The Atlantic Council of the United States
Cyber Statecraft Initiative
“Lessons From Our Cyber Past: The First Cyber Cops”
Director, Cyber Statecraft Initiative
The Atlantic Council
Christopher M. Painter,
Coordinator for Cyber Issues,
U.S. State Department
Deputy Assistant Director, Cyber Division,
Federal Bureau of Investigation (FBI)
Location: The Atlantic Council of the United States, Washington, D.C.
Date: May 16, 2012
Federal News Service
JASON HEALEY: Welcome, ladies and gentlemen. This is the second of our series of events on the history of cyber conflict. The first one we held a month or two ago with some of the very first cyber commanders from the mid-to-late 1990s. I see some of the same faces.
Today, we’re doing the lessons from the first cyber cops, to hear about early cybercrime. Specifically, what lessons from those days are still applicable today is going to be one of the themes in particular that we’re going to want to keep hearing about.
Today’s event is one in a series that the Atlantic Council is having with the Cyber Conflict Studies Association where we try and look at these past conflicts, and ask which of these past lessons is most applicable today. The end result is going to be a cyber conflict history book, which will hopefully be out in 2013, based on funding that we’ve received through the Cyber Conflict Studies Association.
As part of that, we’ve been doing a number of things, including looking to past cyber exercises and lessons from that, and many, many other events. The next event we’re going to have is likely to be late June, and it’s going to be titled, the first cyber espionage. Special Agent Retired Jim Christy is going to come and talk about “Cuckoo’s Egg,” and hopefully we’ll get a few other of the early people that were involved in that very first cyber espionage case from 1986.
Today we have a wonderfully distinguished audience, but also a wonderfully distinguished panel to tell us about the first incidence of cyber crime, how they got into the field, how they’ve seen the field grow, and what lessons are applicable today. I won’t cover their biographies so that we can have more time for questions and answers, but hopefully you have picked up a copy of their bios outside.
I’m going to start to my right with Chris Painter. And I’m very curious. Chris, what got you started in cybercrime?
CHRISTOPHER PAINTER: Well, first of all, I don’t think I actually committed cybercrime. (Laughter.) Or if I did, I’m not going to admit it here.
MR. HEALEY: It’s a fine line. (Laughter.)
MR. PAINTER: It’s a fine line.
I’d always been interested in technology when I was in college and in law school. And then I went, in 1991, to the U.S. Attorney’s Office out in Southern California.
And this was the time when we had an agrarian economy and we used abacuses to do things. The Internet kind of existed. The Web didn’t really exist yet. So this is very early. However, a lot of companies used computer systems and relied on them, as did governments. Certainly the military did, and others.
And because I was interested in the technology, I sort of gravitated to this idea of cyber crime, which was just then getting more of a profile, and working some with Scott Charney, who was here in D.C., who had just started the computer crime – then I think it was a unit, which was part of a larger group of people who were starting to look at these issues.
Then in the U.S. Attorney’s Office, after you deal with the little things like bank robberies to get yourself acclimated to how to prosecute cases, we started seeing these intrusions into various companies and theft of various kinds of source code. And there were various companies – cellular phone companies, some of the other provider companies that we were seeing in the Los Angeles area in our district – and then also the University of Southern California was being hit and it looked like people were storing information there.
And that turned out, after a lengthy investigation, to be Kevin Mitnick who was doing this.
MR. HEALEY: And what year was it?
MR. PAINTER: So this was ’92 through ’95, when we finally caught up with him. It was very interesting because no one really wanted to work on these cases because they were technical. They didn’t really understand them, but they were interesting cases and I wanted to take them on. We had great FBI agents in the Los Angeles Field Division, some who were still working in this area, such as Ken McGuire and others, who were really interested in following up on these cases.
We started tracking these and they started snowballing into this huge case on Kevin Mitnick, while he was a fugitive from a prior federal conviction, hacking into companies around the world. And in the course of that I learned Linux, and learned how to look at all these things. We were planning to do sting operations.
That was just one of a number of cases, and I have to say, I really was extraordinarily lucky and partly in the right place at the right time with the right interests, to get to do that case. I can tell stories for hours about that case alone, but I also ended up working on the first couple of stock manipulation cases involving the Internet, the first eBay case, the big denial of service case in 2000, which was the “Mafiaboy” case. That was actually when Shawn and I started working together.
So I was able to do all of these really fascinating cases and saw the change in this from this niche issue, where a lot of people would root for the computer hackers.
MR. HEALEY: “Free Kevin.”
MR. PAINTER: During Mitnick’s sentencing there was a plane – this wouldn’t happen today because of all the problems, but there was a plane circling the courthouse with a “Free Kevin” banner. Now people rely so much on these technologies, and have actually had this happen to them, so they better understand the importance of this issue. Now it really is something that people understand much more than they ever did – and certainly not enough, but – how serious these crimes are and how they can really impact us.
MR. HEALEY: Interesting. Steve?
STEVEN CHABINSKY: The way I got into this is similar to how a lot of young people get into computers in our profession now. It started out with games.
MR. HEALEY: Games. It started out with games.
MR. CHABINSKY: So, it was 1979 or ’80. I had a cousin who had a TRS-80, and I was over at his house –
MR. HEALEY: That was an early computer, for those of you who –
MR. CHABINSKY: And Radio Shack Tandy.
MR. PAINTER: I thought it was a satellite. (Laughter.)
MR. CHABINSKY: And he was extremely generous. He was signing into a service called The Source, which was extremely expensive – by the minute I’m sure they charged – and he allowed me to play a game called “Adventure.”
And it was one of those where there was no graphics, of course, back in these days. You had to type out directions to turn right. And then it says: A nasty elf has come at you; what do you do? And you say: Fight elf. And it says: Elf killed you. (Laughter.) And I just thought this was remarkable. It was, to me, artificial intelligence.
I then decided I wanted to program just like that. So I was in high school at the time. I was the kid who worked every day after school not to buy a car but to buy an Apple II Plus, in those days about 1,200 bucks, and it didn’t come with a floppy drive. That was another 400 bucks for a five-and-a-quarter-inch drive, but it came with 48K. I had to buy another 16K just to be able to program, I think in FORTRAN at the time, Pascal. So that’s the early way to get into this.
I ended up joining the FBI – fast forward – and in 1998, something happened, which was that President Clinton had Presidential Decision Directive 63. The FBI was put as the lead of a group that no longer exists, the National Infrastructure Protection Center. It was an incredible concept then, and today that strategy is still sound.
The concept was that multiple government agencies and the private sector have to work together to combat cyber. They needed another lawyer, so I raised my hand immediately because I saw it had to do with cyber. I was very fortunate to be selected. And the first project I was given – this was – in the PDD it said that this National Infrastructure Protection Center had to create its own relationship with the private sector.
We didn’t know how to do that, and we recognized that in 1996 one of our field offices had created something called InfraGard. And InfraGard was probably about 200 people. Cleveland, Columbus and Indianapolis were there. And there was a lawyer already at the NIPC. He would leave me standing there by myself a few months into it because he got promoted.
As soon as I walked in the door he said, what I could really use your help on is this project that I – it would just mean a lot to me if you did it – which was his way of saying, this is a real ugly bear. (Laughter.) And what it was is, how do you nationalize this program with the private sector for mutual protection?
So the idea that we see now, when we’re talking about learning from our past, is that you can’t do this without the private sector. This is not a new idea. So we took this group of a couple of hundred people, and today InfraGard has over 50,000 people throughout the United States. I never dreamt I would be part of helping to grow an organization larger than the one I’m part of. The FBI only has about 35,000 people.
And it’s for this combined protection, both on the cyber side and really after September 11th moved much more to be inclusive of physical. And in that time, of course I started giving legal advice on our intrusion cases. And enters in – I think a good transition – Shawn Henry as the unit chief of our Computer Intrusions Unit.
SHAWN HENRY: Well, first, I’m honored to be with two of my closest friends, interestingly enough. And I think our relationships developed because we were on the front lines in this space back in 1999, 2000, working in a very collaborative way in an area that was really emerging. There were not a lot of precedents set.
And one of the things – I don’t do a lot of really good things all the time right, but one of the things I was able to do was latch on to two really good attorneys who understood the space and were, most importantly, innovative. So, I appreciate both of them being here because they’re very close friends.
My start was not unlike Steve’s actually, beginning in high school as well. Except instead of playing with the elf, it was actually “Star Trek” – (laughter) – when it was “Klingon ship, turn right.” So that was my interest back as probably a freshman in high school.
And I took some classes, and I was interested. So when I went into the bureau there were some courses, UNIX courses and some cyber investigation courses that were available, which I eagerly took and participated in.
When I saw that there was an opportunity in the bureau – there was a vacancy as the chief of the Computer Investigations Unit, and I had just spent a couple of years at headquarters as a supervisor. This position was a natural route for me to take.
What I wanted to do – because I’d talked to some people who were in the cyber space – what I wanted to do was to bring many of the things that we had done in the physical world successfully against organized crime groups and against terrorist organizations – white collar crime, public corruption cases – I wanted to take some of those investigative tactics and I wanted to apply them in the cyber realm.
Because I’ve always seen that there are actually more similarities between the physical space and cyber space than there are differences, and I can relate many things in the physical world to the cyber world, and vice versa. And I had a lot of experience working undercover operations and using authorized digital intercepts, using informants and the like.
MR. HEALEY: What year was that?
MR. HENRY: This was 1999. It was actually just prior to Y2K. I was sitting with Steve – I don’t think Chris had arrived from L.A. yet. Marty Stansell-Gamm was there at the time.
But we were sitting in the command post at 11:59 p.m. – (laughter) – when this countdown started – 10, 9, 8, 7, right, for the beginning of the New Year. It’s going to be the year 2000. When it hit zero, the lights went out, because someone had flipped the switch off – (laughter) – to mess with everybody. Then they turned it back on, so – just kidding. (Laughter.) In any event, we –
MR. HEALEY: It wasn’t Mitnick, right?
MR. HENRY: It was not, not that I’m aware of.
But Steve and I actually started working on the very first undercover case in the computer intrusion environment. We’d never done it before. And we had hundreds of cases at the time. We’d never used that technique, the covert technique. And it was incredibly complex because there was a lot of potential liability.
There were a lot of concerns by the Department of Justice and others. And it was the first time that Steven and I had actually met. I said we needed to chat about some of these legal implications, and here’s what I’d like to see us do and then kind of move into this environment.
To make a long story short, it actually became a very successful case where we had an undercover agent who actually joined a hacking group covertly and was actually engaged in some hacking. It was segmented and it was all legally done, legally authorized. But it allowed us to collect a lot of intelligence about a particular group that up to that point we did not have a deep understanding of what they were doing.
But because we utilized this technique, it kind of paved the way for us going forward, and it’s something that I think is common practice for us now, a way to infiltrate some of these organizations.
MR. HEALEY: And – I’m sorry to keep asking the question – what year was that? And can you say what group?
MR. HENRY: Yeah, so that would have been 2000, right when – when I got there it probably would have been February or March of 2000 at that point.
MR. HEALEY: And can you say what group, and did you get a prosecution?
MR. HENRY: No – yes. And no, I can’t, but yes we did.
MR. HEALEY: Good; congratulations. Congratulations.
MR. PAINTER: I should say my first computer was – although I had an Apple II, my first and favorite computer was an Amiga 500, which is a far more elegant computer for those who know this. (Laughter.)
And to use one of Steve’s points, sometimes when you’re dealing in this area and you’re dealing particularly with the bureaucracy, it reminds me of something from the game “Adventure.” You’re in a series of twisty little passages all alike and you can’t get out. (Laughter.)
MR. HEALEY: So one of the questions when we looked at this with the cyber commanders, we see in the Department of Defense there’s always a wake-up call, and something that happens that makes the senior leadership go, oh my Gosh. And DOD has been through any number of these. The latest is “Buckshot Yankee.” Has that happened on your side also?
I know, Chris, you’d mentioned Mitnick and others. And you don’t have to go in any particular order. Have we seen that kind of pattern of repeated wake-up calls also?
MR. CHABINSKY: I think so. One of the first cases I was working on was Solar Sunrise. And a lot of these cases stand for not the proposition of how bad they were but almost this fog of war concept that I think permeates a lot of our entry into the new areas that have come upon us.
So the Solar Sunrise, we see military computers, dot-mil computers that are being intruded upon, and it’s coming from abroad. And it’s during some conflict that was occurring at the same time with Iraq, if I recall correctly. And we’re seeing the traffic coming in from another Middle East country. And on the receiving side it really very much looks like the dot-mil environment is under attack at this point from this other nation state.
So playing it out in real time – and keeping in mind that this is the first time we really saw a large-scale, across-the-board coming from one area intrusion set – there was obviously the real possibility that we are, quote, unquote, under attack. And you see the dynamics play out then between the interagency, right? If we are under attack, how are you sure of attribution? What is the appropriate response? And then you respond symmetrically.
Then of course the FBI, being an organization that is schooled not only in investigating according to the rules and regulations and statutes and constitutional requirements, having to respect the continental U.S. – not being able to travel easily in ways that might affect sovereignty of other nations; but also, on top of that, being an organization very much into notions of probable cause and beyond a reasonable doubt.
Do you have enough here for attribution that would make us comfortable to have you be comfortable to do something as a military campaign against this third party, this other country?
And we were, I think, at the table saying we don’t think there’s really that much attribution, that it’s state-sponsored, at the time. In that instance, that turned out to be correct, as we know the end of this story – a couple of kids in Cloverdale, California working with another – a young adult in Israel, purposely routing through another country to make it look like it’s coming from that country.
Now what’s the moral of that story? For me, as a wake-up call, the moral of the story was our dot-mil had been intruded upon, meaning our dot-mil could be used, therefore – remember, this was back in 1998 and ’99 – to launch attacks against another country and it will look like it’s us. So will our adversaries have the same restraint that we displayed during Solar Sunrise when they start seeing attacks against their infrastructure coming from us?
I think that that concern was something that – before that we really weren’t thinking about the optics of computer intrusions launched from the continental U.S. that may ratchet up, escalate and have this be a possibility.
Another story that I remember that happened really very early on – and I’ll leave it at these two – of perception, again trying to just come to ground on what we were looking at in a very fast-evolving situation, was the White House getting all of the main players on a teleconference. We had everybody you could think of – CIA, FBI, NSA, every brand of DOD. This is before DHS existed, of course.
And a large botnet, a very large botnet, was being assembled for the first time that we had visibility. And there was a lot of concern: What is this being assembled for? Why would anyone assemble this large supercomputer, right? Is it about to attack the United States? And the answer ended up being, no, it was being used for click fraud. (Laughter.) Right, and so now it’s something that becomes comical, but while we were living through it, not so, because at the time you can’t anticipate what the end of the story is going to be while you’re playing it out.
And when I fast-forward to today, I think two things about that in the evolution of where we are. One is, I think it’s become – for the first concern it’s almost gone – to the opposite extreme, when someone is thinking that an attack is coming from a country, there is such deniability and so much of a lack of attribution that countries are less likely to even believe what’s staring at them in the face, so to speak, right? So it’s almost gone to the other extreme – not that I think that the problem has resolved itself, but I think it now favors a different problem.
With the click fraud, I think the communities have done a lot better now to be able to determine what the motives are, and what the distinctions are. I don’t think that we become over-excited about events. Obviously these things are happening routinely now and we’re not having White House calls about them, so we’ve become much more sophisticated in that way.
MR. PAINTER: Yeah. I think when you ask about wake-up call, I don’t think there’s been one single instance that’s been a wake-up call. I think it’s been a series of instances over time. And in some ways it’s almost been a wake-up call with a snooze button because you would have, at least early on, a number of incidents which people would get very excited about. There would be a lot of publicity around them. They make an impact for a short period of time and then they would fade away.
And you’ve even had some policies. In 2003 we had a cyberspace, cybersecurity policy. It was important. It didn’t really get a lot of traction at that time but it took a few years to get more traction in that.
But then, teeing off what Steve was saying, back around 2000 when we saw one of these botnets being put together, there was some supposition that maybe this is what’s going to try to take down everything when the millennium comes. It won’t be a bug; it will be someone actually exploiting this.
And there was a lot of concern back then but that seemed not to really happen. People calmed down. But then in February of 2000, so after the turnover, that’s when we had these large-scale denial of service attacks that took down lots of different Internet companies and also media companies like CNN – either took them down, slowed them down in the case of some of the trading companies, had a major impact and also got a lot of attention – a lot of media attention, a lot of world attention.
There was a sense that this illustrates how vulnerable we are, this illustrates how vulnerable e-commerce is, this illustrates how we – we are not going to be able to ever find this person, which we did fairly quickly. It took a few months, but found the person, and it turned out to be a 13-year-old who went by the moniker “Mafiaboy,” not his real name.
That illustrates the asymmetric threat. I mean, this is a 13-year-old boy who lives in Canada. We were able to use very quick international processes and work with the Canadians to track this down. You know, and I think that was important and is a lesson that you can have all this damage, you can have this asymmetric threat and it doesn’t have to be a nation state.
And the same kind of debate went on – this must be a nation state; this is too sophisticated; it couldn’t possibly be anything else. And it turns out to be a 13-year-old. But it did show people that we’re vulnerable, and I think that did create a lot of questions about how do you deal with these issues? This is an important issue. But then it went away for a little while.
And then “Mafiaboy,” it turned out they monitored – RCMP monitored the communications going to that house. And it turned out we traced him back because we had arrested someone who right around the millennium was building this botnet and then he was the one who was in contact with this kid. But they monitored the house and it turned out the father was ordering a hit on one of his colleagues, so it was “Mafiadad” and “Mafiaboy” – great family.
I mean – so I think that was one wake-up call that kind of paused – then you had later on, and just in terms of botnets, the bot herders, the commercialization in this area, really the growth of the threat for these kind of lone-gunman hackers that were out there, and the people who were just trying to cause damage to people who didn’t want to be seen, didn’t want to get the profile, didn’t want to make these big statements but wanted to either be stealing money or trade secrets or other things from companies and others or having some possible effect on the infrastructure, which people became very concerned about.
I think some of the early concerns about infrastructure attacks were inadvertent. You had these kids who reset an airport telephone switch to control the local airport. People began to think, well, this could have an effect on infrastructure. And that was another big development and a wake-up call as this can cause damage beyond just the theft of information. It could really have a damage that causes physical damage.
So all of those things I think built on each other to get us where we are today, which, I think, is not all the way where we need to be. We are moving very well, I think, in that direction. But the atmosphere now compared to even five years ago in terms of people understanding how serious this problem is, not just here but in other countries around the world, is dramatically different. And I think in part that’s because of some of these cases, some of these both successful cases that we’ve talked about and other things that have happened that I think has driven that.
MR. HENRY: So, as is typical, I agree with both of my colleagues here in different respects of what they said. I think when you think about kind of an aha moment, what are the things that happened, I think there are lots of individual issues that get us thinking from a policy perspective, what do we need to change, or from an operational perspective, where do we need to focus?
But I also – to Chris’s point, I don’t think we’ve had that wake-up moment yet globally, and I don’t think we’re going to have it until we see the physical implications and ramifications of an actual attack, and where we see lights go off for a period of time or we see people die. And that is – I see that as happening, but until we have that – it’s the equivalent of planes crashing into buildings. People are going to focus on terrorism when they see blood in the streets.
But for me, one of my points where I started to think about this differently, it was around the same time as “Mafiaboy” in early 2000, which was the I Love You virus. This virus that went out around Valentine’s Day – I love you. Of course, everybody wants to know who was enamored with them, so they all click on it and of course their computers were all infected with this virus. And it had a cascading effect across the network, and it happened just over the course of 24 hours or so.
For me, what I got from that is that this is not merely a United States problem. This is a global problem. And there are issues from a law enforcement perspective that we’re going to have to deal with because this is a global problem. One of the things was in the past when there was some type of a criminal act, it was relatively clear where venue was. It was in a particular city where the act took place. And the FBI and the U.S. Attorney’s Office in that city would be the responding officials, typically.
In this case, we had victims across 50 states, and we had 56 different field offices that had some sense that they had venue. And to a certain extent they were right. And I actually had to make the decision where – as the chief of the unit, where venue was going to be and which field office was going to work that case. And I did it unilaterally without confirming with the U.S. Attorney’s Office. And since I gave the case to one of the field offices – Newark, New Jersey – then that U.S. Attorney’s Office kind of jumped on board.
But the other part of that, kind of taking that same thought process about where’s venue, was when we ultimately, at the end of the day, through good investigation, good efforts by the agents there, identified that this was a young man in the Philippines, who actually was identified – somebody put their arms on him. At the end of the day, the Philippine government had no law against what he did. So even though he was identified, even though he caused great monetary damage – and this got worldwide attention – nothing happened to him. They arrested him and then they let him go.
And again, the global element here – and how do we look at this at an international level, because it’s an international problem. We need to have consistent laws. We need to have consistent strategies. We need to have an understanding across global boundaries, country boundaries, because this is something that impacts all of us.
MR. HEALEY: Does that happen anymore?
MR. HENRY: It does, to a certain extent. I think that we’ve gotten much, much better, I mean, within the FBI. The FBI is centralized, in much of what it does, and rather than 56 field offices operating independently, there’s a central command, and they’ll decide who is going to respond and not. And FBI headquarters is a lot more directive in how things are done.
But still, there’s still – there’s overlap in the way things are done. But I think we’ve become much more – and when I say we, not just the FBI but the community as a whole – much more strategic in our operations, much more strategic in our execution of the mission.
MR. PAINTER: And Shawn raises a good point about the kind of globalization of this issue. I think cybercrime has led in terms of our understanding, and cybersecurity followed on. I think people understood and started working on some of the cybercrime policies before they started really thinking at a policy level about cybersecurity.
And you know, partly because of that ILoveYou case – and I think that really accelerated it – there were a lot of efforts globally through – the G-8 was one of the first ones to focus on cybercrime.
And there was a ministerial meeting back in 1999 where this was pushed as a major agenda item that countries need to have better laws, better capabilities. Of the three legs of the stool you have to have good capacity to fight these crimes – law enforcement and others. You had to have good laws in place. And you have to have the ability to cooperate internationally.
And that was laid down then and really followed through over the number of years both within the G-8 and in the Budapest Convention on Cybercrime, the Council of Europe convention, which is still the single instrument that’s out there that really deals with some of these issues.
At the same time we’re also looking at operational cooperation. We had the G-8’s 24/7 Network, which now has 60 countries. It started with eight back then. There was a lot of work in enhancing the LEGAT (Legal Attache) program around the world.
So there really was a lot of international work here, but I think the difference now and then is it was really good expert work, work among the cognoscenti, and I think it’s elevated over the last few years so that now it’s reached the level of the – you know, the leaders of these various countries and the leadership of these governments.
MR. CHABINSKY: I think you are being modest, Chris, because the world started developing laws with the help of you and your colleagues at DOJ that were called in. You were showing them not only what U.S. law was but where we actually thought U.S. law could improve. So you aren’t selling them the old model, right?
So you put – the Department of Justice put in a lot of effort after the ILoveYou virus. I think the Philippines ended up updating their law within a couple of months. And a lot of others followed. So that was a very big defining moment. I think the United States, through the Department of Justice, showed a leadership role and really put us in place now where I haven’t seen any cases where internationally we can’t prosecute because the laws are not on the books. I haven’t seen any in the last – it’s got to be at least eight years.
MR. PAINTER: I think there’s still the problem that there are some countries that still do need to update their laws. Part of it’s also capability – having law enforcement capability. These are not easy cases to trace. So I’ll go back to something Shawn said in the very beginning.
Anyone who has worked on these cases realizes it’s not all about following the cyber trail. You do have to have traditional investigative capacity, and traditional evidence, following the money trail, when there’s a money trail. You have to combine all of those things, using undercover operations.
There are a lot of countries where it is illegal to do undercover operations, which is something that in this field is really tough. You can react all day long, but if you can’t get inside these organizations and bust them out from the inside, I think it’s a real problem.
MR. HEALEY: So it sounds like, overall, on the computer crime side and the law enforcement in the U.S., we’ve made great progress. Are we winning?
MR. HENRY: We’re not winning.
MR. PAINTER: But I don’t think we’re losing. So this is why I always hate this.
MR. HENRY: The State Department. (Laughter.)
MR. PAINTER: I hated this when I was at Justice. I hate this question of: are we winning? Well, what are the metrics for winning? How do you measure winning or not winning?
Clearly there’s much more awareness about this. There’s much more law enforcement resources in this. There are a lot of things like InfraGard. The private sector is working on this. There’s a lot more international awareness of this. But at the same time, the threat has gotten much bigger in terms of criminal groups, nation states, potentially terrorists. We really haven’t seen that yet.
But all of these different groups are out there. So we clearly, I think, are still, I think, being more reactive than we should be, and I think we need to have a lot more capability around the world to fight it. But I never want to engage in this, are we winning or losing sort of thing. Yes and no.
MR. HENRY: So when I say we’re not winning, we’re not getting ahead. We’re falling behind. We’re having impact and we’re having success. And through the efforts of the FBI and the Department of Justice and the intelligence community and the private sector, we’ve had impact. We’ve made arrests. We’ve identified groups. We’ve done attribution.
We’ve had a lot of successes but we’re falling farther behind because there’s more and more data that’s getting pushed, there’s more and more people that are coming online, there’s more subjects that are getting into this and recognizing that there are opportunities to exploit and there’s opportunities to line their pockets. There are more countries that are moving in terms of electronic espionage.
So we’re having success – successes – but we’re falling behind. So we are not winning.
MR. CHABINSKY: I would agree with that characterization. So, tactically, we have a lot of wins. When I see where we were in – I came to this in August of ’98 – we’re having so much more success between government agencies. I see the private sector working better than ever together. I see the government and the private sector working better than ever together. I see more arrests.
So tactically, I think you could show a really good chart to show how well we’ve improved. Strategically, though, I don’t think we’re winning against the entirety of the problem for the reason that Shawn says. We’re doing better but the threat is outpacing our capabilities.
And I think that when you look at it from that perspective – I try to think about our strategy. What does success look like? Have we defined what success looks like in this space? And I think that the reason we’re getting further behind is we tended, early on, to view this as an Internet problem, a real net-centric view, and over time I think we’ve all come to realize that this is a technology threat.
Every aspect of our lives now is technology enabled, is chip enabled. So you start seeing the vulnerabilities to automobiles where researchers are saying, hey, there are chips that are controlling your acceleration, there are chips that are controlling your brakes. Can we get in through Bluetooth? Yes.
Then you start seeing biomedical devices: Hey, there’s software that’s in the insulin injection pump that’s going to be surgically implanted within your body. That’s going to allow for remote diagnostic capabilities so that surgery doesn’t have to be repeated. Can we actually start injecting insulin remotely? And researchers find, yes.
And then you see the increased critical infrastructure reliance on all of these chip-enabled devices – wireless, right? You start seeing now concerns about purposeful interference and jamming. And so we’ve become, at the same time as the threat is growing, more reliant on these inherently vulnerable products and services.
So the combination of those two makes us, strategically, fall further behind. And I think that we’re getting to this point where we really have to reflect upon what risk mitigation looks like in this area, whether our policies that focus predominantly on vulnerability mitigation, are actually a successful long-term security model.
If you think of most security models, I think predominantly you’d find that they rely on threat deterrence, that the notion that the actor won’t act because there will be some penalty-based deterrent at the end of it – they’ll be captured, they’ll have some penalty. Here we have a model where people are predominantly focused on hardening the target, patching their systems. That’s not how we live in the real world. That’s called a fortress, right? I mean, the technology is not meant to be bunkered down.
And so it’s not surprising then, as we move further and further into this model of accepting devices that are not fortified and bunkered down, without a risk model that predominantly relies upon threat deterrence, we would fall further behind. So I think that that risk modeling is something that we still need to focus on.
MR. PAINTER: So, I would agree with that characterization. I think that you have to marry the two. You do have to have a hardening of the targets along with creating a deterrent effect. You have to have both of them. It’s the old adage of walking outside – you need to lock your doors, which we haven’t done a good job of doing, frankly, in the physical world and the cyber world. And then you have to have consequences for the people that break in.
And although I think it’s better, there’s a lot more to do to try to harden the targets and to lock the doors, but you can’t focus exclusively on that. You have to do threat reduction and threat deterrence. I guess the question is this – if you’re a cyber criminal right now – let’s take the criminal element – it used to be this was really costless, completely. You could route your attacks through various different countries. You wouldn’t really think there’s any chance of you getting caught. I think that’s changed a little but not nearly enough.
So I still think that most cyber criminals don’t really [understand the risk], even with the high profile cases that are out there that are great deterrent-effect cases. Doing them, getting them out there, and making sure people know about them, helps create the costs. That’s why undercover cases are so important, taking down these criminal organizations so they don’t trust each other is key, but if there’s still not the sense of risk on the actors and they think, you know, the positive side is this – I’m going to get a benefit out of there; the negative is it’s almost negligible that I’ll be caught – you’re not going to have an impact.
MR. HEALEY: Now, when I look at DOD, I still see them caught up with many of the same questions that they had in the late ’90s, they’re still caught up with organizations and authorities and definitions. And when I look at cybercrime, I don’t necessarily see that. I mean, you still might have some of the issues, but it seems like you’ve made some linear progress against that.
But to look back, what do you think, are the most important lessons, and do you think those lessons are being inculcated in the new agents, the new attorneys, the new people that are coming on board in the law enforcement community? And this will be the last question and then we’ll go to the audience.
MR. PAINTER: Yeah. I think understanding really the scope and enormity of this problem and how it actually will affect your life, and I think partly that there’s this age-old problem, and the three of us have dealt with this for their entire careers, of actually getting victims to come forward and say – when they’ve been victimized, to actually say that they’ve had an intrusion to their systems.
In the early days – and it has persisted – there is a sense that there’s not much that law enforcement or the government can do for them. That instead they’ll be further victimized; everything will be carted off, and that their public reputation would suffer.
And part of the problem is if we actually don’t know about what’s going on, it’s very hard to address them in a systematic way. And that’s changed marginally. I think it’s gotten better, but it’s changed marginally.
So I do think we need to move this from this kind of sexy area where people think cyber intrusions are this special kind of thing, and that if it happens a company is terrible and they’ll abandon them, to something that is akin to what bank robberies were in Los Angeles. There were a lot of bank robberies in Los Angeles. It didn’t stop people from using banks.
So how do you create the kinds of incentives for this to be more routinized and for people to take individual precautions, but also to work more closely with the authorities in addressing these problems? And I think that that’s been a big issue. It continues to be an issue. I don’t think that’s changed dramatically over the last 20 years. It’s gotten better but it’s still not there.
MR. CHABINSKY: I’ve seen a lot of dramatic progress in how law enforcement agencies approach this issue. First, I’ve seen a lot of progress in not further victimizing victims.
MR. PAINTER: Yeah, that’s absolutely true.
MR. CHABINSKY: So in the very early days, prior to my being there – I mean, cybercrime didn’t start in the 2000s, and really didn’t start in the late ’90s. There were big cases before that, Citibank being one of the – the prevalent one with Vladimir Levin’s, I think, $10-million heist.
MR. PAINTER: Yeah; this is not new stuff, but I think certainly even in the late ’90s we had sporadic instances within the bureau where we’d hear stories of the FBI going in, and in order to preserve the data they would, you know, basically seize the machines of the victims, take them offline for a long time. And we took care of that right away.
That didn’t end up repeating itself. The stories repeated themselves, but fortunately we were able to make sure that we were protecting the victims, we recognized them as being ongoing concerns. We were trying to get the information that we needed while at the same time being able to allow the business to proceed.
And I think after that, we also stopped naming the victims. At the beginning there was a lot of back-patting – hey, we had this big case and this big case. And the only way you identified the cases back then was by, remember that case against CNN?
And we would kind of push the names of the victims. And we stopped doing that. So, very early on I think we saw a good shift towards being able to work with the private sector as the victims and making sure that they weren’t revictimized.
Another shift that we saw from this kind of early ’90s approach – and this was really a “Cuckoo’s Egg” issue – when you read Clifford Stoll’s book on the difference between the FBI and AFOSI, which was a phone call – you get the phone call and someone says, they broke into your computer. And you say, what was the damage? And they say, 75 cents. And you don’t laugh on the phone because that would be rude, but you laugh after you hang up.
And that case of course resolves itself in a way that was not very positive towards the FBI’s involvement because it took a lot to capture the FBI’s imagination almost up to and including saying, hey, it turns out to be an Eastern European intelligence service.
And so we now – and then, again we took care of these issues very early on, in the late ’90s, of saying that the impact, recognizing that you’ve got critical infrastructure that could be affected, where the damage is not obvious but the threat against them – not just because it could be a counterintelligence concern but because you don’t want to give constantly free bites at the apple, right, so the next attack might be the one that brings down the whole system. We don’t want to wait.
In that sense, it started becoming a preventative organization earlier on, so that you don’t have to wait for the big dollars to successfully investigate and pit resources against a problem.
I think the third area on victims that law enforcement has gotten incredibly more adept at is being able to take information during the course of investigations, and using it for net defenders. And that really, at the beginning, I think was something that we had to teach ourselves, that while we’re investigating, we’re in receipt of a lot of information that could help both the initial victim and other victims, right?
We’re seeing now where that could affect a lot of targets, and we would literally, back in the National Infrastructure Protection Center days, get on a stage with these software owners – a lot of cases, whether it’s Microsoft or another platform, there’s a patch available.
The FBI is seeing the threat, going against that. We’d have the Critical Infrastructure Assurance Office in those days, FedCIRC in those days, groups that no longer exist, but a true collaboration between government and private sector to address common areas of concern, of victim vulnerability, while proceeding with an investigation.
That was unheard of. It used to be that the mantra – I still hear some of it today, but it really couldn’t be further from the truth – that all the FBI wants to do is keep the problem happening so that it could monitor it and eventually catch someone. And it has no concern for the victim in this.
And that is – it wasn’t – it wasn’t true in the late ’90s when we started advancing this collaborative approach, and it’s certainly not true today. And I think we’ve done a lot better job on lessons learned of teaching every agent, all law enforcement officers, of their value to the net defender while we’re actually proceeding against the adversaries.
MR. HEALEY: Shawn –
MR. HENRY: What he said. (Laughter.)
MR. HEALEY: Yeah, excellent.
I remember the – I had been out of cyber and out of the country for a bit, and I came back and I heard you, Steven, and Kim Peretti up in New York talking to the finance sector. And when I had first started, the special agents would always start: I don’t understand these computer machines. I have to ask my granddaughter to help me. (Laughter.) And every FBI dude would get up and he’d start the pitch that way.
You and Kim Peretti, from the Department of Justice, got up and you were talking about ACH networks, and I was like, oh, they get it. They really understand not just cyber language, but financial cyber language.
MR. CHABINSKY: I guess that’s another thing. We then started really hiring towards this talent pool. And so if you go back to the ’90s, we had – our hiring tended to be very much focused on attorneys and CPAs for the agent role, and then adding to that or changing away from that over time, starting to bring in some really brilliant people who worked for major companies, who are very patriotic, who have given up two-thirds or three-quarters of their salaries and are coming on with incredibly advanced degrees in this area.
And we’ve then created a career path that didn’t exist certainly back when I started the program that’s specific towards cyber, and an entire group of specialized training, over 30 unique courses that get evaluated constantly because of changing technology that we’re pushing out to the workforce. So those are the types of things that just didn’t exist a couple of decades ago.
MR. PAINTER: And that’s a huge thing to have a career path that rewards people staying in this field rather than doing it for a couple of years and moving to something else.
And just on the dealing with victims, even in the Mitnick case we had a list of the victims in the plea agreement, and many of them were just designated with A, B, C, CC. There were lots of victims, which we didn’t identify. And that was one example of working with the victims.
And another was Michael Bloomberg before he was the mayor of New York. His system was intruded into. They took data. They tried to extort him. The hacker tried to extort him. He went to the FBI, worked very closely with the FBI right from the beginning, because his attitude was “screw them”. If they’re going to come in after me, I’m going to send a message that you don’t come after me.
And that’s the kind of message that Steven is saying you want to send. Otherwise they’ll just bring their friends and keep coming back if there are no consequences. So Bloomberg offered to hire the hacker. The hacker said, I’m too smart; I’m not going to come to New York for this meet; I’ll come to London – where he was quickly hooked up and then moved back to New York.
MR. HENRY: When he met with Michael Bloomberg, Bloomberg had a suitcase of cash, $250,000, if I recall, and he had his two consultants with him, one of whom was a Metropolitan police officer –
MR. PAINTER: Right.
MR. HENRY: – from London, the other who was an FBI agent. And they proceeded to lock up these two Kazakhstanis.
MR. HEALEY: Although, for Michael Bloomberg, a suitcase with $250,000 is called a wallet. (Laughter.)
OK – now I haven’t given enough recognition to our audience, because really – and I haven’t called out names and recognized some of the great people we have in our audience, but we really have a very distinguished audience. I’m really glad that everyone was able to join.
But we’ve got about 40 minutes. We want to end at 3:30, if not a couple of minutes before. But, please, let’s open up for questions. And we’ve got some microphones coming around. We’ll start one and then two. So Sean, and then Steve.
Q: At the beginning –
MR. HEALEY: And can you say who you are, and can you say your affiliation?
Q: I’m Sean Shank, with Delta Risk.
At the beginning it was mentioned that obviously you need to find ways to cooperate with the private sector, and there are issues of nationalizing some resources involved with critical infrastructure when it comes to pursuing cybercrime.
Have there been problems with existing authorities in addressing that problem? Where does this idea of nationalizing really become a problem in fighting cybercrime? Is it just something that is an issue after a crime has been committed, or is this also more of an ex-ante problem when you’re trying to see what potential sources of cybercrime there are?
MR. HEALEY: That’s lawyer talk.
MR. CHABINSKY: From an investigative point of view –
MR. PAINTER: He’s not reacting to your question, as far as I know.
MR. CHABINSKY: I mean, certainly some of the things that – without any legal framework in place or regulation like that – that we see a lot of disparity in that is to the detriment of our investigations has to do with the maintenance and retention of log information.
So what constantly surprises me when we’re going into some fairly sophisticated companies – not necessarily sophisticated on the technology side but very understanding of what the threats are, business models that understand risk – that we go in and they’ve been completely compromised. And when we ask where their logs are, they’ve absolutely retained – they’ve never turned them on, no less haven’t retained them.
And I think areas like that, from an investigative point of view, right, you start with this idea that when we’re in an investigation, it’s bound to go international regardless and we’re going to have a lot of different jumping around and hops, and it’s going to take a lot of time. And it might be that by the time we get to someone, they won’t have retained it.
But what’s really surprising is how many haven’t actually captured standard logs in the first place. And I haven’t seen any appetite in this country for moving in a direction towards doing that, but that would be of great benefit to the extent that the private sector would do that on its own volition.
MR. PAINTER: Yeah, and I think – and practices really do differ across the spectrum and there’s still not any kind of common accepted practice or common standard of care, I think, in this area, which is something that I think as a lawyer I expected to develop like 15 years ago and it just hasn’t happened. But I think that will happen over time.
Part of it is practices like their retention practices. Part of it is, do they have an incident response plan at all for the big companies? Much more now than they did because this is something that people have been preaching for a while now, and you don’t want to write your incident response plan while you’re in the middle of an incident, which happens far too often.
Another issue is: how do you create both the incentives and also make sure that you’re hearing about some of these things? One of the issues is that 47 states have data breach reporting laws. They’re still looking at a national law on this.
The interesting thing about those is most of those laws have a provision that you can delay notification if you report to law enforcement, which actually allows law enforcement maybe then to stop some – mitigate some of the damage that’s happening. I think that is a way to get more visibility. It’s also a way to get institutions and companies to think about how they can protect their data better, and also how they can follow up. So I think that’s important.
MR. HEALEY: Steve Bucci; IBM.
Q: I’m Steve Bucci, with the Heritage Foundation.
MR. HEALEY: Oh, sorry about that.
Q: I’m moved. (Laughter.) I used to be with IBM – and DOD before that.
Can you guys comment on organized crime, espionage of business-on-business, espionage of intel services on business, intel services on the government? All of that stuff is kind of mixed up in one big pile. How do we really effectively address those within our system, which is much more used to pretty big stovepipes but stovepipes nonetheless, and authorities-wise and that sort of thing?
MR. HENRY: I think that it starts with identifying who the specific actor is, right? So, one of the things that is probably the most significant challenge that we face in this space is attribution. How do you do that? And I think that there’s a lot that you can do.
And when we talked earlier about we’ve had successes, we’ve had a lot of successes, it’s been in this space where, through a variety of protocols that we’ve utilized on the law enforcement and the intelligence community side, we’ve been able to do attribution by looking at the infrastructure that the adversary is using and identifying the TTPs that they’re employing, and starting to shape who actually is pushing the requirements. Is this a national of a foreign country who’s doing this action on behalf of that foreign country or on behalf of an organized crime group which happens to reside in that foreign country?
I think when you can start to do that and get a better sight picture on your adversary, it allows us, both public sector and private sector, to start to take the types of actions that make the cost much more expensive for the adversary and takes this from purely technical to the human side of this.
So, it’s hunting who the adversary is, identifying them, hunting them, and taking the threat mitigation protocols that takes them off the field or allows you to use diplomatic means, economic means to thwart them or deter them from taking these types of actions.
So you’re right; Steve and I worked on a big case a couple of years ago where we had 200 cases that were occurring around the United States. So within 56 field offices there were 200 separate investigations. And it turned out when you started to look at all the intelligence, when we started to collate it all, that it was one group of people, it wasn’t 200 separate groups. So you think about the resources that are being employed in 200 separate cases administratively, operationally, and there’s not a lot of cross-correlation of data.
If you have an infrastructure set up both internal to the organization and within the government, you can start to look at this type of information and really get a better understanding of who that adversary is.
MR. CHABINSKY: There are a number of things that come to mind when you asked that question, because I’ve heard some people say, from the net-defense perspective, well, it doesn’t really matter. From a net-defensive perspective we’re agnostic. We want to stop everybody.
And I don’t know that I really agree with that. In fact, I guess by saying that, I don’t agree with that, because it really does matter to your company who’s coming after you. And the reason it matters is because there are crimes of opportunity and then there are very targeted activities that are occurring against some companies.
And the crimes of opportunity, I think a lot of companies can really have a return on investment for putting in certain security. They can get certain opportunistic criminals especially out of their system. They can do damage control. They can figure out if it’s financially motivated, especially how they would protect their intellectual property or whatnot.
But what we’re seeing is there are two other types of activity that are going out there. One, crime that’s not financially motivated – this hacker problem where someone actually is going in just to make you look bad and to damage your business and the consumer confidence. That does matter to a company. The cost-benefit analysis of that is not survivable over the long term if you have someone who’s specifically gunning to make you look bad and you are really being targeted.
And the other is the nation state and persistent threats where the targeting by email is much more sophisticated than it used to be. And our vulnerabilities are greater because of the social networking that we have.
So we are seeing foreign nation states taking advantage of social networking sites where everything that we do, right – I could get an email later today from one of the gentlemen on this podium, right, because it will say, hey, it was great seeing you today; one of the things we talked about, just take it off the Web – here is an article that you would be interested in reading, right, and spoof the name.
So it’s becoming – our vulnerability to those types of persistent threats are showing up, even in very sophisticated security companies that end up being victimized. A company’s reaction to those different threat actors I think does change. So I think it is important to know.
Working with the law enforcement community and the intelligence community, one of the good things that’s occurred – when we think about lessons we’ve learned in the past, perhaps sometimes we’ve lost our way and had to relearn our lessons.
I think that this is one of those times where the law enforcement and intelligence community, we had our way – we had found our way in 1998 with the National Infrastructure Protection Center, with the model where all of the agencies were working together and had relationships with the critical infrastructure, the owners and operators by sector, and then the private sector at large.
Something very ironic occurred with the Homeland Security Act, of all things, after 9/11. One of the issues facing the government as a challenge was whether or not the agencies that are stovepiped, whether or not they’re sharing data, connecting the dots. The National Infrastructure Protection Center was really one of the few, I would say, crown jewels, where everybody is working together.
We had senior-level management at the time, not only from FBI and DOJ, but CIA and NSA – Secret Service was there, Transportation – everyone was there. The irony was the Homeland Security Act actually ends up getting rid of the National Infrastructure Protection Center, and the resources were placed in a new department, creating one more vehicle, another agency instead of the collapsed, coordinated agencies. Then we lost our collaboration and ended up with another agency.
So since that time we’ve rebuilt that capability. Both DHS have rebuilt it through US-CERT and now through the NCIC multiagency collaborative vehicle, and the FBI through the National Cyber Investigative Joint Task Force, which brings together about 20 agencies that now are looking at our shared situational awareness, our common data pool, so that when someone reports something to one of our agencies, we get to determine what our collective knowledge is to help the victims better know who are they, going up against what are the mitigating procedures that will work on the vulnerability side, and how can we better go after them?
So I think it’s valuable, because I don’t want to be here 10 years from now after those structures were taken away and then we have to rebuild them once again.
MR. HEALEY: I’m sure that won’t happen.
MR. PAINTER: I do think that when they moved that – what Steve failed to mention is they moved part of what the NIPC did to Homeland Security, and they kept the investigative part, the FBI. So they split what was finally brought together. And it’s important to have those things joined together.
And it’s also important to have the intel community and the law enforcement community working closely together, because certainly there have been instances in the past where someone says, well, this is a law enforcement matter. This is an intel matter. But now, people are talking much more than they did.
MR. HEALEY: I’ve recognized three previous hands with Joe, Dmitri, Frank, and then fourth the young lady there. And so we’ll go through in that order.
Q: Joe Nye; Harvard.
Steve, I wanted to pick up your point about information and not penalizing victims, which obviously makes good sense, but to the extent that security is partly a private good for companies but also a public good, companies don’t fully internalize the costs. And one of the ways in which you can try to internalize externalities is through insurance markets. But you can’t develop insurance markets where there is no information.
So if you don’t have a database, you can’t develop actuarial tables. So this partially private solution to this problem is blocked by the absence of information. How could you square this circle? Is there a way in which you could keep, inside the FBI, a database and make it available to just insurance companies?
In other words, you don’t name victims, you don’t embarrass the victims, but you take a much firmer view on passing on the information in the form of databases and actuarial tables. How do you square this circle? Until you provide information you can’t develop the database. Without that you can’t have an insurance market.
MR. CHABINSKY: Well, I think part of the answer to that is taking advantage of data that already exists for data breach reporting. Right now there is no central aggregation of state-required data breach reporting. That could be done.
Right now there’s no federal agency that’s resourced to do that, but one could imagine that not only would that reporting be able to be centralized and data coming from that, but that we could overlay that with a standard protocol of how information is obtained, how it’s formatted, similar to there’s a company that created a data structure for looking at intrusions, puts out a report every year in concert with some law enforcement agencies.
And so you’ve got models out there where people could come up with a standard format so that we’re comparing apples to apples. I think that that would be a very good idea. It’s not currently being done – that’s a gap that would help. The insurance market certainly has not kicked in here, and people are not able to transfer their liability, as a result.
One of the things that we’re seeing that I think is cause for concern is in cloud computing environments where we see a lot of customers, be they government agencies or private sector agencies, moving towards public cloud solutions in which the provider flat-out says in their terms of service that they have no liability if there are hackers, if your data is stolen, altered, not available to you.
And so we’re in this odd situation now where companies are ceding – they retain responsibility for their customer or business data, but they’re giving over that capability to a cloud provider and they’re losing the visibility, right, so without transferring any of the liability.
So I think that we do need a healthier market to be able to transfer that liability. And in the absence of that, people really better start thinking about what models they’re adopting. And I think that that’s quite possible, and I think that data sets exist right now because of state data breach reporting.
MR. PAINTER: And also CERT reporting. I mean, I think –
MR. CHABINSKY: Yeah.
MR. PAINTER: – there is a CERT reporting, which could help also, I think, figure out what the real actuarials are. But that is a big problem. And there’s also – there’s the absence of really any kind of firm understanding what liability would be in this area, and that drives insurance. So there’s a lot of missing pieces.
MR. HEALEY: Dmitri?
Q: Dmitri Alperovitch; CrowdStrike. Also a question primarily for Steve, as a representative of the FBI and an attorney.
So in October of last year, the SEC put out a staff guidance, not a commission guidance and certainly not a regulation, but basically saying that the securities laws from the ’30s do apply to cyber, and particularly for public companies they’re obligated to report material information to shareholders and certainly have to do so in cyberspace.
The question is: To what extent does FBI have responsibility – or maybe it doesn’t – to report such information to SEC when it comes across information about a breach in the course of investigation that is material to shareholders in a public company?
MR. CHABINSKY: Well, what we’re seeing is this – obviously on the side of the companies, we think that they are respecting a lot of that. We haven’t been checking to see whether they’ve been reporting, or whether the reports that we’re getting are finding their way into the quarterlies. That’s not something that we’ve proactively done.
One of the areas, though, that concerns me about the trend that I see is there’s so much reporting now that is becoming normalized. I think the incentive – there was a notion that if companies would have to declare that they had this material loss or certainly this intrusion that could affect their bottom line, that it would change their behavior.
But I think almost quite the opposite is starting to happen, where customers and the investing public have almost become immune, saying, well, they at least recognize their problem, so they’ve probably done something about it and they might actually be in a better position, right – this kind of Tylenol notion that you’ve already been infected, you’ve kind of owned it, and now you’re the best – you’re the leader in security.
I think that, speaking to some people who get these notices in the mail saying, we’ve suffered a data breach; your personally identifiable information is available to who knows whom, and we’ll pay for credit monitoring, what’s happening is there’s really diminishing cost to the companies to send out those letters because the recipient already got the credit monitoring three letters ago from someone else. (Laughter.)
So I’m concerned that what had looked like shedding light on this situation and having this visibility, would have actually done more for security, that it might not be having that impact. But that really gets to a larger issue, which is something that Chris mentioned earlier, what is the – what is negligence in this space? We haven’t seen that really discussed, what the best practices are.
And in a space that’s inherently vulnerable, where everybody is saying, big problem, no one can really defend against it, how does that play into what the norm is for protecting yourself when it’s almost – the ground has almost been seeded that that’s going to happen? So, I think some companies use that to their advantage, because then it’s obviously not negligence.
MR. PAINTER: I think that’s coupled with almost no good statistically sound estimations of how much damage all this is causing. You hear numbers thrown around constantly, sometimes in the trillions, sometimes in the billions. Without really getting a handle on that, I think this is not just an actuarial problem; I think it also is a policy problem.
Without being able to understand the enormity of the problem, it’s hard to make policy but it’s also hard for companies to understand how important this is because when something gets taken from them, it’s not really taken. They haven’t lost it. It’s still there. And it may be years before they realize what the real damage is, but unless you get a good sense of that, like they did with physical assets, it’s going to be very hard.
MR. HENRY: That comes full circle to earlier. When there’s a physical impact and people actually see it and they can count it, that’s when people will start taking this seriously.
MR. HEALEY: I was watching a detective show the other night that was set in the 1930s, and everybody was all worried because one sheet of plans for a new fighter plane got stolen. And I was like, oh, you guys haven’t seen anything yet. (Laughter.) But at least they cared.
Q: I’m Frank Kramer.
So let me ask the three of you: How do you go from tactical success to strategic success? I mean, what would you have people do? I mean, one of the things that I hear often when I’m talking to private sector people is, well, what do you actually want us to do that would cause a success, point one.
And point two – at least two of you have heard me say this – if it really is a highly significant type of intrusion, nation state-type intrusion, why would you expect me to be able to handle that? What can the government do for me? So, what should the government do? In other words, how do we move off of a series of tactical successes into some kind of strategic success?
MR. HENRY: Well, we can have a comprehensive initiative to help protect the country, which we did back in 2008, which I think there was a fairly large degree of success there in the development of a plan that cut across all branches of government and talked originally, initially about how do you protect the dot-gov space?
As you’ve, I think, just highlighted – there’s nobody responsible for protecting dot-com. There’s no agency with the authority to protect the dot-com space. And it’s not happening, for a variety of reasons, from a policy perspective, from a legislative perspective. And I understand the concerns that people have about the government playing in the information infrastructure because there’s concern about privacy and the like.
I think that there are a lot of people that are working really, really hard. And I’m very proud of my service in the FBI and in the government, and working with people that I have the utmost respect for and confidence in. But it just seems that there are so many moving parts. It’s an incredibly complex issue.
And what it requires is this comprehensive analysis across all branches of government, across all departments and agencies within the government to sit down and not only have the plan but actually execute on the plan. And I think that there are some smart people who have started down that path. I think that the framework has been developed, and I think it’s a matter of just executing.
MR. PAINTER: A couple of things.
On the CNCI, as we call it – I mean, I think that has been built on – it really was focused more on the dot-gov. It didn’t really talk about as much the dot-com – dot-com is not really the right phrase – the dot-com, or really what we’re doing internationally. And I think – but it was a good base to build on.
I’ve heard the term public-private partnership so many times and used so many different ways, it is virtually devoid of meaning at this point. It’s not really clear what people mean by that. So you have to define what it really means and how you’re going to have some real strategic success by this.
This has been typified, for instance, in the administration’s legislative proposal – it’s sharing actionable information. You talked about if there’s a nation state involved, the private sector, I think rightly, says, look, what are we supposed to do? Being able to share actionable information back and forth that they can actually do something with – working with the government I think is a key part of that.
And the other is, when you’re talking about some of the core critical infrastructure, and defining that narrowly, which is also in the administration bill, I think you have to look at what can you set as workable standards for the core critical infrastructure. That’s an important part.
And then the third part is using all the tools in our tool kit. So, it’s both doing better defense and it’s having the threat reduction, the law enforcement and other operational issues, but it’s also using all the right diplomatic tools to talk to other governments about why this is a problem to build a consensus around what the rules of the road – this is a much longer-term game in cyberspace.
So, I mean, there’s a lot of different moving parts, as Shawn said, but you have to execute all of them at the same time and you have to be very coordinated among government and among government and the private sector, and among our government and other governments in doing it.
MR. CHABINSKY: I think, from our perspective, when I think of the difference between tactics and strategy is strategy to me is really what is the end game? What does success look like, right?
And what’s remarkable in a lot of areas is we’ve really never spent a lot of time thinking about what that end state is. And, therefore, when you’re driving towards it – it’s like your GPS, right? I’ve got a great GPS. If I don’t put in an address it doesn’t do me a heck of a lot of good.
So I think we really have to figure out what success looks like. And success in this area is not – cannot be discussed as this holistic view of success. It’s not, what is cybersecurity? It’s not, how do we control technology or make it survivable, or anything like that. It’s going to be very specific to specific uses and users. We tend not to get granular enough in order to have successful outcomes in those particular areas.
So getting back to the core critical infrastructure right, success for the core critical infrastructure presumably is a lot different than success for your email or your Twitter or CNN.com, right? Everyone has a different model. And those – that risk calculus, what any particular business or infrastructure’s needs are has to be defined for whether it’s for the sake of society, in the case of some of the infrastructures, or as a cost-benefit analysis for the sake of business.
And I think once we figure out what success looks like for each of those – and you could define them, so that it’s not this enormously large discussion – then you get to say, OK, can our current tactics, right – what do we have on the table that we can do, and what are our gaps, right?
So if you need certain systems that require a different risk model that you’re never going to be able to reduce all of the vulnerabilities and you’re going to need to rely on threat deterrence, similar to a nuclear strategy – we are not in a situation right now where we can defend against all ICBMs that would enter our nation.
We don’t have that – we neither can handle that on the risk model as a matter of vulnerability mitigation or consequence management. But we do know where the trajectory is, so we could track where missiles come from, and that’s done a pretty good job with deterrence.
So re-establishing the risk model for particular uses and users is essential. And what I think we will find when we go down that path is that there will be particular uses and users that require a risk model – getting back to this notion of re-establishing threat deterrence as prominent – that will require us to put more emphasis on assurance and attribution for certain systems.
So the owners and operators of an electric power grid in which all of the workers are cleared wants to have perfect attribution of who’s on the system at any given time. It’s a closed network. And they would like to be able to tell whether their software or hardware has been altered. Right now, no systems, or very few systems, are designed to provide assurance and attribution.
So that’s I think a long way of saying success will be different for different uses and users, that the risk model is going to have to be established based on cost-benefit analysis for each. And at the end of the day, I have more faith in the technologists and the economists for being able to figure out how this will play out and be adopted, because there’s a great need out there.
There are markets that are begging to be filled right now for these types of capabilities. We could really sell products globally if we’re the ones here in this country that produces that need that is not being fulfilled. So I think it can be market driven, and I really don’t think – all deference to the lawyers, two of whom are on this panel – that we’re going to legislate our way out of this one.
MR. HENRY: No, it will come down to individual companies protecting themselves at this point by changing the paradigm, not looking solely at defense, hunting within their perimeter, looking for the adversaries themselves, because the adversaries are on those networks. They’re not going to stop them from getting in. They’re on the networks. They need to look for them on the networks. Individual organizations at this point in time, where we are in our history, are going to have to do this work themselves right now.
MR. HEALEY: I think we’re going to “CrowdStrike” our way out of this problem.
MR. HENRY: Tweet that.
MR. HEALEY: OK, so I had this hand, and then I had this gentleman in the front. And that’s probably going to be it. I’m sorry. I know there’s a lot more hands, but –
Q: This is building off of a lot of –
MR. HEALEY: And you are? Can you –
Q: Oh, I’m sorry. I’m so into it. I am Sierra Forbes, and I am a legislative staffer for a senator. And our office is very much looking at this issue and discussing this issue.
And so, building off of some of the other comments and what we’re just talking about now, I wanted the panel to speak a bit about to what extent do you think that – even though this has been an issue for a very long time now, since we talk about the late ’90s – to what extent is it too soon to legislate anything?
We have vastly different legislation coming out of the House in the form of CISPA, and we have – from legislation coming out of the Senate in terms of the cyber security bill, that are doing very different things. One is working with private information sharing between private companies and facilitating better information sharing routes and access, and the other one is focusing on building more institutions and working with DHS to establish better cybersecurity.
So this hits on a lot of the things that you have been talking about in terms of to what extent can we really legislate about this – because to what extent are we not fully understanding it?
MR. HEALEY: OK. We’re running out of time so –
Q: OK; sorry.
MR. HEALEY: Let’s look at the legislation. Thank you very much.
MR. PAINTER: After a lot of work, the administration sent a package up to the Hill last May, I guess, and that really did reflect the sort of entire administration.
The all-of-agency view was that every agency was involved in this process about what we thought was needed in this area, and not trying to legislate every detail, and understanding that the technology is still evolving, but very much addressing a lot of the issues we talked about, including strengthening some of the law enforcement authorities, strengthening the – you know, this has been largely captured in the Lieberman-Collins bill – strengthening the ability to share information between the private sector and government, having the standards for core critical infrastructure.
I mean, I think that was a pretty comprehensive approach, and that really is what, from the administration’s perspective, we think would help, and I think it would help pretty substantially.
MR. HEALEY: Yeah; yeah?
Q: But in terms of that, you know, that building another layer, when we talk about this option at DHS and how that one thing to some extent underlines these previous information sharing networks between the agencies. To what extent would there be unintended consequences from the Lieberman-Collins bill, and how would that perhaps be inappropriate when we haven’t finished defining it as policy –
MR. PAINTER: You know, there’s lots of people who follow this far closer than I do in my current role. But I’d just say that, you know, I think our view is that it doesn’t – it’s not meant to, and it doesn’t undermine existing good cooperations that have been built. If anything, it enhances it.
MR. HEALEY: It’s one of the things that I see fairly frequently – if I can jump in as moderator here – if I’m consulting or other places and people say, oh, we still don’t know enough yet.
And one of the things that I think is really coming through as we look at our history project is how much there are not these huge discontinuities between the problems of 15 years ago and the problems of today. Yes, the technology has changed and the adversaries are different or more advanced, but essentially the conflicts, I mean, are all relatively similar.
I mean, you could take a defender from today and they’d feel comfortable 15 years ago, and you could take a defender from 15 years ago – and they’ll have to catch up but they’re not going to be completely out of their depth today.
So, whenever I see the Department of Homeland Security or other says, oh, we just need to figure out the definition of what “attack” means –
MR. HEALEY: – or we just need to define “cyberspace” and then we’ll be set; it turns out it’s not really the case because generally it hasn’t significantly changed.
MR. HENRY: It’s like not buying a computer. You don’t want to invest money in a computer because you know in six months there’s going to be a better one out there and mine will be obsolete. So I’m not going to buy a computer. Well, if you followed that mentality, you’d never have a computer, right, because you’d always be waiting for the next iteration.
I think that you’re absolutely right. I mean, we can work on the 80 percent model. We’ve got 80 percent of this. We get it. We’ll figure the rest out as we go along. And you’re absolutely right. Fifteen years ago – there’s so many things that are so similar to what happened 15 years ago. The names have changed, some of the technology has changed, but the scenarios are the same.
MR. HEALEY: And we really are going to end at 3:30. So you get the last one, but please keep it brief. And, gentlemen on the stage, please keep it brief.
Q: Hi, my name is Hugh Grindstaff. I’m with THIS for Diplomats. And I was in AUTODIN, which was the predecessor – was the Automatic Digital Network. My first computer was an Apple.
But I’ve gone – since I retired three years ago, I’ve gone to many, many cybersecurity events. And the one thing I was going to say was that – almost what she said – was Congress and how Congress goes this way and Congress goes that way. And I just don’t see a unified think about it, and an urgent unified think. How do you convince Congress to quit being political about it and get something done?
MR. CHABINSKY: One of the things I would – well, you know, one of the things – there are a lot of different proposals, there are a lot of different views about the problem, and I think there’s merit to – when you see what people are proposing, it’s not like someone is out in left field, right? They all make a lot of good sense, and I hope that it gets resolved.
But I don’t want anyone to leave thinking that the current stalemate has left us without any progress in this area when, you know, getting back to the theme of why we’re here, what it was like in the old days.
So I remember in 1998 when we had a hacker in a system, and we would be called by the owner/operator of that computer network saying, they’re in my system right now – and we’d have to say, we need to go get a warrant. And they would say, what the heck are you talking about? It’s my computer.
And I would say, yeah, but they’re just traveling through your computer. They’re not stealing your data, right? You’re not the end victim. And they’re like, yeah, but they’re in – they’re not allowed to be in my computer. I’m calling you. And we’d say, we can’t, because that was in the days when there was no hacker trespasser exception, which ended up being built into the Patriot Act. We’ve come a long way, right?
Another example –
MR. PAINTER: Before he moves on, I just want to tell one little funny story on that, which is –
MR. CHABINSKY: I don’t know how anything could be funny about that. (Laughter.)
MR. PAINTER: Well, it was the –
MR. CHABINSKY: You come prepared, too.
MR. PAINTER: Bob Mueller, in the space of while we were looking – he’s told this story –
MR. CHABINSKY: We call him Director. (Laughter.) You can call him Bob.
MR. PAINTER: He then was the U.S. Attorney up in Northern California, and we were tracing back the “Mafiaboy” case and other cases too. He wanted to do exactly that, and work with the victim and do that.
And I had just moved to the mothership, the Department of Justice. And we looked it up and said, you know, you can’t – as Steve said, you need a warrant. This is before the Patriot Act changes that allowed victims to really do this. And that’s now been changed and that’s been a very good change.
And he said, you know, who – you know, who did this? Who came up with this DOJ policy that you can’t do this? And we said, well, it was this guy named Robert Mueller when he was the assistant attorney general for the Criminal Division. (Laughter.) But it was a real impediment, as Steve said, in –
MR. CHABINSKY: Let the record reflect I did not tell that story. (Laughter.)
MR. PAINTER: Well, he said it publicly.
MR. CHABINSKY: So, another example – so, we have different authorities on the criminal side and the national security side when we need to do full content monitoring, that type of surveillance, commonly on the criminal side is known as a Title III, and V is on the national security side.
For Title III for communications, be they voice communications or digital that are moving, we have to make probably a larger showing of cause in front of a court than we do for anything else, so in terms of constitutional and added statutory protections, our need to then go back and show what we found. It’s really a very high standard.
And we did that in a particular case. We went to the court and we got our Title III. We started getting all the information from the intrusion. And then we realized it was not a U.S. person. It was not a criminal. It was a foreign nation state.
So, we wanted immediately to get all that information over to the intelligence community that works outside of the United States. Do you know that under the old law, the law that I started with in 1998, the answer was, you cannot do that, because Title III specifically said that when you acquire information pursuant to that title, you can only share it for a law enforcement purpose.
So this is preposterous. It turns out that the subject of our surveillance wasn’t even – didn’t deserve any constitutional rights whatsoever. They weren’t even U.S. citizens. And yet we were hamstrung from sharing it. We could not get that information over.
That’s been changed. So I don’t want anyone to think that there hasn’t been an evolution in our statutes and our laws for the advantage of modernizing certain statutes to show what damages – that was another huge change.
So the law has progressively gotten better each time with the debate that’s appropriate, that we expect in our society. That’s healthy. It hasn’t been stagnant, and we are certainly better off in the law today than when I started in this area.
MR. HENRY: Let me add also that from the congressional perspective it’s not just legislation but it’s also funding for the agencies.
And they have been very benevolent in recognizing the threat and funding it in terms of money for both personnel and non-personnel capabilities, which from the FBI perspective at least – and I know from the broader community – has been incredibly helpful in developing new technologies and in bringing more resources to bear on the threat. So, it’s not just legislation but it’s also authorization of funding and appropriations.
MR. PAINTER: And finally – and I think this is probably a good question to sort of compare where we were before to where we are now – and it’s, finally, capabilities. I mean, you know, we used to try to get people at companies who understood this. It was very hard. You’d try to get people in U.S. Attorneys’ offices who understand that. And although there’s a cadre of prosecutors, this CHIP network as they call it, it really wasn’t very widespread.
But it’s far different today in that sense. You tried to get law enforcement officials in other countries to understand this, and especially when any smart hacker is going to route their communications through several different countries, and either they didn’t have the laws or they didn’t have the units and they didn’t have the capabilities in place, and that’s changed dramatically – still a lot to go but that’s really changed.
So there are a lot of lessons from the early days of this. However, I think there’s also been dramatic improvement, as both Steve and Shawn have said.
MR. HEALEY: Well, hopefully these improvements will make a tipping point and we’ll be able to really beat back the cybercrime, with the help of you gentlemen and maybe many of you out there.
Thank you very much for joining us for today’s event. And let’s please thank the panelists. (Applause.)