JEFFREY BROWN: Now some wider perspective on all this from two who follow the online world closely.
James Lewis is director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies here in Washington. And Larry Clinton is president and CEO of the Internet Security Alliance, an industry trade group that represents companies and organizations focusing on Internet security.
Welcome to both of you.
Jim Lewis, how — we listen to this. Now, broaden it out. How vulnerable is the system and where do you see the main problems?
JAMES LEWIS, Center for Strategic and International Studies: The main problem is that we’re using 1970s technology, or, at best, 1990s technology, and it just isn’t appropriate anymore for a global infrastructure.
And there are some things, like this Gawker website, that we’re just never going to be able to fix. Passwords are very difficult to make secure, maybe impossible. So if you’re depending on a password, chances are you’re going to be in trouble. And I know that might frighten people, but that’s the reality.
JEFFREY BROWN: Reason for being frightened? What do you see?
LARRY CLINTON, president & CEO, Internet Security Alliance: Well, there is reason for being frightened.
We have an insecure system that was designed to be open, not to be secure. And we’re expanding that system with all sorts of new devices, handheld devices, smartphones, et cetera. So, the system is becoming generally less secure.
JEFFREY BROWN: It’s interesting, because a lot of this isn’t about high technology. This is human nature, right? People want to simplify their lives, so we use the same password.
LARRY CLINTON: Well, that’s right. I mean, the problem really…
JEFFREY BROWN: They even use the password for password.
LARRY CLINTON: Exactly, or 12346, the most common password.
JEFFREY BROWN: Yes.
LARRY CLINTON: The problem isn’t that we couldn’t build secure systems. The problem is really more that we won’t buy secure systems. We want easy and we want cheap.
And we’re going to have to begin to look at cyber-security as much more than just a technological issue. It’s a strategic and economic issue. And we’re going to have to take a full-scale look at all these things in an integrated fashion.
JEFFREY BROWN: Well, give us a little sort of news that viewers can use here. I mean, what should consumers, what should they do? Especially, here we are in the holiday season, and a lot of people are online shopping, for example.
JAMES LEWIS: Yes. And if you pay a little attention to your password, you can make it harder, and you’re going to knock out the lower-end hackers, which is mainly what we have seen in a lot of these WikiLeaks and Gawker things. You know, don’t use your pet’s name.
If you have personal information on Facebook or a social networking site, don’t use that as your password.
And a lot of people do that. And, finally, the default password on all equipment when you buy it is password. Change the default.
JEFFREY BROWN: What would you add to that for…
LARRY CLINTON: Well, that’s all good advice. And it does begin to scratch the surface of the problem.
But we need to get much deeper with the problem. Enterprises need to be much more involved in overall cyber-security. One of the least publicized facts in this field is that we know tons about how to secure these systems.
JEFFREY BROWN: We do?
LARRY CLINTON: We do.
JEFFREY BROWN: What do we know, for example?
LARRY CLINTON: Well, enterprises need to have a risk management plan. Most don’t. They need to have somebody in charge of the plan. Most don’t. We need to be beginning to fund the investment in cyber-security equal to the upside that we do invest.
Most businesses are happy to invest in online marketing and all the advantages for cyber-security. They are not investing in the cyber-security defensive structures that they need to be putting in place, many of which are highly effective. There are standards, practices, technologies that could protect many of these sites. They’re simply not investing in them.
JEFFREY BROWN: Is that correct, in your experience, that they don’t want to invest, even after we see something with Gawker? And we see it — of course, that’s just the tip of the iceberg, right?
JAMES LEWIS: Yes, it’s a question of investment. It’s a question of practices. And it is, to some extent, a question of technology.
To some extent, this technology is just not securable. And so there’s always going to be an element of risk. One of the things that’s nice about these denial of service attacks is it…
JEFFREY BROWN: Explain. Explain what that is.
JAMES LEWIS: Denial of services, as we heard, people launching hundreds or thousands, tens of thousands of messages at a company, to the point where their computer on the receiving end is overloaded and crashes.
And that’s an avoidable problem. That’s a problem that people have figured out how to beat. So when you see somebody falling prey to a denial of service attack, it means they haven’t been paying any attention for the last five or six years.
JEFFREY BROWN: But so what do you tell — let’s focus on companies for a moment. We talked about individuals. What should companies be doing, do you think?
JAMES LEWIS: Companies have to take this a lot more seriously. And the denial of service is the low end of the threat.
The high end of the threat is espionage or sabotage. We have seen a lot of espionage. For denial of service, as for espionage, you have to say, am I doing the basic hygiene things? Am I making sure my systems are patched? Do I have a risk management plan? Have I put in place the technologies that will let me track who is trying to do what to my network?
All of this is out there. And, in fact, the whole WikiLeaks thing with DOD, with the right technologies, we could have avoided WikiLeaks. So this is a problem maybe of will, maybe of incentives. But it’s something that is fixable if we can get our act in gear.
JEFFREY BROWN: And yet you’re saying that, when you go to companies, a lot of companies just say, this is last on our list, after marketing and various other things?
LARRY CLINTON: Well, if you’re a small business, you want one thing, which is to become a big business. There are about a third of our major corporations that are investing adequately in this.
But in two-thirds of American businesses, investment in cyber-security is actually going down. And I think Jim is absolutely right. We need to put in place a 21st century partnership between government and industry, so that we get the proper incentives put in place to expand the perimeter of cyber-security, and, that way, we don’t have to be training our grandparents to update their Twitter accounts properly.
JEFFREY BROWN: What about the hackers? I mean, we refer to this phrase now hacktivists, right? Do you see them that way? Are they pranksters? Is it worse? And how organized is this all?
JAMES LEWIS: Well, one of the nice things about the Internet is it lets virtual communities spring up. And it can be virtual communities of people interested in the same kind of dog, or it can be people interested in the same kind of nutty political cause.
It empowers them both. And so what we have got now are groups that share views widely distributed around the globe and have a technology that will let them express their opinions. We have seen this in Estonia. We see it all the time in Asia.
It’s a way to — it’s a new form of politics. And it’s like those anarchists who come and demonstrate in front of the IMF, except, these times, they can hide behind the Internet. They can do — make a lot more noise, do a lot more damage.
JEFFREY BROWN: And do we know much about how organized they are as groups? I mean, we’re talking about Gawker. We’re talking about the Wikipedia — WikiLeaks. Excuse me.
LARRY CLINTON: Yes, they’re very organized. Actually, the biggest problem is organized crime.
The organized criminal syndicates, particularly in Eastern Europe and in China, are the ones who are providing the basis for a lot of this nefarious behavior. And then we get a lot of attention paid to the hacktivists, which generate attention.
But the real insidious threats are things like the advanced persistent threat, which, unlike a hacktivist attack, like we’re seeing with the WikiLeaks, is not designed to generate attention. It’s designed to get into a system, and so you don’t even know that it’s there. And it quietly steals, not only personal data, but corporate intellectual property, national secrets, et cetera.
And this is very, very organized. And it’s driven by the attempt to make money.
JEFFREY BROWN: And mostly quiet, right?
LARRY CLINTON: Very, very quiet.
JEFFREY BROWN: And that’s the kind of discussion — those are the things we don’t discuss, usually, and we don’t hear about.
LARRY CLINTON: That’s right.
JEFFREY BROWN: All right, Jim Lewis and Larry Clinton, thank you both very much.
JAMES LEWIS: Thank you.
LARRY CLINTON: Thank you, Jeff.