JEFFREY BROWN: At the White House this morning, President Obama warned, it’s already taken too long to address computer security. He said the country now faces what he called a transformational moment.
BARACK OBAMA, President of the United States: Our technological advantage is a key to America’s military dominance. But our defense and military networks are under constant attack.
Al-Qaida and other terrorist groups have spoken of their desire to unleash a cyber-attack on our country, attacks that are harder to detect and harder to defend against. Indeed, in today’s world, acts of terror could come not only from a few extremists in suicide vests, but from a few key strokes on the computer, a weapon of mass disruption.
JEFFREY BROWN: Just last April, The Wall Street Journal reported the U.S. electrical grid had been hacked. It said cyber-spies probed the power system and planted software to cause disruptions.
Another report said the Pentagon’s Joint Strike Fighter program was struck, but officials insisted the breach was nothing serious.
Overall, the Defense Department reported 360 million attempts to penetrate its data networks last year, up from six million in 2006. And cyber-damage has cost $100 million over six months. Add to that rising threats to the private sector, including losses from identity theft and monetary scams, and the president said, it’s clearly time for urgent action.
U.S. PRESIDENT BARACK OBAMA: From now on, our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be, as a strategic national asset.
Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy, and resilient. We will deter, prevent, detect and defend against attacks, and recover quickly from any disruptions or damage.
JEFFREY BROWN: The president said he would soon appoint a coordinator to head a new White House office on digital security.
He also laid out a broad strategy to safeguard vital private and public computer networks. Those would include systems that handle financial transactions at the stock exchanges and manage air traffic control of the nation’s skies.
Meanwhile, the Defense Department is crafting its own cyber-security military command to complement the new civilian efforts.
Broad spectrum of threats
JEFFREY BROWN: And for more on all of this, we turn to Michael Vatis, who, in the late 1990s, headed the first federal agency charged with safeguarding the Internet from attack. He's now in private legal practice working on related Internet and technology matters.
And James Bamford, journalist and author of several books about national security, intelligent -- and the intelligence community.
Michael Vatis, first, how serious a problem is this? What kind of vulnerabilities are out there?
MICHAEL VATIS, Internet security expert: This is an enormous problem.
We have vulnerabilities throughout the computer networks that make up what is known as cyberspace. There are vulnerabilities in the infrastructure of the Internet. There are vulnerabilities in the computer systems of the critical infrastructures tied to the Internet, of the banking systems, communication systems, energy systems.
All of these vulnerabilities can be exploited by foreign and domestic adversaries. And we have to address both the vulnerabilities themselves and the adversaries who would take advantage of them. This is an enormous problem and a broad spectrum of threats that we're facing.
JEFFREY BROWN: James Bamford, that number I cited in the -- in the introduction of 360 million attempts, the Pentagon says, to penetrate data networks, that is kind of an astounding number.
What does it -- what does that mean, an attempt like that, and how is it fended off?
JAMES BAMFORD, author, "Pretext For War": Well, there are a lot of attacks. There's a lot of people that want to get information. There's a lot of people that want to get into the banking system. There's a lot of people that have an interest in finding out what the Pentagon's doing.
How you prevent that is the question, I think, that they are trying to deal with right now. The problem we have had before is that there hasn't been an organized effort to try to mobilize what defenses the United States has.
And, today, they have created a cyber-czar for it. One problem with that, however, is that the person who is going to be the cyber-czar in the White House doesn't really have a lot of money to give out. That is mostly in the Pentagon. And there is a lot of worry that the NSA, which is the big intelligence agency, may get involved in trying to protect the infrastructure.
Attacks from abroad
JEFFREY BROWN: All right. Well, before we get to questions like that, though, I still want to understand the nature of the problem. I mean, who are the bad -- let me stay with you.
JAMES BAMFORD: Sure.
JEFFREY BROWN: Who are the bad guys in cyberspace? Who are the potential bad guys? Who are we talking about?
JAMES BAMFORD: Well, a lot of the attacks are coming from China. A lot are coming from Russia. A lot are coming from just plain old hackers.
So, it's hard to tell exactly who the -- the attackers are. Somebody could be coming -- an attack could be coming from a computer in China. But that could be being sent from the Philippines. It could be being sent by anyplace.
So, where the attacks are coming from doesn't mean that -- necessarily, that that is where the -- the person behind that computer is the person sending the attack.
JEFFREY BROWN: Mr. Vatis, what's -- what's your answer to, who are you most worried about?
MICHAEL VATIS: Well, the biggest worry is about our potential adversaries, especially nation states, like China and Russia.
If we ever come into a period of conflict, they have great capabilities in this area, and they could do enormous damage to our critical infrastructures, to our ability to project military force abroad. And they could disrupt our vital infrastructures here that -- that are necessary to the everyday functioning of our economy and our society.
So -- but those are more in the -- in the realm of the potential threats. They are not going to be unleashing incredibly destructive attacks right now, when we're at peace with both nations.
But, even today, we're seeing ongoing attacks that, as the president said, are causing an estimated $8 billion of -- of losses to American businesses and individuals every year, very active criminal groups in the former Soviet countries and in Eastern Europe that have made a very dynamic business enterprise out of stealing proprietary information, directly stealing funds from financial institutions, engaging in identity theft and -- and related extortion efforts.
So, that's going on right now. I think another very worrisome potential threat is terrorism, cyber-terrorism. Osama bin Laden and -- and other high-level terrorist leaders have talked about using cyber-attacks as one of the weapons in their arsenal against U.S. interests and -- and Western interests.
So, it really is a -- a broad spectrum that includes those -- those most worrisome threats.
Protecting civilian infrastructure
JEFFREY BROWN: So, Mr. Bamford, you started to talk about some of the issues going forward here, and -- and some of the questions, I guess.
One is almost an organizational question, given the kind of -- the number of agencies involved and the potential for conflicts, right? Is that what you are referring to?
JAMES BAMFORD: Yes, the -- the problem is that there's attacks coming from a lot of places that people don't know where it is coming from.
So, the issue is, how do we protect the infrastructure? We have got a civilian infrastructure and a military infrastructure. And the military infrastructure, the talk right now is to use the National Security Agency, to a large degree, to -- as the protective force.
And the -- I think the danger with that is, the National Security Agency, if they get involved in the domestic telecommunications system, it could be a very disastrous move for privacy, because the NSA spent three years doing warrantless eavesdropping. And that could be one of the -- the issues if they get involved in trying to work inside the U.S. telecommunications system.
JEFFREY BROWN: Well, Mr. Vatis, there -- there is some experience here. You -- you have been part of it over the last number of years. What -- what lessons have been learned to help going forward?
MICHAEL VATIS: Well, I -- I worry that not enough lessons have been learned, because I see the same problems crop up in each successive administration.
And they run up against the same impediments and don't seem to find a way around them. One of the problems is -- is what James was talking about, turf battles among government agencies. There are always turf battles in Washington, but this issue is particularly conducive to turf battles, because it spans across the mission areas of many, many different agencies -- law enforcement, intelligence, military and civilian agencies.
All of them have a very big role to play. And, so, they naturally engage in battles for who will have the principal responsibility. That needs to be resolved quickly. Appointing someone at the White House to be in charge is a great first step, but it's not enough, because that person has to have the requisite budget, the requisite authority, and the ideas to implement. What is the strategy going to be to get all these agencies to -- to work together and to work effectively with the private sector?
What we heard today was really a plan to make a plan. It isn't the plan itself. It's not the strategy. The only new thing today, in addition to the announcement that there will be a -- a White House czar in charge of all this, the really new thing is that the president himself took personal ownership of the issue.
He gave a 17-minute speech saying, this is a serious problem, this is a top national security priority for the president himself, and he's going to fix it.
That really hasn't been done before. And I think that, in itself, is -- is a big, big milestone for this issue.
JEFFREY BROWN: And are you also...
MICHAEL VATIS: And now that he is responsible, he has got -- his -- his administration has to come up with a plan that actually meets -- meets the expectation that he has set.
JEFFREY BROWN: I was just going to ask you about the privacy issue that Mr. Bamford raised. How much of it is -- has been discussed through the years? How much of it is an issue of concern going forward?
MICHAEL VATIS: Well, I think there are significant privacy issues. But they shouldn't be overstated.
The privacy issues really arise if you have got government agencies monitoring private communications without the consent of the private parties that are engaging in those communications. But figuring out a way to harden our infrastructure against attack, to make software and hardware less vulnerable, those sorts of efforts, in themselves, don't raise any privacy issues.
And we can also, I think, figure out ways to have communications be more secure, and also allow better authentication of identity, which, also, if it is done with the consent of the users of the Internet and of communication systems, would not raise privacy problems, necessarily.
So, I -- I think it's -- it's a mistake to raise -- you know, wave the flag of privacy in a way that -- that stops all progress.
JEFFREY BROWN: All right.
MICHAEL VATIS: We have to be concerned about privacy. But it's really -- it's not necessarily an issue, with all of the measures that could be taken to secure our systems.
JEFFREY BROWN: All right. And a last -- I'm sorry -- and a last word, Mr. Bamford.
You sound more worried about the privacy issue.
JAMES BAMFORD: Well, I'm worried about it because we had the National Security Agency engaged in illegal warrantless eavesdropping for many years, without any congressional oversight of it. And now we're -- we would be letting the -- the NSA get access to the -- the domestic infrastructure, telecommunications infrastructure.
The other problem I think is just the -- the hype aspect. This is a problem, but we always seem to hype these problems greatly when we start getting into it, the war on drugs, the war on terrorism. It's always this enormous threat.
And I think we have to tone down a bit the -- the threat that the world is coming to an end if -- you know, if we don't do something immediately to correct the cyber-problem.
JEFFREY BROWN: All right. We will leave it there and follow along.
James Bamford, Michael Vatis, thank you both very much.
MICHAEL VATIS: Thanks for having me.