Transcripts For CSPAN2 Book Discussion On Cyberphobia 201601

CSPAN2 Book Discussion On Cyberphobia January 30, 2016

Good afternoon and welcome to sight and sound. I am the associate director of studies here. It is my pleasure to announce a discussion between myself and Edward Lucas and his book Cyberphobia. It holds great interest for the audience. One is our own personal security of your computer and bank account and other things. The second thing he deals with is the massive security issues involved of all that you can imagine and how cyber can affect the nation's census, utilities and security systems of all kinds and I think we have seen many examples. Mr. Lucas is a senior editor at The Economist. He has a long career in Russia and Eastern Europe. One book I am familiar with is The New Cold War in 2008 and a revision in 2013 and a third in 2014 which you take a look at it and you will see many of the things he said earlier are even more true or true now that were predicted back then. The subject is Cyberphobia and I will have Mr. Lucas talk about the book and we will engage you in the audience with questions and we will have a general discussion. We are good here until at least 6:00. With that, Mr. Lucas.

Thank you very much indeed first of all for having me here and all of the people involved in organizing this. I presented The New Cold War in 2008 and it was a skeptical audience then. The difficulties in Russia were just being questioned. And my message is quite a gritty one. I think we have designed the internet putting convenience and low cost and innovation and we have been doing that for 20-30 years. As a result we have vulnerabilities in the system.
Badly designed networks, disorder, which can be displaced any of the numbers of spies, hostile militaries out there and the pranksters and the crooks. It makes sense to divide them up into those passages when looking at them as threat actors but many of the tools they are using are similar. And people did say to me when I first started writing this, why are you turning your attention from European security to internet security? And actually, as I started researching this I became more of the parallels that we built up with the European security at the end of the Cold War based on the assumption of good will and trust. We all get on. We have difficulties but we can resolve them and this was based security order are a lot of cooperation and dialogue and work into the future. That is the way we set up the internet assuming at the beginning it would be for academic purposes. We never thought about questions of identity and never thought about e-commerce. It was against the rules to use the internet for commercial purposes back in the beginning. If anyone said back then this is going to become the central nervous system of lives and he will use it for banking and infrastructure and other things people would say it is not designed for that and are you sure? But we went down it because it worked. It is cheap, convenient, flexible and you can develop it. Now we are stuck. I think the first message is it is going to get worse, a lot worse possibly, before it gets better. We have become accustomed to serious breaches. If I said AT&T would be hacked and 20 million files would be stolen people would say what is hack? But we have breaches happening all of the time now so it is difficult to determine even. My friends at the FT and other papers say mega core was hacked, maybe the Chinese, maybe criminals, we don't know. And most of the organizations say why is that different than the breach from the story we ran last week.
So breaches are normal is the idea but they are not. Tens of billions of dollars a year are flowing out of our pockets into the criminal economy. I am skeptical of the cyber company numbers. People are talking about 500 billion a year. And that is not just a loss to us but a large chunk of it is going into the pockets of some of the worst people on the planet. People that would like to do us harm. The first thing I think we have to do is start speaking English, English or Russian or any normal language people speak. The most important feature of this book, and maybe what makes it different from any other book, is I didn't use any computer jargon. The word cyber appears twice in the book. Once in the title and once in the gloss. We have simple messages that get across complicated ideas in public health and change the ideas. We have simple messages. You don't need to know the difference between a pen and a gasket to be a safe driver in a car. We are not there. The solutions for problems we have are not primary or technical. We kind of learn what we need to do and I will get to that in the Q&A and tell you things like identity insurance, better network design. The problem is changing tuned behavior. The packers are humans and we need to determine and get into the criminal economy and disrupt it and raise the cost of doing business. We need to say to people who are hurting and people who are scared should be scared because when people are scared and hurting they change their behavior whether it is individuals, companies, governments or anything else. I will stop there and I look forward to robust questions. If you read the book and think it is rubbish, please tell me. If you haven't read the book and still think it is rubbish that is okay. If you want to ask a question about Russia that is okay too.
We will kick off with questions if I could just have you pursue the issue you mentioned about some of the simple measures that take place and although the gloomy prognosis, are we in a period where we will talk about the wild west, I mean western United States in the 19th century and other wild west? In other words where they are sorting these things out and it will take several years as these things become uncover and based on where we were 5-10 years ago we were moving in the right direction by government or personal? Or are we really marking time and looking way ahead?

The criminal economy is getting more and more sophisticated. When I first started writing this book I was impressed by the idea you could sell malware on the dark web and there was an after sale service. There is a basic help line which is how can where make it work, and second which is help me treat this in a particular way, and the third line is can you help. So I think the threats, the surface number of things that are vulnerable to attack is increasing. The criminal economy is getting far more sophisticated and to use the wild west line we don't have the sheriff or the posse or the visualization. We know there are criminals out there looking to attack but don't know who or what they will attack. I think we have to start at the very basic level of making people feel this is not this is the fundamental thing. Thing is different from any real world analogy. This is something the public find hard to visualize. A million computers whose owners have no idea that link they clicked on is taking that little bit of memory and then made the computer to do something to spread malware and the person this might be costing five cents a year in terms of cost. Why should they work? You can be a carrier of a disease that is not hurting you but hurting others. If you have a communicable disease they will keep you locked up but we have not transferred that to computer.
When Estonia had that major attack have they taken any steps to correct their huge hack?

I am a huge fan of this country. I think three things are really important. One is that is the beetles attack. This is a crude cyber attack. They didn't knock them over. It impeded things and a few websites went down. But they didn't succeed in bringing the economy to a halt. It didn't destroy their banking system or do the things that the people that launched thought they would do. Since then they have gotten a lot better in terms of defending themselves and looking at the infrastructure and not like that is easy in a country with a million people. So I think the most important prevention tool is they have the fundamental idea of identity insurance down. This is the national ID card there and your identity is in this chip. You don't share that with other people you need to identify yourself to. You type in a PIN code, it clicks with the chip and turns it signal saying this is fine and you give a digital signature. That is a legal binding signature. If you have a digital signature in this country they sign it with a wet signature and make it effortless and email it back to you. This is something that is supposed to be secured. If you want to rent a microphone system, something I am talking on, you want to write that in Britain you hand over our address, date of birth, and a copy of your driver's license or passport. That is enough information to open a bank account. This is actually going to be a breach of personal data because you can you will never get another fingerprint, retina, or date of birth or mother's maiden name. If you hand that over and it is breached you are in trouble. It is much better to the this cryptographic-based identity. If the funny thing about governments, people are unwilling to trust their own government, but if you say this is a service provided by another government you can choose to use it. People have tens of thousands of these since launched.
The Estonian Embassy is down the road and you can pick them up there for 40 dollars or a smaller amount. This is proving who we are and proving who we are doing business with. Civilization is based on the trustful interaction between people that don't know each other well. We use our senses and have nuances and other cues and safeguards and so on that means we can do business with each other. Face to face and also virtually. But we don't have a way of doing that on the internet. You cannot prove who I am and the two of us can't get together and say someone else who they say they are. And these sort of systems I think are dangerous.

You mentioned at least three different aspects of this the cyber phobia. One is draining the computers and the second is getting intelligence for whatever purposes probably not a financial gain unless they sell it, and third I will use an example, Stuxnet that was the offensive use of this. Are those, are we looking at different actors? Such as states and criminal individuals in others? Are these separate enterprises or should they be seen as one pure and whole?

The easiest way to look at this is say there is something only governments can do. High end national intelligence services have amazing capability of ceasing up bulk data. And getting stuff into a keyboard with a key lock on it and then getting that back to some command and control server. Acts of low mobile devices, patching stuff on a computer from a mobile device that is not connected to it, these are pretty sophisticated capabilities and you can voice some bit of them on the internet. You can bound very simple malware and send a text message to where a person opens it it gets in. There is stuff only governments can do. Buying expensive holes in software. These things are 50,000-100,000. The good ones are expensive. But you put those capabilities together and you get the Stuxnet which only really could h e have the American government talked about it so it is not a secret.
It is the least of the worries for our American people. I guess everybody has seen The Bourne Identity. They are great films but they are not documentaries. We are being attacked in a much slower way. So many of the vulnerabilities are if I want to get on to the site network, whether I want to get on because I want to steal stuff or find out how you do invoicing or steal data or change my grades so I do a better job, all sorts of reason someone wants to get on the network. Mostly they are going to same way. France, who has lots of works, find out they worked with the past 17 emails from Gmail and sent an email here are my family pictures; would you like to take a look? And this is very efficient. Links and attachments can be used by anyone of those threat actors. And I think the OPM hack started with targeted phishing attack and got them on the network and once they are on the network you may need tools to try get control over the network. There is this it is this very big lump of simple vulnerabilities that everything falls to.

Let's go to the audience. We have a microphone. If you raise your hand until the microphone gets to you. Yes, go ahead. Just introduce yourself before you ask the question.

Thank you very much for doing this. I am Mark Pender and I work for German national public radio here in Washington. What I am concerned about more than the technical threat of all of those things is the fact that the American government employed someone who didn't have a college degree, got him into the most sensitive systems, and he could manage to get all of those things out and get away with it. Until now I think. So how do you think government or society can protect themselves from those kinds of breaches? The regular things of people actually stealing something.

That is a great question. You didn't mention the name Edward Snowden so it could have been another hacker as well. I think the government likes to beat up industry over security. And they are right to do.
It is scandalous we don't share information better across industries. We need to do a better job about protecting the data that is entrusted to us whether it is data from suppliers or customers or anybody else. And there should be penalties for people who are careless and reckless. Criminal liability. That is all fine. But if you want to see a badly designed network you are likely to find it in the public sector than in the private sector. It is absolutely terrifying how badly protected, out of date systems badly administered by demoralized people. This stuff is happening again and again and again. And I think one can make several points. One is I think this is a very good reason why we should not support any government-mandated attempts to weaken encryption. If there is going to be government-mandated backdoors in commercially provided encryption that will be a fantastic target for criminals and I don't have competence it is like everybody has to give the government a front door key and there can't be any front door the government can't open. And all of these front door keys labeled and kept at the police station. That could be interesting to criminals. So we should be much tougher what we share with governments. And coming back to Estonia, one of the beauties of the Estonian system is they have a federation of databases that are connected by something called the X-Road which is a simple but robust system. It would be really hard I will sought not say impossible but it will be difficult to do it in Estonia. You would need the cooperation of lots of people at the same time in different points to make it happen. I think the final point I would make is why do we keep all of this stuff in electronic databases anyway? This slipped by mind where we have to go into the MI6 registry and steal the font. Now you have to physically get into the registry and distract the person there to stop you from copying files, you have to get access to the files.
If you wanted to steal all of the documents in that registry you would have attack the building with military force and take the stuff away in trucks. And the OPM was like that only 20-30 years ago the Chinese would have needed trucks to take the stuff out and now you can do on a USB stick. One of the big lessons is ask your government why are you keeping this stuff online? You have convenience, absolutely. But is that worth the vulnerability? One of the best stories I have come across in The Economist is the system that buys valuable time because in it you can there is a saying I heard you cannot hack a steam engine. They would survive in a way no other transport would. We have to be prudent about moving away from things cannot be hacked towards things that are more convenient.

Thank you, Mr. Lucas. I study energy and environment here. But I used to work for the Korean government agency doing cybersecurity. I think the recent international political environment has come to this state that international norms are very important in cyber space. But hearing from your example on Estonia and other nations I feel like it is not only the states that have perceptions on cyber space but the states have different cultural norms they expect from cyber space. I kind of want to hear what you think about is it necessary to do the international norms? It is even plausible? Or is it more practical and it doesn't make more sense when we have more efforts that are done domestically within the national boundaries?

It is a great question. I think we are developing norms that very different from 10-15 years ago. A lot of people use capital letters to show they are angry. And that is acceptable now. There are lows now on how we interact. People used to send long emails and now they send very short emails. It is kind of rude to write a long email.
I think that if you look at shipping which is what the folks in the global industry and we develop in the maritime world to get word of emergency and you pick up sea goers because they would do it for you. We developed ways of messages. And days before electronic messages we had flags we would put up to deliver messages. So this stuff does build up on a case-by-case basis. But I think the fundamental problem is the internet is a means for doing other things. So you could get the banks of the world getting together saying we will have very tough rules ab
