JEFFREY BROWN: Next: theft and security in cyberspace.
A front-page story in today’s Wall Street Journal details a computer attack against financial giant Citigroup that may have resulted in the theft of millions of dollars. The company has denied the attack took place. But The Journal says the FBI is investigating and linking the crime to a Russian cyber gang.
And, in Washington today, President Obama named a new national cyber security coordinator. Howard Schmidt will oversee the government’s efforts to secure its own computers and work with companies in the private sector.
We look at all this now with James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies here in Washington.
JAMES LEWIS, Center for Strategic and International Studies: Welcome.
JEFFREY BROWN: Let’s start with the attack — the report of the attack on Citigroup. Not — a lot of details we don’t know here, but how common are attacks on financial institutions?
JAMES LEWIS: They’re more frequent than you might think. Ten to 12 a year is one number I have heard, about in this range, you know, 10 million, maybe more, maybe a little less. So, this is not that unusual.
JEFFREY BROWN: In this case, they’re talking about, they’re pointing to this Russian cyber gang. Now, what or who is that?
JAMES LEWIS: You know, the Russians have some tremendously skillful hackers, cryptographers, mathematicians, not a lot of work there for a while in Russia. And, so, a lot of them went into hacking.
And the main reason you find them in the former Soviet Union is because it’s a sanctuary. They’re not going to be arrested. So, it’s a beautiful crime, lots of money, no risk.
JEFFREY BROWN: No risk, because there’s nobody trying to stop — shut it down?
JAMES LEWIS: Every once in a while, one of them gets caught. The main rule you have to know if you’re a hacker in Russia is don’t take vacations in the West.
JEFFREY BROWN: Now, in this case, in the report, supposedly, it took place over the summer or before. Do these things get found? How do they get found? How do they get stopped?
JAMES LEWIS: You know, sometimes, if they come from overseas, some U.S. government agency, whether it’s the FBI or NSA, will see them coming in.
One of the problems we have is that NSA is the best at monitoring traffic from outside, from foreign sources. But our laws…
JEFFREY BROWN: The National Security Agency.
JAMES LEWIS: … they prevent — our laws prevent them from intervening. So, in this case, it was discovered while it was in progress, but too late to really stop it.
JEFFREY BROWN: And to stop it, is it easy or hard?
JAMES LEWIS: And I have to say, we don’t know if it was Citibank, but we do know that some large bank was hacked this summer.
And to stop it is relatively hard, because these are very skillful criminals. And they have taken weeks, if not months, to prepare their attack.
JEFFREY BROWN: Now, how do they fit into this larger universe of hackers or thieves? I mean, is this world expanding? Are people getting more sophisticated? Is it, in fact, a range of sophistication from amateurs up to real professionals?
JAMES LEWIS: You know, I don’t even worry about the amateurs anymore. The top of the league are nation states, countries that are hostile to the U.S. and engage in cyber espionage, fabulously skillful, lots of money.
Second tier are the sort of cyber criminals, the high-end cyber criminals that we have seen in these bank incidents, very often from the former Soviet Union, also very skillful, not as good as the big countries, but up there at the top of the league. And then it goes downhill from there, all the way down to some kid.
But one of the problems we have is that it’s getting easier to do this. And if you saw the story last week about someone, an insurgent in Iraq, who bought some off-the-shelf software and was able to hack into UAVs, that’s the path we’re on.
JEFFREY BROWN: Now, the White House announcement today naming Howard Schmidt to head its cyber security effort, what exactly should he — what does a person like that do? What does that job include?
JAMES LEWIS: Howard has a real opportunity here. And his job is — pick one. He’s the conductor for the orchestra. He’s the coach for the soccer team. His job is to coordinate the efforts. And there’s been some good efforts in the last few months undertaken by the Obama administration at Defense, at DHS, at FBI, even at State.
JEFFREY BROWN: Is that the team, or the orchestra members, to use your analogy? Who is he coordinating?
JAMES LEWIS: Throw in Commerce, and you have pretty much the lot, thank USDR.
But we’re talking about the national security agencies, the technology agencies. And they’re the people who are trying to come up with solutions. Howard needs to make sure that the solutions are consistent and implemented coherently. That’s a big job.
JEFFREY BROWN: And how tough is it to corral that — the bureaucracy of different players?
JAMES LEWIS: You know, it depends. If the president is behind him, he will be able to do it. And, so, that’s the main thing that has to come across, is, this is a presidential priority. I think it is. It’s still going to be hard.
Agencies don’t like being reeled in. But this is the normal drill in Washington. So, I think he will be able to pull it off.
JEFFREY BROWN: Well, in fact, President Obama had talked about doing this as early as May. And then there were reports that it was taking a while to fill the position or to figure out who that person would report to.
JAMES LEWIS: There’s a dispute in the White House and in the administration. And I think that slowed things down.
Some people think it’s best to leave the Internet alone, let it be the Wild West, let it continue to have a limited role for government, and the Internet community will find its way out of this problem.
I don’t happen to agree. I’m not sure where Howard comes out on this, but…
JEFFREY BROWN: Don’t you agree why?
JAMES LEWIS: I don’t, because we have tried letting the Internet community solve this. We have tried seeing if it was a self-organizing global commons. It hasn’t worked. It’s just like the Wild West. Time to move in the marshals.
JEFFREY BROWN: Now you talked about the top tier, I think you referred to it, was governments.
JAMES LEWIS: Right.
JEFFREY BROWN: What are they — what are they doing? You’re talking about cyber spying and…
JAMES LEWIS: Yes. This is a new form of espionage.
The Internet is God’s gift to spies. It just is so helpful. You don’t have to go there physically. You can just break in from 30 — you know, 3,000 miles away, fabulously easy.
A lot of people have put a lot of effort into it. The first case I know about was in 1984, with the Soviet Union breaking into DOD and university computers here in the U.S. Some places have been doing this for decades.
JEFFREY BROWN: So, what does Mr. Schmidt do with — about that?
JAMES LEWIS: We have got a problem here as a country, because the only people who can really compete with the intelligence agencies of big foreign countries are at NSA.
But we’re all, with reason, a little nervous about giving NSA free rein to act in cyberspace. So, we’re going to have to sort out things internally, what do we want DOD to do, what do we want DHS to do, what do we want FBI to do, while recognizing that it’s only NSA that has the capabilities to play at the top of the league?
JEFFREY BROWN: Let me ask you briefly to come back full circle here to the financial institution, whatever it was. Is it something that average citizens have to fear?
JAMES LEWIS: No.
JEFFREY BROWN: Or is it something that any of us should be recognizing or dealing with?
JAMES LEWIS: Yes, we need to fear it, because the long-term cost to our economy is very damaging, the risk to the financial system, but, greater than that, the loss of intellectual property.
We pay for research. Other countries get the benefit. That’s not how to be competitive. But, right now, I do online banking. I don’t worry about it. I think that, if you’re a consumer, you’re probably safe. But, as a nation, we’re at risk.
JEFFREY BROWN: All right, James Lewis, thanks so much.
JAMES LEWIS: Thanks.