Visit Your Local PBS Station PBS Home PBS Home Programs A-Z TV Schedules Watch Video Support PBS Shop PBS Search PBS
hackersFRONTLINE
homewho are hackers?the riskswho's responsibleprotecting yourselfinterviews

interview: james christy


photo of james christy

As the Law Enforcement and Counterintelligence Coordinator for the Defense-wide Information Assurance Program, Christy investigates computer crime for the US Department of Defense. Prior to this he was the director of Computer Crime Investigations for the Air Force Office of Special Investigations.
Tell me about your day job.

I'm a computer crime investigator with the Department of Defense. I've been working on computer crime issues for, I guess, the last 14 years. I'm currently assigned to the Defense-wide Information Assurance program as the Law Enforcement Counter-intelligence coordinator. The job is to integrate law enforcement into information assurance and infrastructure protection.

And how is that going?

In the Department of Defense, we're actually moving pretty well now. I think we're way ahead of most of the other departments.

. . . Technically speaking, why is the internet so vulnerable now?

Because of the history of the internet. It was developed by the Department of Defense for nuclear weapons, for nuclear command and control. They designed it so there was no central point of control, so that it couldn't be taken out, which would cripple nuclear command and control. When you do that, there's no centralized piece that's in charge. There's no center that's in charge. It's a self-healing network that just reroutes traffic--so it's basically a living, breathing entity out there.

. . . Why can't we just devise a great big portcullis that comes down and stops anyone who is coming into places that we don't want them to come into?

. . . We have the technology. It's a matter of applying those technologies, and they're not cheap. And once you apply them, now your network has probably changed again. So now you have to continually assess that network and continually apply new security features. This isn't cheap.

And, of course one of the problems is that when you suffer a cyberattack, you don't necessarily know who's attacking?

Absolutely. Anonymity is built into the process. And in this environment, it's the great equalizer. You know, during the cold war, we knew who the bad guys were, and they had nuclear weapons. There was a finite group, and there was a deterrent, because they knew that if they attacked us, we would know that they attacked us and we would attack them back. That's a significant deterrent. But now, anybody who goes down to Best Buy or Radio Shack can buy a computer for two or three hundred dollars, and they have internet connectivity. And these individuals can . . . have a weapon of mass destruction sitting on their desk in their bedroom.

And you're learning that defending against such an attack is no little thing?

Absolutely. And I don't think that the big machines of government are tooled to address this yet. It's hard to make that adjustment quickly. There's another big difference, and that's the commercial sector. The commercial sector today, whether they like it or not, whether they want it or not, now have a role in national security. If you take down an infrastructure, the military, the intelligence community, and the economic security of a nation may depend on a private sector infrastructure, which the government doesn't have any control over securing.

Are we likely to see the growth of a private cyberpolice--Pinkertons of the cyberworld protecting private corporate interests?

. . . I don't think you're going to find private sector cops out there. You will find private sector security monitoring and securing. But once you have a problem, you're probably going to have to call law enforcement. And law enforcement is starting to gear up for that, at least at the federal level. We still have a way to go at the local level here in the United States. . . .

When you really look at this problem, it even challenges the Constitution. Do you see it that way?

We have to change the way we do business. We need Congress to enact new laws to speed up that process. We need other countries to understand, to synchronize the laws, the processes and to expedite . . . We need to set up processes that work at the speed that the bad guys work at.

Can you give me an example of what needs to be changed?

Anybody who can buy a computer for $200-300 and have internet connectivity. ..can have a weapon of mass destruction sitting on their desk. . . . A court order issued in Florida should be recognized in cyberspace, in US cyberspace, so we could expedite the whole process. . . . If you think about any law enforcement agency, jurisdiction is always based on geography--city, county, state, country. And that always made sense. It goes back to old common law, that the bad guy had to be in the same vicinity as the victim to commit the crime. That's no longer true. Now we can have multiple victims simultaneously all over the world with one event. So now we have to change those processes to be effective. . . .

What percentage would you put on the chance of an electronic Pearl Harbor, or at least a cyber catastrophe?

I don't think it will be tomorrow, but I think it could be tomorrow. I think that countries and traditional terrorist organizations have not really adopted this doctrine yet. But it's only a matter of time. . . . When the new generation of leadership in terrorist organizations and nation-states moves into positions where they can affect things, I think you will find that that's going to eventually happen to us.

And you're convinced of that?

Absolutely. I mean, anonymity is built into the process. You don't have to sacrifice two individuals like they did in Yemen. . . . You can do it remotely and maybe have the same effect. . . .

When you look at all the vulnerabilities and all the complications . . . ultimately, can we fix this? What is going to happen?

I guess I'm optimistic. It's just a matter of awareness. We addressed Y2K. That was a big problem, but once we recognized it and we realized the criticality of our systems, we dedicated resources to fix it, and we fixed it. So I think this is the same thing. Once we recognize that awareness is a big part of the problem . . . and we're willing to put resources to it, we can fix this.

And we can fix it even though the government doesn't own the infrastructure?

I think that the commercial world and the private sector are going to realize this at some point. When people start taking advantage of this and it's costing them money, they're going to realize that they have to apply resources to it, and they will.

And if we don't take some action soon, what's in store?

We could have that electronic Pearl Harbor. . . . We could actually go through something like that.

home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online

some photos copyright ©2001 photodisc
web site copyright 1995-2008 WGBH educational foundation