will give you an idea. One of the earlier players, something just created at the time called 690, information warfare, they had a little wargame with command and control, the things I was talking about, they mess with the air traffic orders, didn't get the water in time. That could be done. That is very vulnerable. The thing about drones is it is a very narrow bandwidth and they change it a lot to one thing and maybe there... if they really wanted, they thought there was something we needed for national security purposes. They could have sent a letter to the NSA, they could have gone to the attorney general. And it did not require the process. They can same time, Apple basically... what the FBI was trying to do and Apple was right about, they are looking for a legal precedent that gives them authority to do this sort of thing. Before encryption and for law enforcement, it is not possible. When this started happening I talked with a number of people. It might have hackers and the intelligence agency and I am pretty convinced there is a way Apple could have cooperated without having to write a new operating system which they say they were being forced to do and it violates First Amendment rights and commercial energy and everything.
The way this works, they don't want it to unlock the phone, which Apple has done 70 times, so the principle of don't want to cooperate is overblown to begin with, but there is a security feature if you type in ten passcodes and they are all wrong... what the FBI could do, you create a program, we don't have to be in the same room, it is a race after 1000 tries or 10,000 tries, you could come in, they are commercially available programs, brute force, 5000 passwords a second, eventually you get it, but we have to have you take away this layer. I am not a computer scientist. I don't know. I am told by people who were very much on Apple's side of this that there were ways to make that change without finding a new operating system. What they are concerned about is once they succumb to this, that could be the precedent for succumbing to other things, the thing the FBI had you do, we want you to do that. The Chinese could do that anyway. Don't know why you need the president or the FBI. It is a peculiar case for Tim Cook to make this, very much on Apple's side. Talking about no privacy rights, didn't own the phone, San Bernardino County owns the phone, they have proven their concern, doing whatever you want and talking about a guy who shot up a room full of people in touch with ISIS, for legal reasons, constitutional reasons, practical reasons and political reasons it doesn't look like a great case for Apple. Also their bigger brethren in Silicon Valley are writing briefs. Here is the thing. If you have a contract with the government, which Apple doesn't, you want to sell the operating system, the security director of the NSA, the first Windows program, 1500 points, they help them patch it. They left a few open they can get into later and Microsoft knew that and were fine with that. A few years ago Google, their Chrome system, was hacked by the Chinese. The NSA helped them, there has been a two-way street.
When this came out, liken it to where I am shocked there is gambling going on here, then they bring his winnings for the night. There is a little hypocrisy. Tim Cook, partly a commercial brand but he believes in this strongly. Someone at NSA said they often go to the company, talk about some interests and issues of mutual interest, Tim Cook never had one of these, he is not interested. This industry of libertarians, aiming for purity. They elevated this battle for a principle, the other side, let's say they win the court battle, what I'm worried about is somebody passes a law, Senator Feinstein has co-written a law that would require companies to strip away their encryption and present a lawful warrant. That is going farther than what the FBI wants Apple to do. My worry is especially in the climate of terrorism and people worried about elections where they are soft on terrorism, the backlash could be really severe. Not quite sure why he decided to make a big political issue of this. We have a member of the president's review group and Michael, both featured in Fred Kaplan's book. Thank you for joining us. Final word, what is the one thing we should take away from your book, the one thing people should understand? It is a lot of fun to read. How many cyber books can you say that about? Thank you very much for coming. [applause] [inaudible conversations]
Welcome to BookTV live coverage of the 21st annual Los Angeles Times Festival of Books held on campus of the University of Southern California and we will be here all weekend. You will hear from authors discussing National Security, women in politics and much more. Plus there will be several other call-in opportunities as well. For complete schedule, booktv.org, or follow us on Twitter at @booktv or Facebook, facebook.com/booktv. We will be posting festival updates and behind-the-scenes photos on social media sites.
We kick off our coverage with a panel on publishing live from the Los Angeles Times Festival of Books all weekend on BookTV.
Hi. I wanted to welcome you to this morning's panel on publishing, the big picture. Thank you for coming. I have a few words from the festival organizers. Please silence all cell phones during the session. Personal recording of sessions is not allowed. My name is Betsy Amster. I'm going to be a model list panelist today, your moderator. I am a publishing lifer, which is to say I have only wanted to be in publishing my whole life and I have been in publishing pretty much my whole life. I am a West Coast agent, started out in publishing as an editor at Pantheon. I wanted to introduce our panelists. I will start with Tom Mayer, Senior Editor and Vice President at W. W. Norton who publishes literary fiction and nonfiction including history, politics, music,