cyberthreats april 09 2013

Upload: marcello-lopez

Post on 03-Apr-2018


  • 7/28/2019 CyberThreats April 09 2013

    1/75

    CyberThreats & The Economy

    New Strategies to Secure Our Economy from Cyber Depredation

    BRIEFING

    April 9, 2013

    Rachel Ehrenfeld, Ph.D.

    Kenneth M. Jensen, Ph.D.

    Editors

    POST-EVENT REACTIONS FROM PARTICIPANTS

    "The conference was just a terrific, lively exchange, from which I learned a great deal and I am sure the other attendees can say the same. We're very grateful to the American Center for Democracy for helping us pull the event together, and I hope we can do more of the same in the future." Daniel Polsby, dean, George Mason University School of Law

    "It was good fun and a remarkable set of panelists." Stewart Baker, panelist, Steptoe & Johnson, former assistant secretary for policy, DHS

    "Very nice work by you in pulling together a first-rate event. What a line-up." Steve Chabinsky, panelist, senior vice president of legal affairs and chief risk officer, CrowdStrike, former deputy assistant director, FBI Cyber Division

    "It was really excellent and a surprisingly large number of people--I didn't anticipate was how entertaining and candid most of the speakers were!" Christina Ray, panelist, senior managing director for market intelligence, Omnis

    "The ACD/GMU conference on cyber threats was eye-opening. It highlighted threats that reach beyond the theft of government or industrial secrets, illustrating threats to our whole economy. And it showed that defense will require mobilizing not only private sector vigilance but the deployment of cyber know-how outside government to respond to these threats. When America is threatened, we won't find security in government alone." Jeremy Rabkin, panelist, Professor of Law, George Mason University

    Special thanks to the cosponsors and hosts of our April 9, 2013, event: The George Mason University School of Law and The George Mason University Center for Infrastructure & Homeland Security.

    Also, thanks are due to panel moderators Dr. Mark Troutman of the Center and Professor Nathan A. Scales of the School of Law.

    CONTENTS

    Executive Summary

    Introduction
    Rachel Ehrenfeld, Ph.D., Director of the American Center for Democracy and the Economic Warfare Institute

    Introduction of Rep. Mike Rogers
    Michael B. Mukasey, Debevoise & Plimpton, former Attorney General of the United States, Member, Board of Directors, American Center for Democracy

    Keynote Address
    Rep. Mike Rogers (R-Michigan), Chairman, House Special Selection Committee on Intelligence

    Cybersecurity: Engine for Growth or Economic Anchor?
    Mark Weatherford, Deputy Under Secretary for Cybersecurity, Department of Homeland Security

    Key Elements of Energy Security
    R. James Woolsey, Chairman, Woolsey Partners LLC, former Director of Central Intelligence, Member, Board of Directors, American Center for Democracy

    Cybersecurity and Economic, Financial and Market Warfare
    Christina Ray, Senior Managing Director for Market Intelligence at Omnis, Inc.

    Cyber--Where Time Marches On and Progress Doesn't
    Michael B. Mukasey, Debevoise & Plimpton, former Attorney General of the United States, Member, Board of Directors, American Center for Democracy

    How the Attribution Revolution is Changing Cyberthreats
    Stewart Baker, Steptoe & Johnson, former Assistant Secretary for Policy, Department of Homeland Security

    Passive Cyber Defense and the Laws of Diminishing and Negative Returns
    Steven Chabinsky, Senior Vice President of Legal Affairs and Chief Risk Officer, CrowdStrike, former Deputy Assistant Director, FBI Cyber Division

    Retaliation in Cyberspace: Lessons from the History of War at Sea
    Jeremy Rabkin, Professor of Law, George Mason University School of Law

    EXECUTIVE SUMMARY

    On April 9, 2013, the American Center for Democracy/Economic Warfare Institute held a briefing entitled "CyberThreats & The Economy: New Strategies to Secure Our Economy from Cyber Depredations." The event was cosponsored and hosted in Arlington, Virginia, by the School of Law and Center for Infrastructure & Homeland Security of George Mason University.

    This was the second in a series of briefings on economic threats to the United States. The first, "Economic Warfare Subversions: Anticipating the Threats," was held on Capitol Hill on July 9, 2012, under the sponsorship of Sen. Jon Kyl. Transcription of it is available on the ACD website.

    PRINCIPAL INSIGHTS

    Cyberattacks on government, public and private industries in the U.S. have caused enormous financial losses and untold damage to our national security. Untold, because often hacking victims in both private and government sectors either are unaware or are reluctant to report (or underreport), thus making it the perfect tool for economic warfare. Indeed, the Defense Science Board public report noted that China has compromised the United States' most advanced weapons systems. While the report understandably didn't list the weapons, it failed to mention the companies whose systems were hacked. The report warned that the U.S. military is unprepared to win a cyber-conflict. Wrong policies, lack of foresight, budgetary constraints and bureaucracy that shackle the Pentagon do not apply to the private sector that is able and eager to counter cyber attacks. Their hands are tied because the U.S. law forbids such actions.

    Rep. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, our keynote speaker, noted that the Internet accounts for one-sixth of the U.S. economy today and that 80 percent of U.S. cyber networks are in private-sector hands.

    Rogers believed (at that time) that there was a good chance that his proposed Cyber Intelligence and Protection Act (CIPSA) would be passed by Congress and signed by the president despite the failures of 2012. The event was on the eve of the House mark-up and passage of its version of the bill, which turned out to be dead-on-arrival in the Senate and was also objected to by the White House. Accordingly, the United States has yet to take the first step in cyberdefense: government and private sector information sharing on cyberattacks.

    Cybersecurity: On the question of who's responsible for protecting from and remedying the effects of cyberattacks on the economy, Mark Weatherford of DHS referred to our status as that of "Constant Remediation." When the private sector is attacked, it's each and everybody's responsibility to take the necessary measures to prevent further attacks. When the government is being attacked, it is supposed to take care of the problem. They seldom work together.

    More than one panelist, but most especially former Director of Central Intelligence R. James Woolsey, noted that state sponsors of cyberattacks are of two sorts: rational actors (such as China) and not-so-rational actors (such as North Korea and Iran). The presence of the latter means that U.S. cyberdefense has to be ready to protect us against all cyberattacks.

    R. James Woolsey presented a complete (and horrifying) picture of the U.S. electric grid's vulnerability to cyberattacks. Identifying 18 critical infrastructures in the country, Woolsey noted that all of the others in the country depended on the status of the electrical grid. If a substantial portion of the grid were knocked out by cyberattack, or an electro-magnetic impulse (EMP) attack, remediation could take years. Such a circumstance would return the United States, not to the pre-Internet 1980s, but to the pre-electricity 1880s. By his estimate, the prolonged absence of electricity would likely mean that two-thirds of our population could die.

    Woolsey also pointed out that, apart from state public utility commissions and the Department of Energy, no one is in charge of America's 3,500 public utilities and no one is responsible for protecting the grid. The Department of Energy only regulates transmission (but not distribution) and the state commissions do essentially nothing to protect the grid. America's public utilities in toto commit less research and development per year than the U.S. dog food industry. Unlike the U.S., Russia, China, Israel and Britain, for example, are hardening their grids against attack. The U.S. does not because, in Woolsey's opinion, "No one is in charge."

    Christina Ray cited PLA officers Colonel Qiao Liang and Colonel Wang Xiangsui, from their book Unrestricted Warfare:

    So, which [of many unconventional means], which seem totally unrelated to war, will ultimately become the favored minions of this new type of war--the non-military war operation which is being waged with greater and greater frequency throughout the world? Financial War is a form of non-military warfare which is just as terribly destructive as a bloody war, but in which no blood is actually shed. Financial warfare has now officially come to war's center stage.

    This quote goes a long way to answering those critics who regard cyberwarfare and economic warfare as exaggerations.

    Former attorney general Michael Mukasey noted that we have laws against crimes, and at least a comprehensible if not a comprehensive way of applying them. We really don't have either in the cyber sector; and, in his estimation, we've made no progress over the past decade. Mukasey also noted that, in May 2011, the White House issued a document entitled "International Strategy for Cyberspace," subtitled "Prosperity, Security and Openness in a Networked World." He remarked, I think perhaps a further subtitle for that document, after prosperity, security and openness, might be pick two out of three, so long as the two aren't security and openness. And then there's the way the document ends, with the pledge that when we do act, it will be in a way "that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible."

    The U.S. government is interested in the dot-mil and dot-gov segments of the Internet. Mukasey cites Cyber Command head General Alexander as saying that when he saw a threat to the dot-com portion he thought he had little authority to do more than say - to himself and others in the room - "ouch, this is going to be a bad one."

    In the U.S., the situation regarding cyberdefense is not unlike that besetting our war on terror. Just as we can't decide where and how to try terrorists, we cannot decide on where responsibility lies, with the government or the private sector: Witness the Senate and White House rejections of CIPSA.

    Former assistant secretary for policy at DHS Stewart Baker pointed out that there's been a revolution in cyber attribution, that is, in our ability to find out exactly who's hacking. "It is not possible to operate in cyberspace these days without leaving little digital bits of your DNA all over cyberspace. It's just like Pigpen. We've got this cloud of data falling off us whenever we move around in cyberspace." Meaning, hackers are traceable.

    Baker encouraged taking the attribution opportunity: I've been trying to popularize Baker's Law, which sums up the attribution opportunity this way: Our security sucks, but so does theirs. That's what we need to remember. The hackers are no better at securing their communications and their data than we are, and we know we're bad at it, right?

    Baker again: The attribution revolution creates an enormous set of options for policy makers. Many people know what attribution 101 is. You've got all the people who've been compromised up on that top line. Then the command and control server which tells them all what to do and receives all their reports about the information. Then headquarters takes that information from the command and control and ultimately passes on to some final customer who actually is going to use the information that has been stolen.

    If we can break down that set of information, we can start penetrating each of those steps along the espionage trail. We can go from attribution to, not deterrence, but retribution. Baker's basic position was that deterrence is impossible without retribution first.

    One way to look at where we are now, as Baker noted, is according to the following analogy: You know how much help you're going to get from the police if somebody steals your bike: They will tell you how sorry they feel about it, and they will tell you what kind of lock you should buy next time for the next bike you own. That is the treatment we're getting now from the FBI and the CIA when they don't have the ability and don't have the resources to do the help. According to Baker, the ability and resources exist in the private sector.

    It is instructive to call our current response to cyberattacks passive defense. As CrowdStrike's Steven Chabinsky notes, the entire emphasis is on the vulnerability of the victims and not the actions of the perpetrators:

    "It's absolutely incredible how much cost today is borne by individuals and the private sector in trying to defend their security with little to no return on investment. It's incredible the amount of time, effort, opportunity cost that's going into a failed strategy, and how our response to that continues to be information sharing efforts to do more of it. We keep blaming the victim." Chabinsky likens this to the police sending a locksmith if someone breaks into your front door.

    The current passive approach to cyberdefense actually makes the problem worse. According to Chabinsky, That's what we're doing here, because every time we have our businesses spend more money on security against targeted attacks and raise the bar to this level, guess where the well-resourced, very capable organized crime groups and nation-states bring the threat? To a higher level. It's like building a 20-foot wall around a house when thieves can easily buy 30-foot ladders at a hardware store.

    Retaliation and retribution in cyberspace--in other words, cyberoffense as the only conceivable approach to cyberdefense--was generally approved by conference panelists, but none more than George Mason University Law Professor Jeremy Rabkin. He noted that the 2012 Defense Authorization Act said, "Congress affirms that the Department of Defense has the capability and upon direction by the President, may conduct offensive operations in cyberspace to defend our nation, allies and interests." And then the Senate said, "Wait. No, we can't just say that. We've got to add, 'Subject to the legal regimes the Defense Department follows for kinetic capabilities, including the law of armed conflict.'" This meant that consideration of cyber retaliation and retribution should be reconciled with the law of armed conflict and, therefore, effectively neutralized the approval of cyberoffense.

    Considerable attention is being given, when dealing with conflict in cyberspace, to such things as the Geneva Conventions and what the Red Cross has said about the laws of war. According to Rabkin, "Pretty much the Red Cross view of the law of armed conflict is this: it's how Switzerland would have fought the Second World War--if it had actually been fighting." Post-Vietnam, Additional Protocol I of the Geneva Convention became something of an international norm.

    That protocol has it that in armed conflict only military objectives must be involved; nothing must harm civilians or civilian objects. This, Rabkin called "utopian" and wholly at odds with how the First and Second World Wars were fought by the Allies. In those instances, we instituted blockades that sought to punish our enemies economically. These certainly harmed civilians and civilian objects.

    Non-military retaliation for aggression is hardly new. It dates from the Middle Ages at least and is enshrined in Article 1, section 8 of the U.S. Constitution, which deals with war at sea. There, the Constitution authorizes the granting of "letters of marque and reprisal." According to Rabkin, we don't need to be at war. Our government can grant letters of marque and reprisal separate from a declaration of war. In the early American Republic, when it was impossible to fight the enemy's army or navy, such a letter allowed private ship owners to attack the commercial navy of the enemy. Were letters of marque and reprisal used to take the offensive in cyberspace, then, like those concerning the sea, their message would be clear: "You're aggressing, we're retaliating. Maybe something less than kinetic battle would convince you to end the aggression."

    According to Rabkin, there's no good reason why we shouldn't use cyberattack to damage a lot of property, especially in retaliation for enemies who have already done that to us. It is insane to allow the Swiss to tell us how we fight our wars, and it's doubly insane to have the Swiss tell us how to fight cyber conflict, which mostly won't rise to the level of war and is something Switzerland knows even less about than actual armed conflict.

    Further, he says, "Is cyber more like naval war--where we disrupt the enemy's trade and communication, without exempting commerce just because it's owned by civilians? Or is cyber conflict more like a land war, where we send tanks into enemy territory and then say to enemy civilians, 'Stay out of our way and we'll stay out of yours'? I say it's more like naval war, so what is permissible in naval war should be applicable to cyber conflict."

    While Rabkin was the only panelist advocating a modern, cyber version of letters of marque and reprisal, all generally agreed that the U.S. government should at least authorize private sector counter-hacking which would otherwise be illegal. Moreover, the general conclusion was that the private sector has the will, fiscal means and technical ability that the government may never have.

    Concluding this briefing are notes by former assistant Secretary of Defense and ACD/EWI Board Member, Richard Perle (who was unable to attend):

    "Would it make sense for us to approach the Chinese with the following proposition: We know what you are doing and we insist that it stop. If it doesn't, you should understand that we can do to you what you are doing to us. We don't think there is much to be gained by stealing your intellectual property (it's mostly ours to begin with) but how would you feel about the publication of your intergovernmental communications made available to your own citizens? In any society governed as the Chinese govern theirs, the threat of disclosure could be a very powerful deterrent.

    I suspect that at some point we will begin to hear proposals for a treaty or treaties, or an international convention aimed at creating norms with respect to cross-border intrusions of all sorts. I hope we will resist the temptation to hope that such an approach offers any substantial protection. What it is more likely to do is compromise sensitive information that we are sometimes able to keep secure, and invite the foxes into the chicken coop. The worst prospect of all would be a cyber version of the Non-Proliferation Treaty--a universal convention based on the premise that any country willing to sign up should have full access to advanced computer science from anywhere in the world. We've been down that path before."

    INTRODUCTION

    Rachel Ehrenfeld, Ph.D., Director of the American Center for Democracy and the Economic Warfare Institute

    Threats to the U.S. economy have been a longstanding concern of the American Center for Democracy and led to the establishment of its Economic Warfare Institute. Before 9/11 we had done extensive work identifying who and what funds terrorism against the U.S. and its allies, and what were the methods used to deliver the funds. The 9/11 attacks on the World Trade Center and Osama bin Laden's repeated calls to hit the U.S. economic interests at home and abroad refocused our efforts to look for indicators of such potential threats. We have identified many, which at first glance are not associated with cyber. But since the world has become more digitalized, our state and nonstate adversaries have increasingly used the internet not only to secretly communicate with each other, but also to inconvenience, harass, and harm us. Cyberespionage, including stealing manufacturing secrets, patents and other intellectual properties, identity theft, fraud of all sorts, and even market manipulations have become more and more prevalent.

    Cyber has become the lifeblood that runs our communication, electric grid, transportation, aviation, banking, industry and commerce, our military apparatus, hospitals...everything. To increase security, we have been advised to store information in clouds, yet another set of computers. If one day the system goes down, the damage would be irreversible. We will be left in the dark--with no records to reconstruct and replace what we have lost.

    The predominant attitudes in the U.S. do not consider preemptive measures as the best defense. They don't even consider in-kind reaction, because cyber attacks have not yet left the streets littered with dead bodies, in a way a massive bombing or a detonation of a dirty bomb would.

    It is clear to me that unless the U.S. upgrades its cybersecurity fast, and acknowledges massive cyber attacks as warfare and offense as the best defense, the cumulative effects of cyber attacks would soon undermine the public's confidence in the government and destroy our economy. Richard Perle, former Under Secretary of Defense, and a member of the ACD Board of Directors, presented the following questions:

    "How can we deter acts of cyber aggression in peacetime and what should we be positioned to do in the event of a major cyber war, or a major cyber attack, launched in the midst of a conventional conflict? If recent press accounts are even half-truths, the United States government and its public and private institutions and businesses are the subject of continuous electronic intrusion, sometimes to steal valuable intellectual property--including secret data--and sometimes, perhaps more worrisome, to plant menacing software for subsequent destructive purposes. We know this is going on and, presumably, we have considerable knowledge of who is doing it. So what can--what should--we do about it? China is frequently identified in the press as one of the most egregious hackers, draining corporate data-bases and government agencies of valuable information--and worse. Would it make sense for us to approach the Chinese with the following proposition: We know what you are doing and we insist that it stop. If it doesn't, you should understand that we can do to you what you are doing to us. We don't think there is much to be gained by stealing your intellectual property (it's mostly ours to begin with) but how would you feel about the publication of your intergovernmental communications made available to your own citizens? In any society governed as the Chinese govern theirs, the threat of disclosure could be a very powerful deterrent. As for the wartime scenario, I certainly hope that we are positioned to take the offense as well as erect defenses. Perhaps the panel could comment on this. Finally, I suspect that at some point we will begin to hear proposals for a treaty or treaties, or an international convention aimed at creating norms with respect to cross border intrusions of all sorts. I hope we will resist the temptation to hope that such an approach offers any substantial protection. What it is more likely to do is compromise sensitive information that we are sometimes able to keep secure, and invite the foxes into the chicken coop. The worst prospect of all would be a cyber version of the Non-Proliferation Treaty--a universal convention based on the premise that any country willing to sign up should have full access to advanced computer science from anywhere in the world. We've been down that path before."

    The speakers have prepared to address Perle's questions and then some. Their spirited discussion and intriguing suggestions would be soon available on YouTube and on our website.

    [From prepared remarks.]

    INTRODUCTION OF REP. MIKE ROGERS

    Michael B. Mukasey, Debevoise & Plimpton, former Attorney General of the United States, Member, Board of Directors, American Center for Democracy

    It is a pleasure and a privilege to introduce Mike Rogers. He is the Chair of the House Intelligence Committee, which is the House's principal panel responsible for authorizing and funding and overseeing the execution of the Intelligence Act of the United States. He is the rarest of creatures particularly in the Washington area, a person who moves things in a bipartisan, nonpartisan way. He got three of his intelligence projects passed the House. The last one went through on a vote of 386 to 28. You can't get a majority like that for the Flag Day Resolution, and it mattered that he got it for an intelligence budget.

    He's also taken the lead on critical cyber security issues, including cyber security legislation to help better protect this country against the constant onslaughts that you just heard summarized by Rachel [Ehrenfeld]. In fact his bill is going to markup tomorrow, and I'm hoping that you can hear some[thing about] that today. This is not the beginning of his public service. In addition to having been a commissioned officer in the United States Army, he served his country as an FBI agent, fighting organized crime in Chicago, and then was elected to a position in senate in 1995. He was elected to Congress in 2000. He represents Michigan's

    KEYNOTE ADDRESS

    Rep. Mike Rogers (R-Michigan), Chairman, House Special Selection Committee on Intelligence

    Thank you, Your Honor. I appreciate that kind introduction. I'm not sure that I want to say anything to change what you're thinking of me right now. I appreciate the opportunity to be here and take a few minutes, and I don't want to go long. We have some very, very distinguished panelists, and I wish I could stay for that.

    I just wanted to talk about a few things. I first got on the committee in 2004, and got my first classified briefing on cyber activities in the United States and around the world. It was one of those things that is something that we might want to pay attention to, something that could become an issue that we can't handle, and unfortunately exponential since that day. It grew worse and more complicated and is an issue that is a serious threat to our national security that America is not prepared to handle. It is amazing to watch, even just the last couple of years, about nation states--whether one would argue or not, rational actors--North Korea, Iran developing and building their cyber capability to not only ... well they're not [just] interested in espionage, let's put it that way. They are interested in attack and disruption. And we have non-rational actors who have that capability.

    I worry about this every single night after we go through our daily prep

    going to be a home invasion at 123 Street tonight at six o'clock," I am morally obligated to do something about it. I will contact the local police to show all our calls to make sure that that person doesn't get through the front door and cause some harm. Think about what this cyber activity is. It is no different than a company willing to pick up that 911 call and say, we are under attack and we need some help. So what we've said is "listen, [we need to] do all of this talk about offensive capability and developing an offensive capability in the United States"--and we have lots of debates about that, believe me, all worthy debates. None of it means anything if we cannot protect our networks here at home. Candidly, we are not ready to protect our networks here at home.

    Talk about Chinese espionage: that last string, those were a cyber attack. We have several nations that have used it, Russia clearly in Estonia, 2007. You recall when they tore down Lenin's statue, [the Russians] were a little miffed apparently, and they used a very aggressive cyber attack on a submarine--severe damage, shut them down, scared them to death. One of the most vocal advocates of the government's assistance in protecting networks you'll find is Estonia, and I highly recommend to meet the ambassador, she'll school you well on the threats of cyber security. They also used it in prepping the battlefield in South [Ossetia] before they went into [that part of] Georgia, so they had a very aggressive cyber attack, a disruption of their electric grid, their financial services network, then they sent in the soldiers and the tanks.

    We know that nation states, including China, by the way, have this capability and are eager to put them into their arsenal. Now there's one thing about this Russia and China are not likely to go after--our financial services networks, [that's] not likely unless we are in direct conflict. They're rational actors as to the consequences of that kind of very destructive behavior, and I argue the Chinese wouldn't want to go after our financial services networks: we owe them too much money. You have those rational actors. Here's where it gets concerning: we should be concerned that North Korea [, which] showed, about a month ago, that they had the capability to go in, and they attacked a financial institution in South Korea and did some damage. Probably not where the other nation states are, but it shows they have a growing investment in their ability to conduct cyber attacks that have real consequences.

    Iran clearly has exponentially gotten better and is learning every day, but if you're not familiar with the Saudi Aramco case, I would recommend that you get familiar with it. It shows what a nation state can do when it sets its resources to attack a single business to cause destruction and harm to that particular establishment. They attacked Saudi Aramco, a very important energy company in Saudi Arabia, the largest company in all of Saudi Arabia that does all their transactions and clearances--financial transaction clearances for the country when it comes to oil and gas.

    Think about this: you had, say, ten thousand computers. You show up to work that day and seven thousand of those computers don't work anymore, and everything that was on those computers is gone. You can't reboot them, you're not going to find it again. It's gone. You can't even turn it on. It is a paperweight on your desk. They destroyed thirty-thousand machines in the attack on Saudi Aramco, thirty-thousand.

    Here's where it gets interesting, they also went in and manipulated data. Instead of Mike Rogers owing Saudi Aramco $100, they had it turned around the other way. They manipulated data, they destroyed data and then they destroyed machines. The scary part was [that] the telecommunications network almost caught fire. It's still vulnerable.

    I don't think that was by design, I think that was just by propagation of this particular mode of attack. They almost shut down and destroyed certain pieces of equipment in the telecommunication sectors of private companies that were operating in that particular region. It doesn't take too much, if you understand common communications, that [something like that] can hop, pretty quickly, not only from across the Middle East or across continents, across oceans and get to a place like the United States. If that doesn't worry you enough, imagine that.

    We now know that, according to public reports, Iran has been lapping at our shores and probing our financial services institutions. Not with their best stuff, their best stuff was we believe Saudi Aramco Plus, but they were just trying to find vulnerabilities in our financial services networks. Is that a problem? Imagine a bank, that does say eight-trillion, nine-trillion dollars in transaction clearances a day, gets attacked and the data is lost, the machines are broken, and we have what we would call chaos occur. They know it. They're not a rational actor. They're corner unbalanced, at this point in the world, isolated clearly, and they're on the offense.

    This is a huge problem. It is not Orwellian, it's not Hollywood, it's today. The problem is most people at home don't have any understanding of the impact and how it might affect their lives. Trust me, if you have money in a 401K account, you will be in that. If your check, for those Federal employees ... some of these banks clear a whole bunch of Federal transactions, stops coming ... And your Social Security checks can stop for a period of time.

    Try to imagine going back and reconfiguring that in a timely way to get people their checks. So, you can compound this pretty quickly and get to a place where chaos is the reigning [condition] of the day. Here's why I know this is going to work, and here's why we have to have this today.

    The Internet is one-sixth of our economy today. If we want to maintain the economic engine, I would argue the freedom engine that the Internet has brought to not just us but the world, means that people have to have faith that it works for them and not against them. If you want a free and open Internet, we better take some steps today to make sure that we can protect it and maintain the confidence that, when you use the Internet, somebody's not stealing you blind.

    Imagine that happens at a bank, and it happens at your bank, and it happens every time you use your credit card, you pretty soon will stop using the Internet as a means of commercial transaction. I can't imagine what we would look like, if we started withdrawing from the commercial aspects of the Internet. I think it would be a horrible outcome.

    What we did is we stepped back, quickly, my ranking member and I, a Democrat from Maryland, he's a prosecutor and former FBI agent ... We figured we could talk the same language. I would say the FBI does the work, the prosecutors get all the credit. We'd probably have a marriage made in heaven here.

    We sit down, and we start with a blank piece of paper. We said, no let's not bring anything to the table. Let's go out and let's talk to Silicon Valley. Let's talk to the high-tech industry folks, let's go to New York City and talk to those folks. Let's talk to the privacy groups. Let's talk to the end users, and try to figure out what is the narrowest, least intrusive, nongovernment mandated way that we can provide cyber security information to the private sector so they can protect their own networks, very simply.

    Well, we came up with a whopping thirteen-page bill. I know some of you are aghast at that. Right? I was going to put on that a four hundred page amendment, just to show you all I was serious. Nothing in it, but just weight. So, through time, we've been working with those players.

    Last year, it passed in a bipartisan way, mainly by people who were exposed to the real threat of what's happening out there in the real world when it comes to cyber. This year, we have been bringing members down. I call it a "holy mackerel briefing." You come down, we expose members of Congress to what the real threats are in a classified environment. Why we can't sleep at night, why this is a relevant problem, why more nations are themselves investing in the capability to do this kind of thing, because it's so lucrative for them, and how we can take a very narrow small step to do something about it.

    Let's share the secret sauce, that information that we collect overseas, that really nasty, malicious source code, and share it with the private sector, so that they can protect their networks. And when you're at home on your computer, you don't have to worry about somebody stealing your personal identity.

    We can make it a little more difficult for them to be successful. And vice versa. You know, probably the biggest misperception about this whole thing is that your National Security Agency, or your CIA, is plugged into the domestic Internet circle, if you will. It's clearly not. It's illegal for them to do it. We monitor that very closely. They would have no benefit to themselves to do that. They are not on a vested network. This wouldn't change at all. All it does is say, well you want to help the private sector when they get hit.

    What happens is a private sector company gets hit with something very complicated and very nasty -- and by the way remember -- I could be a mid-sized company trying to fight off a nation state like China. You're going to lose that fight in a cyber war, I don't care how good you are.

    If you get a thousand people getting up every single day with the sole purpose of getting into your system, guess what? They're going to get in your system. And when they got hit with something, what we said is we'll give you as much as we can on the mail order side, and you shoot something back that says, this is the 911 call I was telling you about. This happens in real time by the way. Nobody really picks up the phone. If they have to pick up the phone, it won't work. Their machine sends that nasty piece of code to folks who understand it. They look at it, and they can go back overseas and find out where it came from. Just as you call a detective and they come and catch the burglar that's in your house or outside your house, same system. But it happens in real time.

    It'll happen a hundred million times a second, and to give you an idea of why that's important, the average credit card in your wallet, that company will get hit three hundred thousand times today alone by bad actors trying to steal--credit card companies, three hundred thousand times today. I talked to one agency that got hit six hundred million times last year, one company, six hundred million times in one year, a huge process.

    What we're doing tomorrow is we're doing markups, that's the legislative jargon for taking a vote, working amendments on the bill in the Intelligence Committee.

    Again that does that very narrow simple thing: have the government share what it knows and when you get hit as a private sector only if you want--100% voluntary.

    You share that malicious source code back with the government so the government can take it and try to figure out who the perpetrator is, and build those signatures into its network so we can stop him from robbing us blind. As it is, it's happening every day. So, we're looking forward. If I haven't depressed you enough already, I can take a few questions.

    Audience member:
    I'm on the cyber economic espionage front. If we're a system of, a nation of laws, rule blocked, we have governmental information that we know that X hundred billion or trillion dollars worth of electric property will be stolen, why can't we not use our court system to go through the process, repeal false judgments, and start decrementing the debt we owe to the people who are violating our laws?

    Mike Rogers:
    Because we are members of the WTO, there are companies that choose that route. It is just not successful. If you have a company who is using its government military intelligence services to steal information for the sole purpose of building its economy, you can tell that the rule of law is not nearly as important to them as we would think. It works in a system where both parties believe in the rule of law. You go to court, some win, some lose. Right? That is just the way that our system is. If you respect that system, it works fantastic. If you don't respect that system, it will hardly work at all.

    There are efforts underway to try to raise the pressure on countries like China. And remember that they have to grow 7% a year, just to maintain their social programming. Growth ... you know we'll be lucky if we hit 2% this year for a profit. If we're really lucky this year, we'll have 2% growth. So, you imagine that they are not great innovators, but they have shown they can be great, well I won't use the word, but they're taking a lot of stuff. Right? They can take that stolen material, and it helps them fulfill their need. By us filing a charge and doing it that way, I don't believe it'll work. I believe that by raising the pressure dramatically, this should be the number one, number two, and number three bilateral discussion on any issue we talk about with China moving forward. We've got to get them there.

    Audience member:
    You're talking about what your committee is doing, what cooperation are you getting from the Senate and from the administration?

    Mike Rogers:
    Part of the problem is last year, we got caught in the election cycle, so we got the bill out of my committee too late. This year is better, and we are much better aware, because you cannot open the paper today without another example of a cyber theft, a cyber intrusion, a hacking. That helped.

    Unfortunately, that helped build awareness in both voices. The good news is we're having a constructive dialogue, so far with the White House and a constructive dialogue in the Senate. We're going to get a bill by the end of this year that will get on the President's desk and get signed. I believe that. We are right in the middle of the making sausage part of that whole thing, and our goal is to protect privacy, civil liberties. Let people understand exactly what the bill does. People must have faith that this thing is not intruding on their lives and won't work, we need to make sure that that's right and it doesn't intrude. It's not a surveillance organized event. So, we're going through that process now, and we're going through this education process.

    If you know a member of Congress, I highly recommend you call them and say whatever you do for, you better get out there and start fixing it. This is a great opportunity to do that.


    Audience member:
    Because we're private citizens, everything we really know about the Chinese attacks is from reports like GrossNet. Private citizens got into their command and recall servers and figured out what they were doing and learned a lot about the perpetrators' MO. We can't do this just with government resources. You're under a lot of pressure, and I fear from the Second Amendment that basically says we're not going to give any additional authority to private sector guys who want to investigate who's attacking them. Can't we find a way to make sure that we have leveraged some of those resources?

    A lot of people are worried about this.

    Mike Rogers:
    You're talking about the hacking back provision of the bill. I do worry a little bit about cyber vigilantism, because if you're not at the top of that spectrum, you can get a bomb for sure.

    Same audience member:
    We need this really badly.

    Mike Rogers:
    Absolutely. One of the things that we didn't want to do is get into establishing new law by allowing people to participate in stealing, stealing back or hacking back. However, that being said, in an information sharing regimen, it empowers the government to know more about what's hitting the private sector, because we sometimes don't know. If we don't catch it overseas, and you don't call the FBI, the federal government does not know what business has been hacked, which is part of our problem, why we're trying to get a handle on this.

    Most people think that the government is sitting on the Internet, listening to all of that. It doesn't happen. So one of our challenges is how do we entice businesses to cooperate back so that we can find these new signatures out there? So the government cannot do it without the private sector. It is impossible. The private sector cannot do it without what the government knows. I'll guarantee you it's impossible. Even your best CIO who tells you, "we've got a handle on it. We know exactly who they are, no problems", my argument is find yourself a new CIO.

    Because we know for sure, the last estimate I heard from our intelligence services was that we would know almost 40% more on malicious source code that's laying on the shelf than the private sector even knows exists. Imagine the value of having that protect every network in America, but all you've got to do is get in the right. If you know what you're looking for, you can find it. That's the beautiful thing, but this stuff so sophisticated, so complicated, you have to know what you're looking for. That's the benefit of sharing that we hope gets away from the need ... because what you're going to do is have somebody make the mistake of bringing down a business, with at the most unintended consequences can be very very serious.

    I will tell you that the good news is that the government is getting better about catching on to how they do it, the signature based-task, but it's difficult. That may take you through five or six countries of a hundred different cities before you find out where that thing was written and sent. That's the challenge, and I would argue knowing what we know on our side, even some of the best private sector companies wouldn't have the ability to track it all the way out. Some can, a lot cannot. My fear would be those, a lot that cannot, could cause more harm than they do good. So that's why we're kind of at where we're at.

    Audience member:
    What role do you see state and local governments in this cyber policy?

    Mike Rogers:
    Obviously the criminal part of this is important. We're dealing with, as the intelligence chatter, we're worried about what threats come in to the country from overseas. I think it's not limited to that. We have criminal problems here in the country. Part of that sharing needs to be from federal to local and local to federal as well. And the more we know and find out in a classified setting, the more you can stop.

    The goal is, can we make it so hard and so difficult as we move forward? Can we make it so hard and difficult that it's not worth trying and investing as much money as they are in training a legion of cyber attack warriors and intellectual property thieves? And that's what they're doing. But how do we make that so it has no dividend? And right now, there is no consequence. That's the problem. So, that's why we need to see this sharing regime between them [the federal and state and local governments]. And then state and federal, state and local would be heading out, trying to hopefully find those criminal elements that operate within the United States, conducting crimes here. The FBI is going to be a part of this as well.

    Audience member:
    In your markup of the bill, do you intend to address at all DLS attacks on 911 Centers?

    Mike Rogers:
    Well, we wouldn't do it specifically by institution. You would hope that local units of government would participate. This again is all voluntary. There are no mandates in this whatsoever. I don't think that would work. You'd hope that they would participate. The FBI, I will tell you, is getting better and better and better when it comes to the forensic cyber crime part. There are discussions about how do you try to stop it before it hits. That is a much more difficult proposition, and one that we wrestle with quite a bit, based on what the FBI's duties and assignments are here in the United States.


    We hope through this sharing regimen you can get a lot of that. And here's the other benefit: when that 911 Center is hit, God forbid, if you have real time sharing capability and you're part of that loop, it is much easier to use the capability of say the FBI, which has this growing cyber capability to find them quickly and have somebody hauled off in handcuffs and put in jail. They're risking people's lives when they do that. It's pretty sick of them.

    Audience member:
    We know, at least some of us know, the Iranians have been targeting and hacking second-tier government contractors. Do you believe that there should be a cyber security standard in order to get a government contract?

    Mike Rogers:
    The problem is you don't want to be exclusionary. And you want to find, to me the best and most cost effective way, to allow those companies the outlet. So, in the first part, you're going to see this anyway, but while it's not only in some of the defense contracts, that "yeah I have at least these elements," I would be very reluctant to have a legislated standard that starts to get the government into setting the standards, through rules about what their secure network looks like. That's the other side of our argument: a lot of people are pushing that. I think that's a disaster. By the time you do the rules it takes eighteen months. Guess what? Your threat matrix is completely different by the time you're finished.

    You have companies trying to beat the standard that doesn't beat the threat, because it's happening today. A) I think it's a waste of money, and B) I don't really want government regulating the Internet. I think that would be a disaster. So, where we're at is a discussion. I'll tell you what's interesting, coming out of New York over the weekend, is now these venture capital firms are starting to realize that they don't want to invest in a company that is exposed to the vulnerability of getting all of that intellectual property in which they invested stolen. So now they're putting as part of their contract of investment their own standards of what those networks should look like.

    Honestly, if you have the private sector and these folks who are exchanging money saying, "Hey, this is important enough for us to say, 'You want our money? Your system has got to look like this.'" Perfect, that's fast. They don't have to go to the government for permission. They can set their own standards, and when it changes in six months, you can change with the threat matrix. I think that market force is starting to kick in by the sheer volume of loss to economics in this, and I think it's going to have a great outcome. I'll just take a couple more questions, if I can.

    Andy Cameron with Augur-Nexus:
    In the War on Drugs, we found out that banks were a big part of the problem with the money back and forth. In cyber warfare obviously a lot of these groups denied state sponsored funds are getting funded somewhere, and banks are involved in this. We've been talking to people on Wall Street. They want to figure out who they should be dealing with and not dealing with, and try to give bad banks bad ratings and such, is there an economic bent to this?

    Mike Rogers:
    On the fence, if you're talking about people trying to launder money or if you're talking about ... or did you just say that bankers were on drugs? Did I understand that?

    Cameron:
    But there are banks that are literally funding corporations in China and Asia that are knowingly ...

    Mike Rogers:
    I see what you're saying.

    Cameron:
    Is there a way to get Wall Street more involved in a proactive list by management?

    Mike Rogers:
    Again, I think the driving force is this sharing regime, and I do think there's going to be a parallel track here. The only reason that I talk about the defense part is because we're so far behind. We haven't even, you know in the old saying of the day, we haven't hired one soldier or one rifle yet to protect our networks, and there is an invasion underway. Right? We're way behind target. We have to fix that part. The second part and the parallel part that I understand is equally important is where we gain the support of Germany and Japan and South Korea, other innovation economies in the world, getting absolutely killed, is where we start putting pressure on China directly.

    The Mandiant report was important because it named names, that was really important, and the Chinese hate that, and so what we're going to do is we're going to name more names, and we're going to start ramping this up. I argue that we ought to look at trade issues when it comes to companies that we have determined have stolen intellectual property, repurposed it, and put it in the market. I'm a passionate believer that, I guarantee that, that will definitely get their attention. And again, we have to start putting into place things that take away the benefit of stealing this property and repurposing it.

    We had one American company, a well known manufacturer, that had their property, the blueprints for their products stolen. That product is now in production in China. Twenty-five thousand American manufacturing jobs, one company. I didn't talk about it, because they were afraid of the brand or afraid of announcing vulnerabilities. They don't get out there and wave a flag that they'd been hit, but that's the kind of thing that's happening.

    There's another company that actually came to us. They had a company named American Semiconductor, that went into China to do a joint venture, and has technology or had technology that would allow windmills and solar to be converted to the grid. Right? Had this patented technology. The Chinese government stole it, all of it. They went from a company that was valued at 1.8 billion dollars monthly, that's worth about 170 million today. They are no longer doing business in China. The number-one company in China doing that business is the company that stole it from him, that he did a joint venture with. And I wish that I could tell you this is a rare thing.

    It happens again and again: there's a line around the capitol building of companies willing to come in and tell us in a classified setting. I've got my whole frontal property portfolio gone. I've never seen anything like this, where we are jazzed, and our blood pressure isn't up. I mean it's unbelievable. I'm getting all worked up...

    Audience member:
    Okay, I also have your permission, we also have that, but we also have to go back and practice, create a number of programs to make this thing difficult to do--like, liability, privacy, competition amongst companies who already have cyber protection, plus education rules about information, how do we do that?

    Mike Rogers:
    If we don't have liability in the bill, he was just saying, this is a hard problem to work, because you have liability issues with sharing information, and you have, my fear would be, this unwieldy cooperation of competition between companies, and so, yes, we put liability protection in the bill, and again we did that because it has to be in my mind a voluntary process. We don't want any mandates telling people, "you must give us information, or you must cooperate." We don't do that in the ... well we did do it in the FBI, but it was only in the hardest cases.

    We did, we built in liability so that they can share, and remember this still has to happen in a classified way. If you just put all of this open, on the open Internet, take that source code, change enough of it, and it's in. I mean this is complicated stuff, so that's what we look at. So, what we tried to do is, you'll push it as far upstream in the system as you can. Your Internet service providers would likely be the first members, I would guess that would join. You share with me, and I'll tell you what we're catching on our system that's really nasty, and we'll build a better system together. And we think that's what happens. Then you'll have that next tier of very capable IT companies.

    If you're a small company in America, you don't want to build a SCIF [Sensitive Compartmented Information Facility], and have to meet all the standards of having and maintaining a SCIF, and have the people for compliance for the SCIF, just to share information, if your ISP provider is already getting it. Right? I wouldn't spend the money. That's where we think we get the value on that downstream. Somebody was talking about supply chain. That supply chain is very vulnerable, that's how we think that we can help the supply chain, before it ever gets to the network, or personal office network, it has to go through that ISP provider that is sharing classified data. Thanks everybody getting involved in this discussion. It is very, very important.

    [Edited from transcript.]


    CYBERSECURITY: ENGINE FOR GROWTH OR ECONOMIC ANCHOR?

    Mark Weatherford, Deputy Under Secretary for Cybersecurity, Department of Homeland Security

    I focus today on two issues related to cybersecurity and the economy:

    The first is the role of government in working with the private sector with respect to cybersecurity

    The second is how the United States might use cybersecurity as an engine for economic growth.

    The first issue is a question many of us in government have been asking for some time and that is, "What's our Role in Cybersecurity?" I've only been in the federal government for about 18 months but have sat through quite a few meetings where we've explored the question and I can assure you, it's not a trivial or easy discussion.

    Historically, the mission of the Department of Defense is to provide the military forces needed to deter war and protect the security of our country. Doctrine however, seems to be shifting to anticipate, or at least consider, that the next big destructive act facing our country will involve information technology.

    Here's a couple of things to think about:

    What is the role of government in a toxic waste spill where a community is endangered? The government typically monitors the situation but the private sector does the work.

    https://www.youtube.com/watch?v=oQfiKt-azek

    What is the role of government when a hurricane destroys miles of high-voltage transmission lines that supply electricity to our cities and the result is physical and economic suffering? Government often plays a more active role like during Hurricane Sandy but we typically monitor the situation while the private sector does heavy lifting.

    What is the role of government when geomagnetic storms or solar flare activity create coronal mass injections significant enough to damage electrical transformers that then cause widespread power outages - perhaps for months at a time?

    How about if that same transformer damage if it is caused by a High-Altitude Electromagnetic Pulse from a warhead detonated miles above the earth's surface?

    These are two completely different issues requiring the same mitigation steps by the private sector, but I assure you that expectations regarding the role of government are different.

    Who is responsible for hardening the transformers?

    Who is responsible for maintaining a supply of spare transformers? These things are made mostly overseas, can take up to two years to build, cost millions of dollars, and not easily transportable?

    Closer to home and more timely, what is the role of government when a cyber-adversary launches a Distributed Denial of Service attack against the banking and finance industry which threatens the banking industry's ability to satisfy their customers? Several days every week?

    This is something we know a little bit about, but it still isn't clear-cut.

    DHS and other government agencies like Treasury, the FBI and DOD have been working with the Banking industry for the past nine months on how to mitigate and respond to these attacks but is there a threshold? What is the government's role if that threshold is crossed?

    One of the significant roles of government is to share threat and vulnerability information with the private sector. This kind of information is frequently synonymous with Intelligence Information, which is often - too often in my opinion - classified.

    As most of you probably know, classified information is only shared on a "Need-To-Know" basis with those who have been vetted and granted a security clearance. This creates a conundrum for the government because there are a lot of people in the private sector who could benefit from "Need to Know" information.

    When I worked at NERC, I'd get into conversations with government organizations who, because I had a security clearance would brief me on these scary things threatening the electricity industry, but then tell me that I couldn't share it with the electric utility companies who actually run the systems.

    Our philosophy at DHS is different because while we have cybersecurity responsibilities for the civilian federal government agencies, our primary constituents are those private sector critical infrastructure companies across the nation. It's something we call a "Duty-To-Share" versus a "Need-To-Know" and we do everything possible to get threat and vulnerability information into the hands of people who need it.

    So shifting gears, my second point is that I think there's an opportunity for the United States to consider how cybersecurity policy, and the investment in technology that supports the policy, could be a catalyst for economic growth.

    First, we have to recognize where we are today in our capabilities versus the cyber-threat environment.

    Security has always been a "throw it in if you have time and it doesn't cost anything" issue during system design and development. It's never really been a priority and consequently, we are in a constant state of rebuilding of our infrastructure.

    I was reading about the Hubble telescope a while back and I thought it might serve as a crude, but related analogy.

    Hubble was funded in the 1970s and launched in 1990 at a cost of about $2.5B. As most of you know, they almost immediately discovered that the main mirror was too flawed and required repair if they were going to be able to get anything useful from the project. The Hubble servicing mission followed in 1993, just three years after launch, and cost about $1.1B.

    This is the security business today. The vendor market around bolt-on security is proof of this constant rebuilding, and while there is certainly some economic value to this market, we'll never achieve the kind of security I think we expect from a nation of innovators.

    These aren't just maintenance issues like changing the oil in your car - we expect to do that. What we shouldn't expect is constantly fixing software defects and faulty applications.

    Almost all of our critical infrastructure systems have security flaws that could have been corrected during the initial design. The problem is, most of these systems were put in place decades ago. There are still turbines in dams, substations in the power grid, and industrial plants in the manufacturing sector that were built 20, 30 and even 40 years ago.

    This was way before there was even a cybersecurity issue to worry about. Since that time, these facilities and systems have been connected to, and are dependent upon, this very vulnerable thing we call the "Internet".

    This requires companies to conduct extensive vulnerability analysis and then, either mitigate the vulnerabilities, or apply compensating controls like network segmentation, isolation and other wrap-around security measures.

    Of course they can also choose to upgrade and replace the systems entirely but this is incredibly expensive and something not many companies want to do when there are years left in the life cycle. These kinds of capital investments are typically only made every decade or so in many sectors.

    This is where we are today - in Constant Remediation.

    We are making systems work with, metaphorically, a bunch of broken parts. This Remediation creates jobs but this has only limited impact on the overall economy.

    This is where the next big thing, or Cybersecurity 2.0, can elevate the United States and actually distinguish us from other nations as a safer place to do business.

    Cybersecurity 2.0 is when we begin to design security into every critical infrastructure system, to make the United States the safest place in the world to develop and host systems and applications.

    Just like "Safety" in a manufacturing plant is everyone's responsibility, good security design will become habitual and an expected performance measure.

    After the significant remediation in our existing critical infrastructure is completed, and it's going to take a few more years, standards for good security design and development will guide a new generation of product differentiation.

    This is when all of the new Cloud and Mobile applications and services will become safer.

    And in case you haven't been paying attention, Cloud Computing and Mobility ARE the future.

    In a November 2011 Harvard Business Review article, Andrew McAfee called Cloud computing:

    "A deep and permanent shift in how computing power is generated and consumed. It's as inevitable and irreversible as the shift from steam to electric power in manufacturing, which was gaining momentum in America about a century ago."

    So here's a Question? How do you feel about banking and hosting your financial information in a country where you don't know what security policies and controls govern the infrastructure?

    Would you feel better about doing that same business in a place where the policies and systems have been specifically designed, implemented and are regularly tested to ensure they have effective cybersecurity practices and controls in place?

    What about your healthcare information? How about the rest of your privacy related information?

    I think people in other Nations and companies in other countries will feel the same way and choose the more secure place.

    There's very little disagreement that the next generation economy is already information-based and becoming more so every day.

    That means we can't - CANNOT - continue to treat security as a bolt-on after-thought. It must be designed and built into everything, and I think that can become a differentiator for the US economy.

    Made in the USA will mean something!

    Software will be developed with secure coding, Systems will be designed to natively encrypt and protect data, and our Hosting facilities will have threat monitoring and continuous diagnostics and mitigation built-in to create the most secure facilities in the world.

    Security can be profitable!

    [From prepared notes.]

    KEY ELEMENTS OF ENERGY SECURITY

    R. James Woolsey, Chairman, Woolsey Partners LLC, former Director of Central Intelligence, Member, Board of Directors, American Center for Democracy

    I was about ten years old, my father and I were going fishing one day. I went in to find him in our living room in Tulsa, Oklahoma. My father, a lawyer, had spread out on a card table a whole lot of yellow pads; he was taking notes and putting slips in the books and so forth, and I said, "Dad, what are you doing?" And he said, "I'm really sorry that we're going to have to put off the fishing trip. I'm getting ready, since I'm now expecting to go to trial on Monday, and I need to get a lot of work done." I said, "Well, what are you doing right now?" "I'm figuring out the opposition's cleverest strategy." I said, "Why do you do that?" And he said, "Because it's not only the opposing case that you think you'll likely be facing, but the strongest, most powerful, cleverest, sneaky and crafty thing that is possibly imaginable that you prepare for. Figure out how to defeat that and then you're more likely to win."

    Well, I thought that that was kind of an interesting approach to debates and lawsuits, and I've always tried to follow it.

    Let me suggest an approach a bit like that with regard to cyber security. Today, Kim Jong Un, Ahmadinejad, and some of their buddies in other countries like China like to steal money from us over the Internet, and that's a serious matter.

    https://www.youtube.com/watch?v=FesqnTLPQv8

    We have to protect ourselves and deal with all such important issues. But for some of them, their objective may be a lot worse than that, say destroying us. Now a common way of discussing these latter sorts of existential issues is to say of somebody--fill in the blank: Kim Jong Un, Ahmadinejad--that is not crazy. If they tried that, then they'd know we might go back and attack them or even, you know, use a nuclear weapon, and since they're not crazy, we have little to worry about--they'll be deterred. Well, the problem is that there are at least two kinds of crazy.

    I once wrote a paper on Hitler's diplomacy. I can assure you that although his objectives were absolutely hideous (to conquer Europe and rule it for a thousand years as an empire and to kill all the Jews), his skills as a diplomat were superb. From 1933 to 1939, Hitler had the chancelleries of Europe eating out of his hand. He was as good as Metternich. It is not inconsistent for a sociopath like Hitler, or Kim Jong Un, or Ahmadinejad, to have a crazed, evil world-destroying objective, but still be a crafty dude. We have, I think, lapsed into a mode of thinking about the Kim Jong Uns or the Ahmadinejads that they can be treated like your average Soviet leader.

    Let me be clear about what I mean when I say that. I kind of miss the Soviet Union, but only in a sense. I spent a lot of years trying to figure out how to deter them, what kind of weapons systems to buy to defeat them, and how to spy on them. But I also negotiated with them four times. Sometimes my Soviet counterpart and I would get really intense at a meeting, but then we'd go out to dinner together and after a couple glasses of wine, we'd start talking about our families and maybe trade some Jewish jokes. And sometimes in the negotiations we could then kind of make a few things work.

    The Soviet military kept Fidel Castro from persuading the Soviet Government to use a nuclear weapon during the Cuban Missile Crisis. We now know from the materials released that Castro badly wanted a nuclear weapon used during the Cuban Missile Crisis. Why? Because he wanted to destroy the United States. But he would have consequently also destroyed Cuba, right? Well, yes, but did he care? Not that much. A Soviet Navy Captain stopped his small flotilla from using a nuclear torpedo during the Cuban Missile Crisis, something that could have set off nuclear war between the U.S. and the Soviet Union. So bless the more or less common sense of at least some Soviet military people. They didn't really want to die for the principle of "from each according to his ability, to each according to his need." They wanted to remodel their dachas, their country homes outside Moscow.

    So we got used to dealing with an enemy that was very bureaucratic, and would allow its economy, which we substantially outperformed, to wither away. And they produced a Gorbachev, who was a pretty decent guy. The enemies we have now, I would say, Kim Jong Un and Ahmadinejad and those around them, are quite capable of creating a lot more tension than what we ordinarily had with the Soviets. They appear to be quite capable of Hitler-like thinking, behavior, and objectives.

    Now if they were thinking about attacking us, using my father's approach, as described above, what might they do?

    Well, first of all, they would notice that the United States has eighteen critical infrastructures: food, water, electricity, natural gas, financial markets, and so on.

    All seventeen of the others depend on electricity. If the electric grid goes out, not just for a few days as in super storm Sandy, but for months to years, we don't have stockpiles of things like transformers--it's not just that your lights would go off. You couldn't pump gasoline at the filling station, because the pump is electric. You couldn't get food because the food delivery system depends on things that are electric in one way or another. You couldn't get water, because the pumps don't work. You would not be back in the 1980's, pre-world-wide-web. You would be back in the 1880's, pre-electric-grid.

    I doubt very seriously that we have enough water pump handles and plow horses and seed to function in a 19th century economy. So the estimate on what would be the result of the grid's going down for a substantial period of time, let's say a year or more, looks at the possibility that you would have two hundred million of the three hundred million people in the United States dead, because the agricultural system that we have is highly technological and feeds all of us, while only two percent of us work on farms. The end of that system means lots of people starve. In that post-electric future we would not see more than about a hundred million people surviving in a non-electrical, non-networked country.

    So, we are talking about the ability of an Ahmadinejad or a Kim Jong Un to seriously consider, if he hated us as much as Hitler hated the Jews, the possibility of taking down the grid, or at least a big chunk of it, for a substantial period of time. It could be something more devastating than some scenarios in which nuclear weapons are used. An effective attack by a few nuclear weapons might destroy several cities. And while that would kill a large number of people, it's probably not going to fundamentally undercut all of our infrastructure. So what about the possibility of North Korea or Iran or somebody else hacking into the grid and taking it down?

    Well, the way that I feel about the electric grid is kind of bipolar. It's true, the National Academy of Engineering said not too long ago that, in a way, it's the most remarkable invention of the 20th century. It's a just-in-time system, and, generally speaking, except when there's a big outage such as from Sandy, it's given us the electricity that we need, so in a sense, it's really remarkable. On the other hand, the electricity grid has been, from the first instance, and it is now, highly fragile. It was first put together in the beginning of the 1880's, and because Tesla won out over Edison, as an alternating current system, which makes long distance transmission possible. But it is a just-in-time system, so if any part of it is interrupted a lot of things can be thrown off.

    It used to be, in the time of childhood or even young adulthood for most of us, a simply-operated system. If you were at a utility in Idaho, and you saw some kind of outage developing that made you need some added electricity, you would pick up the phone, probably something with a dial that hung on the wall, and you'd dial long distance to folks at a utility over in Washington State. You'd say, "Hey, we're going to need a boost here in about thirty minutes. So, can you help out?" "Yeah, we can, we can do that. We'll work it out and give you a call."

    But after a while, with the coming of the computer, it was not a couple of guys on the phone but computers communicating on unique software that some local vendor had sold them so they could communicate a bit faster than they could on the phone. It would have been pretty hard for any outsider to get into it. Then in the mid-1990s, we got worried about Y2K, so as we fixed that problem, we started basically putting the electric grid's control systems on the web. About the same time we basically de-regulated electricity, and let it be bought and sold on an open market. So you now have an open market all over the country, on the web, with a lot of very standard software, and the control systems are ones that lots and lots of people know how to hack.

    And so we now have a system, important parts of which can be disrupted relatively easily. I'll use one example: the Department of Homeland Security cleared some information to go on CNN about three years ago. I don't think it should have been cleared, but it was and it was all over the web. It was a pretty simple hacking maneuver. When you have a spinning machine, at sixty cycles, and you want to put another machine into the mix, and you need to synchronize it, instead of putting them so they synchronize properly, what you do, if you're a hacker, is turn off the control of one of the machines. One of them then spins very much faster than the other because of the torque, and then, within a few seconds or so, you put them back together again. The spinning one then destroys the other. It was on a demonstration up in Idaho three years or so ago. There are other relatively simple tricks.

    Who's in charge of the electric grid? Clearly somebody must be. Not really. There are fifty public utility commissions that are sort of in charge of electricity in each of the states. They are more or less run predominantly by retired utility executives in each state. There are not very many of them that are up to date with respect to new research and development in electrical matters. A Former Deputy Director of ARPA-E in the Department of Energy told me a couple of weeks ago that if you take research and development done last year by all three-thousand, five hundred American utilities and add it together, it is less than the R&D that is done by the American dog food industry.

    There is very little interest in the industry in dealing with these problems. There is a tragedy of the common problems with these utilities. Each essentially says "If I stockpile transformers and my neighbor's utility goes down, he'll probably take me down too, so that stockpiling will turn out to have been a waste of money, so I'm not going to do anything unless everybody has to do it." Who would everybody be? Certainly not fifty public utility commissions. How about the Department of Energy? They have a small electric office and no authority to regulate transmission. What about the Federal Energy Regulatory Commission? Not really. They can regulate transmission but not distribution. Why don't we have a national energy strategy? Because nobody's in charge.

    We are in a situation where a whole set of electricity issues--substantive and organizational--is extremely troubling. Now, since I've been so happy and optimistic, let me leave you with one other--I'm afraid--rather difficult problem. We've heard about EMP (Electro-Magnetic Pulse). Apparently it's the case that, about once a century, we have a very large solar event--it's called a Carrington Event--and there's a huge electromagnetic pulse, naturally caused. The last time we had a very large one was a century and a half ago, in 1859. There were just a few telegraphs around to show what happened to electrical equipment, but everybody is quite clear: It was a devastating electrical storm.

    There have been lesser events that were still quite devastating to more modern electronics. There was one in the 1920s that was reported in Russia and to a limited extent, in the Western Hemisphere. As far as man-made EMP events are concerned, open-air nuclear detonations sometimes occurred from 1945 until 1963 before the atmospheric test-ban treaty took effect. There were not many transistors in the early '60s, and vacuum tubes aren't affected by EMP, but by looking at the effect of those open-air tests, both the Americans and the Soviets came to the conclusions that a storm of the sort that occurred in 1859, or a comparable powerful nuclear explosion, particularly at a very high altitude--could be absolutely devastating to electronics.

    The Russians, the Chinese, now the Israelis and the British, are all getting their electrical systems protected against electromagnetic pulse, whether caused by the sun or by a nuclear explosion. We're not, because nobody's in charge.

    One final point. It's possible to create such a pulse with the detonation of a relatively simple nuclear weapon. It doesn't have to be sophisticated; it just has to go off a few hundred miles above the target area. So, we have, to put it mildly, a very major cyber problem with the grid and at the same time we have a solar and a nuclear explosion problem. The electric grid is vulnerable in more than one way and we have not done a responsible job in taking care of it or the rest of our infrastructure. We've got a lot of work to do, and it needs to be done quickly.

    [Edited from transcript.]

    CYBERSECURITY AND ECONOMIC, FINANCIAL AND MARKET WARFARE

    Christina Ray, Senior Managing Director for Market Intelligence at Omnis, Inc.

    The global financial markets are the virtual equivalent of the US power grid; each of these two networks, whether physical or virtual, may exhibit both the fragility and robustness that are the characteristics of a HOT (highly optimized tolerance) system and therefore be high-value targets in a new paradigm of warfare.

    We know that the financial markets are one of the battlefields on which future wars will be fought. We have been told so: for example in a 1999 book titled, Unrestricted Warfare, (literally, warfare without bounds) written by two PLA officers Colonel Qiao Liang and Colonel Wang Xiangsui, and translated from Chinese.

    http://www.youtube.com/watch?v=FSGGMpsMpGw

    As they stated, "So, which [of many unconventional means], which seem totally unrelated to war, will ultimately become the favored minions of this new type of war--the non-military war operation--which is being waged with greater and greater frequency throughout the world? Financial War is a form of non-military warfare which is just as terribly destructive as a bloody war, but in which no blood is actually shed. Financial warfare has now officially come to war's center stage."

    In that same book, the authors posited a number of economic attacks, including an attack on the World Trade Center and an attack by Bin Laden. 9/11 was an instance of economic and financial warfare as well as a physical attack: in the days following 9/11, Bin Laden explicitly bragged about the loss of market capitalization the attacks had triggered.

    The Intelligence Community is well aware of the links between economic warfare and geopolitical risk. As described in the O/DNI's Vision 2015, "Each driver and trend independently produces unique changes and challenges; those points where factors intersect often reinforce and amplify the effects of change and create a series of unpredictable threats and risk that transcend geographical borders and organizational boundaries."

    To understand its vulnerability to cyberattack, it is necessary to take a systems view of the global capital and commodities markets. The global markets are chaotic (strictly speaking, in a state of deterministic chaos), which is not to say that their behavior is random. Instead, like an amusement park Tilt-a-Whirl ride, they obey the laws of physics (or economics) even as they jerk and spin.

    Specifically, they exhibit the characteristics of a complex, adaptive, and self-organizing system. The global markets are complex and adaptive, in that they change in response to either exogenous forces or to changes in their environment. They are self-organizing, in that market mechanisms and activities permit the spontaneous generation of order in a complex, adaptive system. For example, a market economy is self-organizing, whereas its opposite, a command economy, is not.

    Such adaptation might result in a self-correcting process that attempts to maintain the current state. Or, conversely, it might instead require the system to jump to an entirely new state to find a new type of stability (i.e., exhibit emergent behavior). The danger lies in the fact that this new state might be considered catastrophic by some observers.

    Some systems are more robust than others, and like the power grids, the financial system can be both robust and fragile because of their highly-optimized tolerance.

    For example, because of market activities such as location arbitrage (e.g., buying one security in New York, selling its economic equivalent in London) the global markets are highly interconnected. Transactions are the message packets between markets venues, causing the markets to be in a continuous state of evolution. And transactions in high-frequency trading (HFT), that is, trading using computer-based algorithms without human intervention, can occur in as little as 100 nanoseconds. So, such evolution to a new and dramatically different state can be virtually instantaneous.

    In the past we've experienced relatively benign instances of contagion in the US markets. So-called "fat finger" trades may have been manually triggered when, say, a human trader entered an order to sell 10,000 futures contracts instead of 100 in a thin market in French Franc futures. The Flash Crash of May 6, 2010 was a more dramatic version of the consequences of a similar, benign trigger (attributed by some to an unusually large order in e-mini S&P 500 contracts by a mutual fund) in a market already nervous about the Greek credit crisis. On that date, the Dow Jones Industrial Average plunged about 1000 points (about 9%).

    Although it recovered from those losses within minutes, massive losses occurred. Similarly, on August 1, 2012 a "technology breakdown" at Knight Capital Group caused a major disruption in the trade of about 140 stocks and losses to Knight of over $400 million.

    Net-centric warfare may be both literally and figuratively accurate in the future. If such disruptions can occur at the hands of benign actors, they might be able to be deliberately engineered by adversaries of the US. The recent interest in storing big data and development of the means to perform sensemaking on such data may give adversaries an enhanced ability to identify points of vulnerability and fine-tune attack mechanics in the financial network.

    The nature of a cyber-attack on the markets would be different from, say, a denial of service attack in another sector. For example, although there is now in-line risk management for HFT (that is, the size of an order is checked against risk limits before being sent to the electro