Of four books, the new book as some people might imagine. A surprise winning journalist with his days at the boston globe. In a while he s will give a few minutes describing the book and whats in it. Some of the themes and what we might contribute from that and then i will open up to the floor give you the opportunity to ask some questions and we will wrap upqu at 1 45. [applause] ing didnt know what the title s going to be for a while but how long the history is it because most people think that it started with the outskirts of shanghai and no but now in prace goes back all the way to the dawn of the internet itself. This was the network where they would talk with one another in their Computer Program an into there was a computer pioneer who was also on the Scientific Advisory board and wrote a paper that has been declassified since but he said heres the problem once you have accessed from multiple locations. He wont be able to keep secrets anymore. When i was doing my research i talked with this man and asked if they read the paper. I took it to the guys on the team with. Lets just do this one step at a time. They wont be able to do this for decades. Two and a half, three decades the whole systems and networks have grown upe with no provisios for security whatsoever. P so i see this situation created from the very beginning. All of this went on noticed until june of 93 when Ronald Reagan watched a movie about camp david. One of the guys that wrote it, not when coming here tomorrow, his parents were hollywood producers and on the following sunday hes in the white house to discuss the missile. And everybody there were nationalem security advisers. He puts down his index cards and asked has anybody seen this movie. So he turns to the chairman of the joint chiefs of staff and says code Something Like this really happened can someone break into our computers. He comes back and says it is much worse than you think. So, one year later there was a National Security about the Telecommunications Security that went in a strange direction basically written by the nsa. The way they wrote it controlled the standards for all in the United States. Government, military. So they reloaded so they wouldt have security and the Commerce Department would have Everything Else. Of course they had no ability to do this. They had no interest in securing the peace channels. O app that time they were exploiting security gaps. So, for about a decade nothing was done about this problem and i wont go any further but the point is these incidents at the dawn of the internet were extremely unlikely. It led to the systems and programs and the issues and policies and controversies in the decision to persist to this day. This is something that i discovered almost by accident. It turnedy out that im assuming you remember basically they get into the norad computer to something called human dialing, he sets up a system and they dial the phone numbers and when the modem is reached they go back into the computer and its just on some online game. Is this possible. Can somebody from the outside get in. So they called the corporation. He leaves the port open and if somebody happened to dial the number to get in, the only secure computer is the computer that nobody can use so that is the lesson we all learned a. We will be talking to him about for the next movie is going to bedn about. Before we get there, youve written a history of cyber war and when people write about th this, people tend to study so they can get a sense of how to fight battles in the future. What do you think having done your research and writing the book on the offensive team 1983 and now students of the cyber war should look back on and instead of working the battlefield of gettysburg to study for the future. I guess a Pivotal Moment came in 1997. Hed beeshe then the commander f something called san antonio where they were doing things about cybersecurity. He couldnt get any of the other officerse interested at all. Of 25 team members would hack into the departments and would have to use commercial available equipment. So they prepared scoping out the networks and what they would do. People who were victimized, the only people that knew about it for the people doing it and the lawyers. It turned out that within four days they hacked into all of the defensefoac department networks including the command center which is how the president communicate. Sometimes they would just leave as marker and sometimes they would intercept messages like what going on here i dont know whats happening. There was a marine in the pacific who knew something was going on but even if you knew something was going on, what do you do about this they unplugged the computer from the internet. Heres what we found an in heres some passwords we dug out and heres the tape recorder, we just changed passwords. They said whos in charge but nobody was in charge so they set up and within a few months, somebody starts hacking into the u. S. Military. Other people set of data minute, if two kids in california can do this, what other nation states can do this. Then there were the Defense Networks looking around for particular things and they traced it back. Then the chinese started doing it and one thing very interesting when the nsa was in spite of the Defense Department networks they noticed them strolling around so this was already really happening. In 1997. But then there were other thing. Remember when they were planning to invade haiti into favor looking up plans into there was a very rudimentary system. This is when they said i found out that its wired into the commercial telephone system and i know how to. Years later a member played on for weeks and weeks and months. They did some of the same things. They got into the phone system and then they were able to hone in on the plan and the Defense System was why youre afraid of. So it would look like there were planes coming from the northwe northwest. So they would send messages saying we know you own this copper plant we are going to get rid of most such and they would turn out the lights and if you keep this up we are going to bomb you tomorrow. Soso thats how because they wee it threatened by Information Warfare so this is the firsthe Information Warfare. Its about one tenth of what we could have done but after that, we know about some of the thin things. I will give one more en and thae should probablygs move on. When they bombed the syrian reactors they were helped by the north korean scientists they didnt acknowledge it a it is dd to about 150 miles from the territory without being detected even though they just installed the missiles and radar. What happened is they used the program developed by the air force and implemented by nsa to the people looking at the screen for nothing. The radar was protecting so it took a little nerve to continue. They were able to intercept to make sure this worked, to make sure they really were saying nothing, and they were saying nothing. Our screens show nothing. We accepted the idea and this is the only thing i will retractcta bit. It was the change of strategy. Basically they capture and get t into the systems and did things saying lets meet at such and such place by 4 00 and there will be some force is waiting there to kill them or they would detect somebody planting a roadside bomb but then you have to send the data back to washington. Within one minute theyas could target through the techniques they killed 4,000. I remember the first person i asked he looked a little alarmed that i knew anything about it. When the history gets written about this if the equivalent of breaking the code, so its been part of the operation plans for quite some time. [inaudible] they decided they should send a delegation to moscow. Maybe they didnt know that this was going on and it was presented as a criminal investigation seeking assistance from the russian federation. So they sent over thishe delegation into there was a general in the military helping out. We will not stand for this. So they were going to be there for five or six days. We woulde go around sightseeing and then on the fourth day, there is nothing. Can we talk to this guy, hes busy now. We will send you a memo on this. But they realized when they got back from those that happened to him for helping the United States, the military h intelligences coming over and he just didnt know about it. The story that you just pull livlist to the establishment ofe new organizations of the Network Defense and computer operations butna there was a parallel Development Going on in the white house where people started to realize the Critical Infrastructure is vulnerable. Can you talk more about what he was upuc to . As all of this other stuff was going on, a couple years before the Oklahoma City bombings, it led to the policy and they started setting up a joint task force on the Critical Infrastructure working group. So then theres some electrical facilities into something that could affect the entire economy. So transportation, banking and finance and then they decided most working groups like this. They thought its pretty obvious if you protect something from physical damage, but there is this other thing going on, vulnerability to electronic and computer hacking and that sort of thing. So as the report is written, half of it and this is where the term was used, they talked about the two types of vulnerabilities, fiscal and cyber and this i assessing futue somebodyne could do more damage with a keyboard and with a bomb. They were looking at it as a new nuclear weapon. In 97, this analyst named Richard Clarke was put in charge of this and he didnt know anything about computers. They would go to talk to executives and microsoft has a lot ofiv operating systems. But nobodyps knew about anything else and they didnt know about vulnerabilities and the things in between. I dont know how much you want me to get into this but he met them in the square and this whole group is called the law on the second floor of the warehouse in boston and they have stuff and they were able to do things their, replicate any kind of equipment, hack into anything and got changed the whole model. He realized okay you are getting things word you are able to do things that in the white house we have said on th many nationstates can do and clark at the time was chasing Osama Bin Laden and said this will be great for part of my portfolio, cyber terrorism. If they were terrorists they could do acts, so this was the whole cyber war and what it might result in. This one thing thatn. Has not panned out yet. I dont think there are any terrorist groups out there that are able to do things as the hackers are getting paid to do things in theey infrastructure. Is there yet one more iteration where the surveillance becomes a part of the story . Can you talk about the impact of the changes and the technology that takes us up that . Up to about this time, they were intercepting radio signals into that kind of thing. Then they noticed the hippies listening towers over the world and certain parts of the world nothing is coming in anymore. They are not getting any communications because theyve gone to fiber optics and they have no to do this. Somebody that has been a director before wrote a paper for that classified Congressional Committee that was called are we a going to. The cold war was ending about this time, too. The nsa used the divide in the group tracking the russians and the rest of the group. Shouldnt this becomes quite a lot, and this is where we get into the movie sneakers. So, Mike Mcconnell gets into the nsa looking around saying what does this organization to . We are not getting the radio signals anymore. What c do we do . Here is a map of the communication and that you need to look at and the only maps of fiber optics. Okay thats interesting. So for those who didnt see it, its about hackers. Nothing like this existed so there was a kind of ridiculous plots where they get a call from the nsa with a decrypting code and it turns out the nsa people were the criminals and he was working for the government to try to get back. Its one thing where ben kingsley who is kind of an evil mastermind who used to be a College Roommate and theres this whole monologue is about the information. So he sits up in his chair and said this is our Mission Statement now. Since goes back and gets the last reel of the film and has everybody at the nsa watching. He tells everybody to go watch this movie and to even take off the afternoon to go watch the movie. He takes one of the best field offices, brings him back to fore meade, creates a child called the director of Information Warfare and all these kind of may send outfits around the military and this is the Information Warfare center. But what they really did is create the access operation so they figured out how to get into the computers and so they said i need to get into thisis guys email. So we designed the phon where tr the radio signal anymore. It now they created an air gap. How do we cross over to air gap and then theres the information n. Center. They look over and planto a device and with that i would inserts some malware and kept him from that. He said what can i do to protect myself and i said if all youre interested is keeping out petty criminals, there are things you can y do. But somebody that really knows what hes doing and want some that you have the resources of the nationstate. The pentagon, this is skipping ahead a little bit, but they had a special panel on the cyber warfare c and concluded the inherent fragility of thee infrastructure. The inherent fragility. They report it and looked at the record and the red team was tasked to hack into the command control system. So now they dont talk about prevention much. You dont just leave your door open. Y they are talking about detection and resilience. You can detect when somebody is coming and resilience you can repair the damages. You dont want to give up the game, the day are going to get in. The advantage is built on things that are networked and its back to the tang and rifles. So thats what people are very worried about. One of the other things raises the important question of what it means for the nature of warfare going forward. Ithats a lot of information and the attack on the civilian system that may not be as well protected, what does this mean for a student of National Security . There are a lot of networks that are not classified. How do you get supplies, a lot of that is on the open networks. They play the games that people mess with that on the air task orders are supposed to play this up is to meet up with a refueling plane. You can do a lot of funny business with that and not even know that it happened. So, that sort of thing. In terms of the vulnerability of infrastructure, the idea is in the South China Sea turning off the lights of the eastern seaboard of independent becomes more plugged in. The interesting thing about the civilian infrastructure, the military has become more aware ofil this. Theyveav reduced the number of intersections between their own network and the internet to about eight. They can do that so they can actually see when somebody is comingng over. Civilian governments there are hundreds and thousands. Even if they had the right, the department of Homeland Security that supposedly are out to lunch so thats what this led to a good computer Network Defense and attack and exploitation. This is a double edged sword. The only way that i can tel do t they are planning an attack at the same time it is just one step short all you have to do is push a button. Its kind of generally accepted that they can do this. Theres this directive they tried to get the Critical Infrastructures to get some security going that you trust that youwith your money wont g. While we hear a lot about the banks, there are thousands of attempts a day but not very many get in. Youve given some advice on the best practices and th the amount costs to do this is to pay for it anyway. Its for the Critical Infrastructure the secretarys treasury and commerce said you were going to impede to make the servers slover and reduce the competitiveness all of which is true they have their own selfinterestnt they appreciate just how far back. For example president obama on the Cybersecurity National action plan which if you read the book sounds like eight or nine other commissions that have been formed or planned. There is no other executive order giving themti the power. Then you have a month to fix this. Nobody has the power to do that. One thing several people told me that they learned about the executive branch and maybe some of you know this, people go to the executive branch and say im going to create policy. About 10 is creating policy and the other is implemented. They are going back time and time to make sure that its still implemented. It is what has always been lackingg and its always been known on a president ial level for more than 30 years. With reason not necessarily to create new ideas but [inaudible] it is a little late its going to land on the doorstep of the next administration. The other commissioners have a been chosen and they have to find a space to work. Treated by the next administration which is something to put your desk on. What lesson should be taken from that books have explici the boot policy directives at the end. They would look at that and i hope some of them have a history going on for a long time to see how this led to something to make it seem we need somebody in the executive branch that has a lot of power. You need to create a bizarre and its kind of interesting in this. I dont know how these people that work in p