Skip to main content

Assessing The Threat of Cyberterrorism.

The cyber attack at Google's Chinese headquarters in December highlighted vulnerabilities in US network security. James Lewis, author of Securing Cyberspace in the 44th Presidency explains why terrorists see the Internet as the next frontier and how the Obama administration is responding.

49:45

Transcript

*** TRANSCRIPTION COMPANY BOUNDARY ***
..DATE:
20100210
..PGRM:
Fresh Air
..TIME:
12:00-13:00 PM
..NIEL:
N/A
..NTWK:
NPR
..SGMT:
Assessing The Threat of Cyberterrorism

TERRY GROSS, host:

This is FRESH AIR. I'm Terry Gross. The recent cyberattack against Google was a
wake-up call about how vulnerable we are. I recently read in the New York Times
that Internet-based attacks on government and corporate computer systems have
multiplied to thousands a day, and that hackers have compromised Pentagon
computers, stolen industrial secrets and temporarily jammed government and
corporate Web sites.

The White House director of National Intelligence, Dennis Blair, recently
warned that terrorist groups are interested in using cyber-means to target the
U.S. and its citizens.

We're going to talk about cyberattacks with James Lewis. He directs the
Technology and Public Policy Program at the Center for Strategic and
International Studies. He was the project director for the Commission on
Cybersecurity for the 44th Presidency, a project started in 2007 to make
recommendations to the next president about cybersecurity.

James Lewis, welcome to FRESH AIR. Now, Dennis Blair, the director of national
intelligence, has warned that al-Qaida and its affiliates have made it a
priority to stage a large-scale attack on American soil within the next six
months, and there's a growing threat of a crippling attack on
telecommunications and other computer networks. What do you think the odds are
of a major cyberattack in the near future?

Mr. JAMES LEWIS (Director, Technology and Public Policy Program at the Center
for Strategic and International Studies): I still think they're pretty low. Al-
Qaida doesn't yet have the capabilities to pull off the kind of big, disruptive
attack that they really want. So, unfortunately for us, they'll be focused on
explosives and kinetic weapons and the traditional attacks.

But, you know, let's not kid ourselves. Over the next few years, they will
develop these cyber-capabilities. We might become a little more vulnerable, and
we ought to expect something big to happen, certainly in less than a decade.

GROSS: So the crippling cyber-threats that Dennis Blair's referring to, what do
you think they are?

Mr. LEWIS: They exist, and anyplace that is dependent on a computer network
that is connected to the Internet, which is almost every place, is vulnerable
to some kind of attack. But the biggest one that I worry about is the
electrical grid.

It would be possible to disrupt it remotely from another continent, and we know
that foreign militaries have done the reconnaissance they need to do to plan
for these attacks. So I'm not so worried about terrorists. I'm more worried
about us getting into a spat over Taiwan or Georgia and having the Russian or
Chinese military do something bad.

GROSS: Do you think that they already have software embedded in our system that
they could just activate when they want to?

Mr. LEWIS: Probably not, because the way that networks are configured changes
relatively rapidly. The way that people connect things to them or the software
they use changes. So if you put something in place, it wouldn't be any good six
months from now.

What I do think they have is they have the capability to rapidly implant
something or to rapidly identify vulnerabilities that they could exploit to
cripple one of these systems.

GROSS: Now, from what I've been reading, it sounds like Russia largely has
cyber-criminals who do a lot of hacking, whereas China might have governmental
hacking goes on. Is that your reading of it?

Mr. LEWIS: No. I think that both of them are using more or less the same model.
They have very strong, very capable intelligence services, and in China's case,
also the military. And these very capable government services are buttressed by
mercenaries, irregular forces, you know, proxies, cyber-criminals who will act
at the behest of the state. And that's relatively common.

You know, it's attractive because you can deny responsibility. It wasn't me. It
was some patriotic hacker. So I see them doing the same thing - very capable
government agencies supported by strong cyber-criminal communities.

GROSS: What's the closest we've come to what is often described as a cyber-
Pearl Harbor?

Mr. LEWIS: I don't think we have come close to one yet. People have worried
about it for a long time. Time had the cover story in 1993 on cyber-Pearl
Harbors. People have talked about it. They wondered if the 2003 blackout was a
cyber-Pearl Harbor.

You know, if you were going to talk about Pearl Harbor, an intelligence Pearl
Harbor might be more accurate in terms of foreign agencies, maybe the Russians,
maybe the Chinese, maybe somebody else, breaking into DOD computers, breaking
into government computers and making off with a treasure trove of secrets.

That's probably happened a couple times, but that's not a Pearl Harbor. That's
- I don't know what you describe it as - anyhow, a huge incident that was very
damaging to national security.

GROSS: But what you're describing, breaking into a lot of government computer
databanks and getting information, that happened in 2007, didn't it?

Mr. LEWIS: That's true.

GROSS: Would you describe it?

Mr. LEWIS: It also happened in '98, if you were going to be fair, and probably
in 2003.

GROSS: Can you describe the worst of those attacks?

Mr. LEWIS: Well, the Department of Defense, the Department of State, the
Department of Commerce, NASA, the Department of Energy all had significant
penetrations. In the case of the Department of State, I was told...

GROSS: Which - this was in 2007?

Mr. LEWIS: Yes, 2007. In the case of the Department of State, I was told that
the unknown foreign intruders - who they suspected were the Chinese - the
unknown foreign intruders had made off with terabytes of information. One way
to put that in perspective is the Library of Congress, you know, with its
millions of volumes, that's probably about 12 terabytes of information. And so
somebody made off with the equivalent of a quarter or a third of the Library of
Congress - incredible.

Similar episodes at DOD. The secretary of defense's unclassified email was
hacked...

GROSS: Robert Gates' email was hacked?

Mr. LEWIS: Yeah. NASA - I kept hoping they would steal the plans for the
Shuttle because that would - whoever it was, that would put their space program
behind.

(Soundbite of laughter)

Mr. LEWIS: But unfortunately - you know, well, it was worth a try. The -
unfortunately, they stole the most-recent rocket designs, it is alleged. You
know, agencies have not very often come forward and confirmed this - State,
Commerce, DOD to some extent.

You know, there was a more-significant problem in late 2008. In December of
2008, another unknown foreign intruder - but a very sophisticated one, so that
narrows the suspects - was able to break into DOD's classified networks, so the
networks that run CENTCOM, the command that's fighting our two wars. And they
were able to sit there for a few days, and what they did we aren't quite sure,
but that was probably a good example of a really damaging cyber-intrusion.

Some foreign government broke into the classified networks of our war-fighting
commands, and we were unable to get them off for a few days. That's what the
future holds for us.

GROSS: And we have no idea who broke in.

Mr. LEWIS: On an unclassified level, they haven't said anything. You know, on a
classified level, we always have our two favorite suspects. One of my rules of
thumb in Washington is if your dog is sick, blame China. So, you know, go
ahead, blame the Chinese. But we don't know, is the short answer.

GROSS: Now, you wrote a study called - for the Commission on Cybersecurity for
the 44th President. And this was a group of more than 50 information technology
experts in government, industry and academia. What are the main talking points
from this study that you gave to President Obama after he was inaugurated?

Mr. LEWIS: That this is a serious problem for national security, that we are
not organized to deal with it, and the U.S. needs to both organize itself and
come up with a coherent and functional strategy if we're going to beat this
problem down to a level that we can tolerate it.

GROSS: What progress do you think President Obama has made in that direction?

Mr. LEWIS: You know, the progress has been mixed. Overall, we're better off
than we were a year ago, right? And some departments have done very well: the
Department of Defense, the Department of Homeland Security, FBI, even the State
Department. It's kind of amazing.

Where we've had a little bit of problem is at the White House itself, because
there's been some internal disputes over how important this problem is, what
priority it should take, what the philosophy behind our Internet policy should
be. And there's a strong community in the White House that believes that we
don't want more security because it could hurt innovation, or something like
that.

GROSS: Well, there's a privacy question, too.

Mr. LEWIS: You know, the privacy issue is - hasn't come up as much as the
innovation issue. But I think privacy, it always lurks there. You have the
unfortunate heritage of the Bush administration that makes it difficult to fix
some of these problems.

You can't say, well, it's a crisis, so I'm going to suspend the Constitution
and then have people trust you as much as they once did. Even though it's a new
administration, the Obama folks have inherited, as with so many other things,
the problems that the previous administration created.

GROSS: What problems did the Bush administration create in the world of
cybersecurity?

Mr. LEWIS: Number one was the warrantless surveillance program. You can't spy
on Americans in what appeared to me to be contravention of the law and then
say, oh, by the way, now we want to do monitoring for cybersecurity. Trust us.
We aren't going to be looking at our content. It's a good line. I happen to
believe it myself, but you can see how many would be skeptical.

Second, there just wasn't a lot of progress. The Bush administration didn't do
anything on cybersecurity for its first six years in office. In 2007, there
were major penetrations. It launched a program in response, but, of course,
launching a program in the final months of your administration just doesn't
help.

Finally, a big emphasis on the private sector and on voluntary initiatives and
on doing things that would lead people to all join hands and work together
against these problems - and we've been trying that now for more than a decade,
and it just doesn't work.

So the inheritance that Obama got was pretty bad. When he was elected, both the
director of national intelligence and the chairman of the Joint Chiefs of Staff
told him that cybersecurity was one of his top five national security problems.

GROSS: Now, President Obama has appointed a new chief of cybersecurity, Howard
Schmidt, and I believe the military has a new cybersecurity command. So does
that get us any closer to moving towards cybersecurity?

Mr. LEWIS: If you were going to enumerate the positive developments, first,
Secretary Clinton's speech a couple weeks ago on what we want the Internet to
look like, that it should be open and free for speech and that nations should
be able to connect and that there should be consequences for misbehavior in
cyberspace, that was a great speech and that really helped.

The president's own speech on May 29th, where he identified cybersecurity as a
critical national asset that we would use all means to defend, that was
fabulous.

So two very important steps have been taken in declaring to other nations, hey,
this is a serious problem, and we're going to act seriously.

DOD has done an immense amount of work, partially because they're the big
target. Someone at DOD told me that their efforts to penetrate DOD networks
total about 300 million times a day, right. So they are constantly being probed
by foreigners to see if there's a way in. And setting up cyber-command is
useful. It might be a little more efficient. It brings the offenders and
defenders together. But we haven't worked out the legal framework that would
let us use these new military capabilities for defensive purposes, and that's
going to be a hard struggle.

GROSS: My guest is James Lewis. He's a senior fellow at the Center for
Strategic and International Studies, where he directs its Technology and Public
Policy Program. He also wrote the report for the Commission on Cybersecurity
for the 44th President. Let's take a short break here, and then we'll talk some
more. This is FRESH AIR.

(Soundbite of music)

GROSS: We're talking about cybersecurity and cyber-war with my guest, James
Lewis. He's a senior fellow at the Center for Strategic and International
Studies, where he directs its Technology and Public Policy Program.

Let's talk a little bit about the kinds of attacks we really need to be worried
about. You mentioned the power grid, that our power grid is vulnerable. What
about downing the whole Internet? Do you envision the possibility of a
cyberattack where, like, the whole Internet would be disabled?

Mr. LEWIS: You know, people have talked about that. I think there's probably
been at least one probe by somebody - again, we don't know who - to see, you
know, what they could do to degrade the Internet. So, clearly, somebody out
there's thinking about it. But I don't worry about it too much, for a couple
reasons.

First, the Internet, it's pretty robust, a lot of attention to security. It was
designed to survive nuclear war, right. So it's not a tender flower here when
it comes to this attack stuff.

Second, if you are a cybercriminal or a foreign nation that is getting so much
huge benefit from the Internet by being able to steal America's secrets every
week, why would you bring it down?

The same is true for terrorists. It's a tremendous recruitment tool,
fundraising, training, command and control. It's given them a global presence
that they didn't have 30 years ago. They're not going to bring it down. It's
just too useful to them.

So the possibility's there. People have looked at it, but I think everyone's
going to go through the tradeoffs and say, you know, I'm better off keeping
this thing so I can hit the Americans over the head with it than I am in
bringing it down.

GROSS: Okay. What about cell-phone networks? Is there a way...

Mr. LEWIS: You know, it sounded much more diplomatic, but yeah. And the same is
true for everyone else. It's the - if we can use the old cliche, the goose that
laid the golden egg. Why would you turn off a system when you're able to
extract money and value out of it? Could someone else get that capability?

When you think of groups like the jihadis, al-Qaida, Hamas, Hezbollah, none of
them yet have this capability. If I was going to bet on one, I would bet on
Hezbollah. You know, so at some point...

GROSS: Why Hezbollah, as opposed to al-Qaida?

Mr. LEWIS: Because they're more like a state. Because they have immense
resources. They have a powerful state sponsor, Iran. They control a large
amount of territory, and we know they're very advanced. They're technologically
sophisticated. The Israelis found that out the hard way.

So Hezbollah's my favorite here for the terrorist sweepstakes. That doesn't
mean, though, that some bunch of kids that's going to become disaffected and
they're sitting in a room in London or in Pakistan or, for that matter, in the
United States and decide hey, let's see if we can bring down the electrical
grid or bring down the financial system in the name of jihad.

GROSS: If you're just joining us, my guest is James Lewis. He's a senior fellow
at the Center for Strategic and International Studies, where he directs the
Technology and Public Policy Program. And he wrote the report for the
Commission on Cybersecurity for the 44th President, which was given to
President Obama after he was inaugurated.

How did you get into this business?

Mr. LEWIS: When I was in graduate school, you had a choice. You could either
learn two languages - and I wasn't very good at languages - or you could learn
a language and a computer program. And one of my professors was - one of my
readers was very insistent that I learn how to program a computer.

So I learned how to program a computer, and not very good at it, you know,
fairly basic skills, certainly out of date. But when I got to the State
Department, the fact that I even knew which end of the computer was up made me
their leading expert. So that was how I got into it.

GROSS: Now, you worked with Richard Clarke, didn't you?

Mr. LEWIS: I did. I was just about to say I worked for a fellow named Richard
Clarke, who is the godfather of cybersecurity, you know, the fellow who - if we
had done what Dick Clarke had proposed 12 years ago, we would be much better
off. But he saw me walking down the hall one day - I worked for him. And he
said, you know how to program computers, don't you? And I said, yeah, why?

And he said, well, I want you to go out to NSA and work on this project called
DES, which is D-E-S, Digital Encryption Standard. But at the time, I thought it
was D-E-Z, DEZ, like the candy dispensers. I'm like, what the heck are they
doing with Pez - that doesn't make any - so that was how I got into it.

GROSS: So this was in the Clinton administration?

Mr. LEWIS: This was actually in Bush 41, in the first Bush administration,
right at the end, in 1992.

GROSS: And what do you think - you said if Richard Clarke had done then what he
wanted to, that we would be in a different situation. What was he proposing to
do then?

Mr. LEWIS: Well, he was kind of a visionary, and he was one of the people who
recognized, in the mid-'90s, that cybersecurity was going to be a big national
problem, and we needed to think more about securing.

And he had a vision for the role of government that was more energetic than the
Clinton administration and certainly the Bush administration was willing to
tolerate. So he wanted a White House emphasis. He wanted White House
leadership. He wanted more direction for the business community. So, all these
are things that we still need to do 12 years later.

GROSS: We're going to continue our conversation about cybersecurity in the
second half of the show. My guest is Jim Lewis. He's a senior fellow at the
Center for Strategic and International Studies, where he directs its Technology
and Public Policy Program. I'm Terry Gross, and this is FRESH AIR.

(Soundbite of music)

GROSS: This is FRESH AIR. I’m Terry Gross. We're talking about cyber attacks
and cyber security with James Lewis. He directs the Technology and Public
Policy Program at the Center for Strategic and International Studies, and he
was the project director for the Commission on Cyber Security for the 44th
Presidency. He first started working on cyber security with Richard Clarke in
the George H.W. Bush administration.

You’ve seen the Internet change so much in the years that you’ve been working
on cyber security. One of the things that makes the Internet so valuable to us
- so functional - is its interconnectivity. On the other hand, that's exactly
what makes it so vulnerable. So are there parts of the Internet that you think
no longer work that need to be redesigned for security?

Mr. LEWIS: You know, that's a good question. We don’t want to monkey with it.
It's been a fabulous tool. Look at how people have adopted it. I mean the
uptake rate - even starting in the '90s. You know, people love the Internet and
people love being able to go on their computers. It's reshaping business. It's
reshaping warfare, right? So it's worked pretty well. But there's some
problems. When it was originally designed, it was designed, as you said, for
easy connectivity, right? And it was designed for use by a group of military
officials and scientists all of whom pretty knew each other, at least they knew
where they worked. So it’s very bad at identifying who was actually on the
Internet. So you’ve got a system that is easy connectivity, bad at identifying
who's who and you create endless opportunities for mischief. So we might have
to go back and rethink some of the protocols, some of the rules as they apply
to identity, as they apply to what happens when one computer tries to connect
to another - difficult to do, might require some investment in research.

One of the problems is that, you know, 10 years ago America dominated this
field. We were the ones who could come up with the rules. We were the ones who
could say this is what the architecture will look like. Now it's a shared
platform. If we come up with new rules, we're going to have to persuade the
Europeans, the Chinese, the Japanese, the Indians, the Brazilians that it's a
good idea and they should go along and we haven't been so good at that. So,
yeah, there needs to be change but it's going to be harder to get than it
would've been a decade ago.

GROSS: Have you personally investigated any cyber crimes, cyber attacks?

Mr. LEWIS: Well, I looked at one once that happened to a place I was working at
and they, you know, you could - it was one of these denial service attacks. And
it was really interesting to me because I was able to track back on where these
attacks were coming from and, you know, one was a travel agency in Puerto Rico,
one was a small manufacturing company in Michigan, and one was an optical
equipment maker in Germany. Does that mean that we'd annoyed travel agents in
Puerto Rico? No. What it meant is that whoever was actually attacking us had
figured out how to capture these people's computers and was using them as a
weapon. So once I got back that far, I kind of stopped because to go further I
would've had to, myself, hack into the Puerto Rican or Michigan or German
computers and I would've had to, myself, commit a crime, and at that particular
moment I thought that wasn’t a good idea.

GROSS: So, this means basically turning somebody else's computer into your
robot to attack another computer.

Mr. LEWIS: Botnets, there's zillions of them. You can rent them. You can rent
them by the hour, the week, the month. They're relatively cheap. The price has
been falling. You know, you...

GROSS: Explain what you mean by botnets and renting them.

Mr. LEWIS: Robot network.

GROSS: Mm-hmm.

Mr. LEWIS: Which is a network of computers where the individual computer has,
unknown to the owner, had some kind of malware implanted on it - malicious
software - that allows someone else to remotely command it to do things. So the
botmaster, as it's called, can send out a command saying everyone send CSIS an
e-mail and 10,000 computers will send CSIS an e-mail.

GROSS: And that will disable your system because it will be overwhelmed.

Mr. LEWIS: If they do enough. That's what happened to Estonia. People talk
about Estonia being brought to its knees and crippled and blah, blah, blah.
None of it's true. The Estonians actually did a pretty good job in responding
but they were under a lot of pressure and the pressure came from botnets that
were launching hundreds of thousands of packets of Internet data against their
networks. So, yeah, that's the - it’s the platform du jour, botnets. That will
change but right now botnets are everybody's favorite.

GROSS: What are other favorite ways of attacking companies or individuals?

Mr. LEWIS: The high-end attacks will be more sophisticated and some of it
involves what we call social engineering, right? So social engineering is, I
get your e-mail address, I get some data about you, or maybe I find out your
wife's name or your birthday or something and I send an e-mail - I get your
contact list and I send an e-mail to all your friends. It looks like it’s from
you and the header is: My birthday is coming up or something and it has the
date. Inside that e-mail there might be embedded or contained some malicious
package. The friend sees the e-mail, thinks it's from you, they click on they
click on it and open it, hey presto, I've got him, right?

Works great and that's been used - that's, you know, it's a more labor
intensive effort but it's used against high-value targets. The other one people
know about now, I'm sort of upset it because it was so - it was such a
wonderful technique that I'm upset it's become public now and people stopped
doing it: Put some bad software on a thumb drive, you know, in three or four
thumb drives, drive to the parking lot of the place you’re targeting - DOD,
some company, a bank - and scatter the thumb drives in the parking lot, right?
Now, a good citizen picks up the thumb drive and...

GROSS: These are like little portable...

Mr. LEWIS: Yeah, the memory sticks.

GROSS: Portable memory sticks that you just plug into your computer.

Mr. LEWIS: Yeah.

GROSS: Right.

Mr. LEWIS: Throw - how much - it's not going to cost you that much. Throw four
or five of them in the parking lot, someone will pick it up and plug it into
their computer. And at that second, if they haven't taken certain precautions,
and most people haven't, at that second you will implant your malicious
software that will allow you to either take control or to exfiltrate data. So
that's a good one too. People are learning about that one. That's how DOD got
hacked last year. That's how CentCom classified networks got hacked so...

GROSS: That's how CentCom got hacked - that somebody picked up something from
the parking lot and plugged it into their computer?

Mr. LEWIS: The other one I heard about is, of course...

GROSS: Wait, wait, is that true? T0hat's how CentCom got hacked?

Mr. LEWIS: Yeah. It was a memory stick. It was funny for me because I gave a
talk once to one of these defense contractor groups about cyber security and at
the end they gave me a present for talking. It was a memory stick.

(Soundbite of laughter)

Mr. LEWIS: Made in China. I said you clearly haven't been listening.

(Soundbite of laughter)

Mr. LEWIS: I've heard the same things happened at Justice where somebody
scattered them in the men's rooms and Justice was smart enough to figure out
that - whoever found it was smart enough to figure out not to fall for the
trap. But, you know, look, you’ve got intelligence agencies with 10,000
employees and multi, hundreds, million dollar budgets who spend every day
trying to figure out some way around your defenses. You’re going to come up
with something.

GROSS: Jim, let's take a short break here and then we'll talk some more.

My guest is James Lewis. He's a senior fellow at the Center for Strategic and
International Studies where he directs its Technology and Public Policy
Program. We'll be back after a break. This is FRESH AIR.

(Soundbite of music)

GROSS: My guest is James Lewis. We're talking about cyber security. He's a
senior fellow at the Center for Strategic and International Studies where he
directs its Technology and Public Policy Program. He wrote a report for the
Commission on Cyber Security for the 44th President. This was a report on cyber
security that was given to President Obama after he was inaugurated.

Let's look at the story of what happened to Google recently - how it was hacked
and see what we can learn from that. Google was one of I think about 34
companies that was recently hacked, mostly in the Silicon Valley...

Mr. LEWIS: Mm-hmm.

GROSS: ...companies in the Silicon Valley. Google's the one that stepped
forward and said we were hacked. So did the others – the other companies aren't
talking. Describe what you know of the damage cost to Google and what the
intention behind the hacking was.

Mr. LEWIS: There's always two motives. There's an economic motive, right, which
is maybe Google has some neat technology, maybe I can steal that technology.
The same is true for the 30 other companies. In this case, there's also a
political motive. Maybe if I can get into Gmail and I can find certain people's
Gmail account I can find out what they're plotting for Tibet or what they're
thinking about other things. So in Google's case it was both economic espionage
and traditional political espionage. Not the first time we’ve seen this.

GROSS: Do you suspect the possibility that China was behind the hacking of
Google?

Mr. LEWIS: I've had this discussion with Chinese experts where I've told them
that, you know, one of the problems with deniability is you have to be able to
name another country that cares a lot about Tibet and, you know, I mean go
through the list, Botswana, you know, Venezuela. Sorry, only one country in the
world spies on human rights activists in Tibet. And when you see that, it's
hard not to leap to the conclusion that that government was responsible.

GROSS: Why are you making that Tibet connection?

Mr. LEWIS: Because in this case, and in at least two earlier cases, part of the
hacking involved ferreting out data on human activists - human rights activists
in Tibet who the Chinese government had an interest in tracking, detaining and
in blocking their actions.

GROSS: Now, why do you think Google went public when most companies don’t?

Mr. LEWIS: Well, I mean Google is an unusual company and so I give them a lot
credit for doing this. I mean some of it is they have - what's their slogan: Do
no evil. Do no harm. Do no whatever, you know. They apparently take it
seriously, right? So I think they were probably a little shocked. Second,
Google, you know, has a very high regard for itself. They are among the most
technologically advanced and innovative companies in the world but they were no
match for a foreign intelligence service, right? And I think that shock helped
prompt them to talk to - we keep hoping that some big company is going to be
able to beat the SVR or the PLA and it's just never going to happen, but I
think it’s a shock to people when they get whacked.

GROSS: Now you’ve raised the question about something like Google, where is the
line between a company that's private, corporate or a public concern? So many
people have Gmail, Google's e-mail service, so many people use Google. Google
is now working with the National Security Agency...

Mr. LEWIS: Mm-hmm.

GROSS: ...to kind of investigate what happened. They're also working with the
FBI. What does it say to you that Google's working with the National Security
Agency?

Mr. LEWIS: I'm impressed that they made the decision. They probably wished that
it hadn't gone public and I'm still not quite sure how it got out into the
public. You know, this isn't the first time that a company has gone to NSA and
said to them: Could you do me a favor? Could you look at my code? Could you
look at my network architecture? Could you look at my programs and see if there
are any vulnerabilities that I should be worried about. This is not espionage.
The NSA has two functions: they have a spying function. Sure we all know about
that (unintelligible) intelligence. But they also have a security function and
I think if you talk to General Alexander, who's the head of NSA, he'd tell you
he has two hats. He has his spy hat but he also has another hat that says he's
the head of the Central Security Service of the United States, which is the
security service that tries to make our networks less open to foreign
attackers.

So when Google went, I thought to myself, not a bad idea. Now, with the FBI,
I'm sure they're actually doing the investigation of who was responsible, how
far they can track it back. One of the things that's improved in the last
couple years is the FBI's gotten some really good capabilities at
investigation. It's still very difficult because at some point you will need
foreign government cooperation - be interesting to see if we get it this time.
I'd be happy to take bets with anyone on that. But between the FBI doing the
investigation and NSA helping rethink Google's defenses a little bit, it's a
reasonable choice for a big company.

GROSS: What does it mean to somebody who has Gmail or somebody who googles a
lot that Google was attacked?

Mr. LEWIS: Well, you know, we tend to use this infrastructure and we have an
assumption of privacy that it's like the telephone system where if you pick up
the phone and call someone, you’re pretty sure that with only a few exceptions
no one else is listening in, right? But if you do that by e-mail, then you
should not assume you have the same level of privacy. You don’t have the same
level of protection. So I think that's the main thing people need to think
about is we’ve seen this – we've seen it with Facebook, with Twitter. You have
assumptions about privacy based on the physical world and they do not apply in
the digital world. You need to change how you think about privacy.

GROSS: If you’re just joining us, my guest is James Lewis. He's a senior fellow
at the Center for Strategic and International Studies where he directs its
Technology and Public Policy Program.

Jim, let's take a short break here and then we'll come back and talk more about
cyber security.

This is FRESH AIR.

(Soundbite of music)

GROSS: If you’re just joining us, my guest is James Lewis. We're talking about
cyber security. He's a senior fellow at the Center for Strategic and
International Studies where he directs its Technology and Public Policy
Program. He also wrote the report for the Commission on Cyber Security for the
44th President. This was a report from more than 50 information technology
experts and government industry and academia - a report that was given to
President Obama after he was inaugurated.

Jim, one of the things you’ve been doing now is looking at the history of the
Internet. And you were telling me before the interview started that the history
that you’re doing is actually connecting in interesting ways to the
counterculture and the anti-war movement. What are the connections?

Mr. LEWIS: One of the things you hear a lot of times is that government should
only have a...

GROSS: I should say, counterculture of the 60s anti-war movement - anti-Vietnam
War movement.

(Soundbite of laughter)

Mr. LEWIS: Yeah, that's right. Yeah...

GROSS: Better be specific. Yeah.

Mr. LEWIS: One of the things that's interesting is a lot of the times we hear
these claims that there's no sovereignty in cyberspace, that the government
should have a limited role. And I was wondering, where did these ideas come
from, because there's clearly sovereignty. And the notion that government
should have a limited role sure, in some places that's right, but in other
places, you know, like highways, if there weren't traffic cops and stop signs
and stop lights it would be a mess. So how do we get to this place? And in
looking at some of the original thinkers of the Internet - some of the original
designers and architects - a lot of them were out there in Northern California
and a lot of them had links to the anti-war movement or to the counterculture
movement or to - one of them was a songwriter for the Grateful Dead.

I mean that's just, who would've thought it? And they had this vision of the
Internet becoming a global commons that was open and free, that it was non-
hierarchical, that everyone could participate, and that government would not be
there. Right? That it would be kind of like Woodstock, I guess. And that was
their vision. And, you know, it works in some places and when you look at the
Open Source Movement or when you look at the Internet Engineering Taskforce -
very open, non-hierarchical, great communities. But a self-organizing community
is not the way to go for a global infrastructure that's become critical to
business and critical to national security. And the fact that we approached the
Internet thinking of it as a self-organizing global commune has put us at a bit
of a disadvantage in coming up with solutions.

GROSS: In what way?

Mr. LEWIS: Well, one way is that the - and it's funny, you know, so you have
the sort of the Libertarians - the Cyber Libertarians becoming allies,
wittingly or not, with the business community. Because the business community
also like small government, they don’t want regulation, they don’t want
liability. And I'm afraid if we don’t regulate companies and hold them to some
standard we will never be secure when it comes to cyberspace. That doesn’t mean
heavy-handed regulation, but it's like saying we can get rid of the FAA because
the airlines will take care of aircraft safety themselves. It's in their market
interest. And that's not true. FDA, FTC, any of the regulatory agencies, we
need to have some minimal regulations to get companies to do the right thing. A
lot of companies do the right thing anyhow but not everybody.

The second problem is, then you get this question of well, where is
sovereignty? What should the government actually do? And we’ve tended to say
the government should just sit back and lead by example and exhortation. I call
it a faith-based strategy because we have faith that it will somehow work out
and we’ve been doing that now for about 10 years and it hasn’t played out quite
as we expected. So you’ve got an initial impulse towards this communal
structure - a global community that is okay for some things but it's not the
way to organize for infrastructure and national security.

GROSS: Didn’t you have like two competing influences in the early days of the
Internet, because the Internet's created by the Defense Department and they...

Mr. LEWIS: They had the...

GROSS: And then you have this more kind of Utopian strain when people from the
counterculture start designing things.

Mr. LEWIS: It - DOD had very different goals at that point. And DOD, although
they had the foresight to see that networks would be useful, they didn’t
realize - I'm not sure anyone realized what this would become. But, you know,
DOD's problem was I want to make a phone call from Washington to Los Angeles
and the lines run through Chicago and now there's been a strategic nuclear
exchange and Chicago isn't there anymore. That was always very upsetting to me
because I lived in Chicago at the time. And so how do I build a network that
will automatically correct for these things that will insure continuous
connectivity even in the most horrific of circumstances?

That's what they wanted. And they weren't worried about some of these other
problems. So you had this strange confluence of events that led us to this
notion that we're in a self organizing community. And to some extent there's
truth to it. But now we have to ask: Is it time to bring law to the Wild West?
The movie I always tell people to watch to understand the Internet is "The Man
Who Shot Liberty Valence," right?

(Soundbite of laughter)

Mr. LEWIS: Because you have the bad guys and you have good ol' John Wayne but
who does the stuff that you would need to get the bad guys under control. But
at the end of the day, it's the wimpy lawyer, Jimmy Stewart, who brings law and
order to the West. And that's what we got to do now. Good-bye John Wayne. Hello
Jimmy Stewart.

(Soundbite of laughter)

GROSS: Have you heard a proposal that people should have some kind of license
in order to be on the Internet?

Mr. LEWIS: Yeah. This gets to two of the issues we had talked about earlier:
authentication of identity, how do you prove who you are? How do you enable
someone to trust it when you say I'm Jim Lewis? The old cartoon about on the
Internet, no one knows your dog, still applies, right? The other problem it
gets to is civil liberties, right, which is there are governments in the world
that would like to constrain free speech. And if you are firmly identified,
that might help them in their ability to do this.

So we’ve got this tension between the need for greater authentication for
security purposes and the need for preserving anonymity for some political
speech. One solution has been a driver's license or some sort of permit or
digital credential. A driver's license is just a credential, right? And you
would use that for transactions that you cared about. You know, like the e-mail
you didn’t want everyone to read or your bank statement. And then you wouldn’t
use it for other transactions. You know, when you wanted to go that blog site
and make fun of Dick Cheney or something.

GROSS: So do you support this kind of licensing?

Mr. LEWIS: No. I don’t think it's a good metaphor because, of course, when you
talk about driver's license, you immediately think of test right? And I see a
different future for this. I see the computers becoming like telephones. You
don’t have to program your telephone; you don’t have to think about your
telephone. You pick up your telephone and you push some buttons and it works.
And we're just going to have to move consumers to devices that are that
reliable and that secure.

Asking them how to learn how to do things, all the stuff you have to do now to
reduce risk, it's just too hard for most people, right? And it's not because
it's intrinsically difficult but it’s how many people want to spend three hours
reprogramming their computers so it's a little safer, right? I don’t think that
we need to be testing people. I think we need to be giving them equipment that
let’s them get out of being their own defenders. Frankly, just as a footnote,
I'd like that for cars too. I can't wait for the days when they’ll be a smart
device on car or a computer on a car and the car will do the driving, and that
way when you have snowy days like this, there won't be so many maniacs doing
it.

(Soundbite of laughter)

Mr. LEWIS: So, yeah, I want, fix this problem for me. Get the consumer out of
the middle and driver's license as a credential, it’s a good idea. But as a
test or a permit, a bad idea.

GROSS: But you'd like the idea of identification and authentication?

Mr. LEWIS: We have to do that. You already do it now when you go on to your
online bank. They ask you, you know, what was your dog's favorite dessert along
with your password and your user name? It kind of works. It doesn’t work
perfectly, but we need better ways to say that a bunch of packets arriving over
the Internet that say, I am Jim Lewis really are true. There are some
technologies that will let us do that but there are privacy and civil liberties
concerns overblown, in my opinion. But we will need for high-value transactions
to come up with a better way to authenticate identity.

GROSS: Okay.

Mr. LEWIS: Otherwise, you could be a dog. Not you personally, but I meant one,
one...

(Soundbite of laughter)

Mr. LEWIS: You know, we got to get - the dog cartoon, when was that, in 1995?
We got to get past the dog cartoon.

GROSS: James Lewis, thanks so much for talking with us.

Mr. LEWIS: Sure. This was fun.

GROSS: James Lewis directs the Technology and Public Policy Program at the
Center for Strategic and International Studies. You can download podcast of our
show on our Web site, freshair.npr.org. And you can follow us on Twitter and
friend us on Facebook at nprfreshair.

I'm Terry Gross.

We'll close with a song that we dedicate to everyone who has been snowed in
this week. This is a song by Dave Frishberg which he performs here with Rebecca
Kilgore.

(Soundbite of music)

GROSS: On the next FRESH AIR, the story of the surgeon who developed the hernia
repair, the radical mastectomy, the use of sterile rubber gloves and the
medical residency system. But, through experimenting with cocaine as an
anesthetic, he became an addict. We'll talk with Gerald Imber about is new book
"Genius on the Edge."

Join us.

(Soundbite of music)
..COST:
$00.00
..INDX:
123531188

Transcripts are created on a rush deadline, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of Fresh Air interviews and reviews are the audio recordings of each segment.

You May Also like

Did you know you can create a shareable playlist?

Advertisement

Recently on Fresh Air Available to Play on NPR

52:30

Daughter of Warhol star looks back on a bohemian childhood in the Chelsea Hotel

Alexandra Auder's mother, Viva, was one of Andy Warhol's muses. Growing up in Warhol's orbit meant Auder's childhood was an unusual one. For several years, Viva, Auder and Auder's younger half-sister, Gaby Hoffmann, lived in the Chelsea Hotel in Manhattan. It was was famous for having been home to Leonard Cohen, Dylan Thomas, Virgil Thomson, and Bob Dylan, among others.

43:04

This fake 'Jury Duty' really put James Marsden's improv chops on trial

In the series Jury Duty, a solar contractor named Ronald Gladden has agreed to participate in what he believes is a documentary about the experience of being a juror--but what Ronald doesn't know is that the whole thing is fake.

There are more than 22,000 Fresh Air segments.

Let us help you find exactly what you want to hear.
Just play me something
Your Queue

Would you like to make a playlist based on your queue?

Generate & Share View/Edit Your Queue