Tell me about your day job.
As the Law Enforcement and Counterintelligence Coordinator for the
Defense-wide Information Assurance Program, Christy investigates computer crime
for the US Department of Defense. Prior to this he was the
director of Computer Crime Investigations for the Air Force Office of
I'm a computer crime investigator with the Department of Defense. I've been
working on computer crime issues for, I guess, the last 14 years. I'm
currently assigned to the Defense-wide Information Assurance program as the Law
Enforcement Counter-intelligence coordinator. The job is to integrate law
enforcement into information assurance and infrastructure protection.
And how is that going?
In the Department of Defense, we're actually moving pretty well now. I think
we're way ahead of most of the other departments.
. . . Technically speaking, why is the internet so vulnerable now?
Because of the history of the internet. It was developed by the Department of
Defense for nuclear weapons, for nuclear command and control. They designed it
so there was no central point of control, so that it couldn't be taken out,
which would cripple nuclear command and control. When you do that, there's no
centralized piece that's in charge. There's no center that's in charge. It's
a self-healing network that just reroutes traffic--so it's basically a living,
breathing entity out there.
. . . Why can't we just devise a great big portcullis that comes down and
stops anyone who is coming into places that we don't want them to come
. . . We have the technology. It's a matter of applying those technologies,
and they're not cheap. And once you apply them, now your network has probably
changed again. So now you have to continually assess that network and
continually apply new security features. This isn't cheap.
And, of course one of the problems is that when you suffer a cyberattack,
you don't necessarily know who's attacking?
Absolutely. Anonymity is built into the process. And in this environment,
it's the great equalizer. You know, during the cold war, we knew who the
bad guys were, and they had nuclear weapons. There was a finite group, and
there was a deterrent, because they knew that if they attacked us, we would
know that they attacked us and we would attack them back. That's a
significant deterrent. But now, anybody who goes down to Best Buy or Radio
Shack can buy a computer for two or three hundred dollars, and they have
internet connectivity. And these individuals can . . . have a weapon of mass
destruction sitting on their desk in their bedroom.
And you're learning that defending against such an attack is no little
Absolutely. And I don't think that the big machines of government are tooled
to address this yet. It's hard to make that adjustment quickly. There's
another big difference, and that's the commercial sector. The commercial
sector today, whether they like it or not, whether they want it or not, now
have a role in national security. If you take down an infrastructure, the
military, the intelligence community, and the economic security of a nation may
depend on a private sector infrastructure, which the government doesn't have
any control over securing.
Are we likely to see the growth of a private cyberpolice--Pinkertons of the
cyberworld protecting private corporate interests?
. . . I don't think you're going to find private sector cops out there. You
will find private sector security monitoring and securing. But once you have a
problem, you're probably going to have to call law enforcement. And law
enforcement is starting to gear up for that, at least at the federal level. We
still have a way to go at the local level here in the United States. . . .
When you really look at this problem, it even challenges the Constitution.
Do you see it that way?
We have to change the way we do business. We need Congress to enact new laws
to speed up that process. We need other countries to understand, to
synchronize the laws, the processes and to expedite . . . We need to set up
processes that work at the speed that the bad guys work at.
Can you give me an example of what needs to be changed?
. . . A court order issued in Florida should be recognized in cyberspace, in US
cyberspace, so we could expedite the whole process. . . . If you think about
any law enforcement agency, jurisdiction is always based on geography--city,
county, state, country. And that always made sense. It goes back to old
common law, that the bad guy had to be in the same vicinity as the victim to
commit the crime. That's no longer true. Now we can have multiple victims
simultaneously all over the world with one event. So now we have to change
those processes to be effective. . . .
What percentage would you put on the chance of an electronic Pearl Harbor,
or at least a cyber catastrophe?
I don't think it will be tomorrow, but I think it could be
tomorrow. I think that countries and traditional terrorist organizations
have not really adopted this doctrine yet. But it's only a matter of time. .
. . When the new generation of leadership in terrorist organizations and
nation-states moves into positions where they can affect things, I think you
will find that that's going to eventually happen to us.
And you're convinced of that?
Absolutely. I mean, anonymity is built into the process. You don't have to
sacrifice two individuals like they did in Yemen. . . . You can do it remotely
and maybe have the same effect. . . .
When you look at all the vulnerabilities and all the complications . . .
ultimately, can we fix this? What is going to happen?
I guess I'm optimistic. It's just a matter of awareness. We addressed Y2K.
That was a big problem, but once we recognized it and we realized the
criticality of our systems, we dedicated resources to fix it, and we fixed it.
So I think this is the same thing. Once we recognize that awareness is a big
part of the problem . . . and we're willing to put resources to it, we can fix
And we can fix it even though the government doesn't own the
I think that the commercial world and the private sector are going to realize
this at some point. When people start taking advantage of this and it's
costing them money, they're going to realize that they have to apply resources
to it, and they will.
And if we don't take some action soon, what's in store?
We could have that electronic Pearl Harbor. . . . We could actually go through
something like that.
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2013 WGBH educational foundation