Espionage and Intelligence

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

good afternoon I'm Bill nice and I'm the Associate Director of the Institute for security technology and society here at the college today we're very fortunate okay and this is our last speaker and a spring speaker series on state-sponsored hacking we have with us professor Dickie George from Johns Hopkins University brief introduction Dickie graduated from Dartmouth 1970 memory join the NSA we are immediately thereafter I and spent the next 41 years with the NSA and about five and a half years ago he joined the advanced physics laboratory at Johns Hopkins University and today is here with us to talk about intelligence and espionage Dickie thanks very much built it's great to be back here I love going back to Hannover it's wonderful time is the obligatory yet what you're going to hear is my view of things my opinions these have been vetted by public affairs but doesn't mean that they believe that they're truths just does my view on things and my memory goes back a long way most of those public fears people have no idea what happened back then it's good right so to start off I feel like I've been a target of espionage for about 47 years doesn't mean they're successful just means I've been a potential target the good news is today there are a lot more people like you all who are target's of espionage every day so welcome to the club it's a it's a fun Club information assurance which is where I spent my life it really is all about protecting information it means that you are you have information that someone wants access to to do something to it and you want to protect that information and that's that's the name of the game if you think about a threat and an adversary you can characterize that adversary in six ways you talk about the resources they have to spend in the capabilities they have those are somewhat interchangeable because if they don't have a capability they may be able to buy the capability from somebody else there's the intent and motivation what they want to do and why they want to do it the there are a lot of different groups that might want to do the same thing but for very different reasons if you think of a hospital database of information a disgruntled employee might want to just mess things up because he's mad at the hospital organized crime might want to go in there and encrypt the database so they want access to it to encrypt it so they can ransom it back to the hospital a foreign nation state might want it might want to go in there and just implant a tool so that they can do something at a chosen time if they want to a terrorist might want to just go in there and make people die so there are a lot of different reasons people might want to have access to that and you've got to address those various reasons in your game now if you think back to the old Cold War and I'm usually talking to college because this is great because most of you lived through that Cold War it's a it was a fun time it it was characterized by two things that the Espionage was number one and the technology race which was broken up into nuclear weapons in the space race so those are the two things and you can cartoon it in a sense by saying you were looking at someone who had the best guns and the best spies and that was what you were looking for the best guns and the best spies funny thing used to happen back then when I was in elementary school about once a month an alarm would go off and we'd all dive under our desks because the threat was someone was dropping an atom bomb on our school so it's a little school in Connecticut probably not a great target but the interesting thing about that was that everybody understood the threat and they knew how they were supposed to react to the threat and about two-thirds of the kids in my class when they went home they had bomb shelters in the basement and the bomb shelters were stopped because the government told them how to build that shelter how thick the cement had to be how much food and water they had to have in atomic blankets what had to be there to protect them how long they had to be protected for and the government told them what they were doing to prevent this attack from in the first place now compare that to today what kind of advice is the government giving you on the cyber threat and what kind of assurances are you getting that nothing's going to happen don't worry probably not much so I have an interesting story that will kind of bring that to light I was talking to a very senior guy at the Department of Defense one time and he said you know this was in the late 90s he said I have I have nuclear weapons I said yes sir he said you know I might have to use those nuclear weapons someday and I said yes sir he said so when I see that cyberattack coming and I thought this guy's thinking he's can see ones and zeroes coming through the air like it's a missile and that's not the way it works and so I said sir what do you do when it looks like that cyber attack is coming from Ohio and he can't just stare up at the ceiling and you know you could say well did you thinking why is a high OH attacking the Pentagon or if I take out a high or it's a swing state so it's fair if I take out Ohio does that send a message to the world but but I think what he really was speaking was I've got the biggest guns and you're telling me I don't know how to use them you know the game has changed in he had a real sad look on his face as he realized that having the biggest guns didn't mean he was the toughest guy anymore and that that is that's a profound difference in in the world I heard a talk that general McChrystal gave a couple months ago and he said you know there's only one superpower it's us and and no one on earth is ever going to take us on head-to-head in a traditional war again that means we've got to learn how to fight a different war you saw the recent results and when in the NATO competition where in the cyber competition we came in 13th in NATO which is a market improvement over last year when we came in last that's not where we want to be that's not where we need to be and that's in NATO so when I started in NSA the because there was an old guy we were bunch of kids with a bunch of 22 year olds there was an old guy sitting in back of the room that that probably means is about 30 so we were having a good time the second day he got up at the end of the day instead of said I want you guys to know that the Russians know who every one of you are they're tart they're targeting you they're looking for you to make a mistake as long as you don't do anything wrong you're okay but if you give them an opportunity they're going to take advantage of that and over the years I have seen that happen not anyone I know but people we hear about that as long as you play the game right you're fine if you give them an opportunity they will take advantage of it and you will become old so when they when they set up the rules for how we play this game it was set up back in the day of teletypes where you were typing out information it would go over the air and it would get printed out at the other end and CIA was supposed to get the information at rest and then as they was supposed to get the information in motion it doesn't really make much sense in today's world because there's not much difference between at rest and in motion today that information is sitting in computers that could be moving at one moment rest in the next and moving again it's an interesting world so let me talk a little bit about the kind of defense we put together because we knew the Russians were looking to get strategic information that was their aim to get strategic information about the United States and our aim was to keep them from doing it so we developed crypto and the information was encrypted information assurance tries to make life hard for the adversary and making it hard means forcing them to play the game they don't want to play so remember you have resources capabilities intent motivation access and risk aversion access what kind of access they have to the information risk aversion which kind of chances are they willing to take an example of how we built devices back then we had a handheld radio which was used at the front lines was called Vinson the some of you may remember that it was a device that was first designed in 1957 we studied it for about 12 years in 69 we decided we could start building it they made four models as they kept finding problems and fixing them and it was actually fielded in 1976 so that's that's only 19 years to get it from designed to the field it's still in the field 40 years later and it's never had any changes and that was the goal you make something right you know the old story about the two hunters and the bear everybody know that okay so they're 200 out there in the woods and they've only got one bullet left and Big Bear jumps up in front of them the guy said guy says his friend make it a good shot and he said I will he turns around and shoots his friend in the leg takes off running the guy says what are you doing said well you know I don't have to outrun the bear I just have to outrun you so that's that's almost the game in cyber back in the old days our crypto was designed to outrun the bear today the game is very much designed for people to outrun the neighbor if your system is better than your neighbors you're probably not going to get hit unless you're a real target if you're a target of opportunity you're fine as long as you're more protected than somebody else but if everybody's equally protected then they're going to look for the most lucrative target and that's that's the game we have to play I remember I was giving a talk not down at Georgia Tech one time and people were complaining about this they had never seen this kind of thing before in the early 2000s and suddenly everybody's getting hit what's going on and I said yeah there's nothing new here this is stuff that's been happening over the years it's just that you are now target and they said well you can't let that happen and I was at NSA at the time and they said why don't you look at all that stuff that's coming into the country and make sure that none of it is bad and only send me the stuff that I should be reading I said really look there are a lot of people who don't want me looking through all of their mail and deciding what they should read it's interesting that you all think that's the right thing to do and there is that that privacy security trade-off which is that's a very strange characterization of it but that's that's one way to look at it that we don't really have the power to decide what a person gets to read and what a person doesn't get to read and we can't make decisions for them we can't make good risk management decisions for them everybody makes risk management decisions every day when the light turns red and you're walking across it you make the decision that that car coming toward you is actually going to stop at that red light if it doesn't your risk management decision is lost if there's 30% chance of rain umbrella the risk management decision the difference between those decisions and cyber decisions is when you make that decision to cross the street or to not carry an umbrella if it's a bad decision you suffer for it in the cyber world were all connected and somebody making a bad decision can impact everybody else if somebody gets into the Dartmouth network you all can suffer for that it's a very different world so let's let's talk a little bit about some of the old old spy cases that we've seen we used to see back when it was us in the Russians in the good old days we used to see about one one a decade because they were hard to do so you had Martin and Mitchell Martin and Mitchell were guys who worked at NSA they worked in the research department the fairly typical description of the people they thought they were really good and people they work for it didn't think they were that good so they were a little bit disappointed disillusioned they defected to Russia they had access to a lot of information that we prefer the Russians not have access to but that's you know that's that's the game the Russians were playing they they honed in on the fact that these guys were unhappy and we can convince them that life is much better in Russia bring them over and take care of them we'll get the information you might even see somebody in today's world thinking that might be true you never know but that that's one and that was a bad one for us Walker you familiar with the Walker case in the old days Walker was kind of the equivalent of today's system admin Walker was a crypto custodian so what that means is you had that Vincent in it and the Russians knew what Vincent looked like yeah vitsin was was fielded in 76 interestingly I was talking to a friend of mine at FBI and did the FBI hang around the same bars that the Russians do downtown he said you might want to know that there's an offer out of a million dollars for the first Vincent that's delivered to the Russian embassy he called up a week later and said the offers been Pope yeah I had already we had a little box we could turn in ofis we called him one fine idea so since I got that call I turned in tonight one fine I did it we said we should go run it down to the embassy because the IAD the information assurance director could use a million dollars they're going to get it anyway I don't know if they took me up on the offer I know I didn't get a cut but it's pretty safe to assume that the Russians knew what Vincent looks like we we have engineering diagrams on all of our equipment so we had one company out on the west coast but somehow lost one complete set of engineering diagrams for everything they ever built for us just one stuff happened we were we were doing it odd at one time of the company that was building Vincent in the were classified chips missing well the project engineer was on vacation and turned out he was in China and remember this back in the 70s people did not vacation in China in the 70s so it was gone but that's okay because what you count on is the crypto variable that no one but you knows and we spent a lot of time making it so that it was stored in a way that nobody could get any information on it it was good in there you couldn't figure out anything about it you couldn't take it out and put it back in the only person would get any information about that with the crypto custodian who took it out and put it in the device so so Walker was he needed money he invested in a bar it was losing money so he walked into the Russian embassy with one of his little tapes and said I have these would you like to buy them and they they said we can't buy those because people would know they were gone but we'll give you a little camera and you can take pictures of them and so he was taking pictures and consoling him and he wasn't making much money on it certainly nothing like the cost to us unfortunately but but that's a guy again the money problems once the Russians knew that he had money problems they were happy to be his friend and try to help him out and that's what they're looking for an opportunity to help someone out to be their buddy and then and then to own them for the rest of their lives that's that's the model the Great Seal remember the Great Seal that some third graders carved for the president I've seen that Great Seal I'd say third graders did not carve that Great Seal it's really nice it also has a really nice listening device inside it so it it worked for a little while that's good in the modern day version that of course is the State Department with the chair rail if you've heard about that though in the so there was a DC policeman who saw a Russian diplomat doing something really funny so he watched him for a while and he feared this can't be on the up-and-up it so he called the FBI he said I got a Russian outside the State Department who's putting quarters in the parking meter and the FBI came rushing over Russian several quarters in the parking meter they have diplomatic immunity there's a guy in the Russian embassy who has 30,000 parking tickets in DC I don't know how you can collect 30,000 parking tickets it's like he must drive around following policemen intentionally parking and for our hydrants it's got to be a hobby but 33 so this guy was sitting there putting quarters in and that looks suspicious so the FBI came and they watched him every once in a while he would move a box of Kleenex in the backseat just sitting in the side so they went over and they hauled him out of the car and they found a recorder inside the Kleenex and when they went inside the State Department they found it there'd been a an 18 inch piece of chair rail between a door and a corner that had been replaced or perhaps hollowed out by maintenance but it looked like it matched perfectly but it had a transmitter inside it that was picking up whatever discussions were going on in the State Department now I figure the joke is really on the Russians because they're not getting much intelligence out of that but at least they were getting something but you know that's the kind of thing that they will do and that's applied to supply chain is real so you know if they can do that they will do it another supply chain is gunman project gunman that was in the in the 80s someone suggested that we might want to take a look at some of our equipment that was in the embassy over in Moscow and so one one weekend we took about a ton and a half of stuff out of the embassy and send it back home and we x-rayed it all and we found that the only thing that had really been impacted was the typewriter now the way that the embassy worked they had the devices that did actually the crypto devices were in the basement and the Russians didn't have access to that they had teletype send the crypto equipment down there on the first floor they had the typewriters and they would type out the messages that were to be taken down to the basement to be encrypted and sent out so when when anything happened to the typewriter which happened fairly frequently it seemed in the morning after after the Russians had been cleaning the typewriters wouldn't work well so they would send them out for maintenance and they would come back and there's there's a triangular stability bar under the keyboard that had been replaced with one that looked identical may have the same stuff but hollowed out with a recorder and a transmitter so record the keystrokes during the day and transmit them at night and that were that reports on the internet if anybody wants to read about it it's really good-looking stuff they did a really nice job for that time time for him but a lot of work that goes into that another funny thing that happened over there we were looking at at some cables that we had which had pretty heavy metal ends and we saw when it was cracked we said what the heck happened they said somebody must have put a desk on that or something and we went around and we looked and they were all cracked all the cables had they had those metal ends cracked so you know if it was an accident it was a big accident that's the kind of thing that happens to you and you have to watch out for it and you're making people work to get this that's perfectly fair and that's all according to the rules there are rules that you abide by it you know you're not I'm not worried about anybody kidnapping me or kidnappings on my family and trying to get me to turn over information that's not the way the game is played the game is played by you make yourself vulnerable and they take advantage of it and the Russians were going after strategic government information you had the big guns and you had the best spies the spies were enablers for the guns and they were getting that strategic information any way they could and that's life so so here's a little game on the rules that you have to play by we used to send teams over to the Russian embassy in fact when they were building we sent teams over there and looked at it and the materials were not very good basically the Russian economy was not that great but every once in a while you'd see a place where the cement was really pretty fine and that's that was we're listening devices were hidden now we don't know that they weren't hidden in other places but we found them hidden there so we used to send people over to the embassy occasionally they're always NSA people going over there and interestingly the only place that ever had any vacancies was one hotel on the seventh floor so our guys would always say I'm 7th floor of this hotel then KGB was on 6 May the 4th that's ok so we knew that so so one trip over we sent a big team and there weren't enough rooms on the seventh floor so one of the guys was on the fifth floor of course what do they do the first thing those guys did was they all ran down to the fifth floor see what's the difference between the fifth floor and seventh floor so that's not in the rules they're supposed to be on the seventh floor so there's a knock on the door and outside the door is the guy from the front desk at the hotel he said I brought you a copying machine in case you want to make a copy of something and he wielded it and plugged it in for them and left now when's the last time somebody brought you a copying machine in your hotel room so my guys were engineers so they got suspicious and they they unplugged it five minutes later there was a knock on the door it's the guy from the front desk at the hotel he said I brought you a new copying machine that one's not working so yeah I think it was his subtle way of telling them that they had broken the rule and they were supposed to be on the seventh floor not on the fifth floor to get back up there where they could hear what was going on it but it's a rules thing I you know when you're walking around Moscow it's the safest city in the world for you because you got three three KGB guys in front of you three KGB guys behind you you don't know who they are but nobody's going to come near you you know that nobody's going to talk to you I had one of my friends decided he'd go out late one night just see what happened he got a block so we took him by the arm and escorted him back to the room and said he should not do that again because accidents but at night he said he he didn't think it was an idle threat he's not that the guy really meant it that they wanted to know where he was and he should not be going out and doing things but that's that's life as long as you behaved all was good it was spy versus spy and there was honor among spies I've got a buddy his name is Victor shame off he was the director of information assurance in the 70s for the KGB he came over in 1980 and I've known him since then we get together once a month just it just to have a crab cake and discuss the good old days when one was him and me and all the fun we had and and he likes talking about how nice it was to trust your enemy one day were sitting there said you know I trusted you more than I trusted the Chinese and they were my best ally but I trusted you I knew what you were doing and I knew you wouldn't do anything that was outside of our rules said I didn't trust the Chinese in fact said we had a relationship with the Chinese like your relationship with the British we had people I had people working over there in their intelligence as as a Russian partner so one of my guys came back he'd been there for 15 years said Victor I don't trust these people I don't know what they're up to I died I just don't understand them I don't trust them you can't trust them in somewhere where I were sitting in Timbuktu having a crabcake and he grabs my arm and says I want you to know you can't trust the Chinese and I'm thinking I got a KGB guys him we're in a crabcake can he's yelling at me that I can't trust Chinese intelligence is it this is a great scene but but he's right we don't trust them one of the interesting things is remember James Lewis when he worked for the Obama administration he used to talk to a Chinese about espionage he said his last trip over he took it as a personal challenge to address the commercial espionage problem so he said he opened the meeting as the senior u.s. repla saying we have to discuss commercial espionage and his counterpart said let's talk about cloud security so he said they talked about crap for the first morning in the afternoon he said let's get on with the commercial espionage and his counterpart said now let's talk about so at the end of the day they hadn't gotten to commercial cryptography and the meeting was over the two of them were alone and the Chinese guy said you have to understand something in your country if you spy on another country you're a hero and then there's a line a strong line if you spy on another person or if you spy on a company you're a criminal in my country there's no line if you spy for the country you're a hero and it doesn't matter whether you're spying on a government or a person or a company and as long as we have that cultural divide we can't talk about commercial espionage and that that's that's the story there is a huge cultural divide and the rules are very different the Russians play by rules and the Chinese don't and other countries don't and in today's world the game is significantly changed the big change is access back in the 70s when we were building that Vinson it was designed at NSA by people with top-secret clearances didn't having a top secret clearance doesn't mean you're not a spy Ames Pollard it happens Martin Mitchell but it gives you some level of trust then it was built and it was built by a company in the United States on a line that only built things for NSA and we knew it was built the way we wanted it built I spent six months with with the engineering diagrams of that Vincent on a table going through and looking at every line every gate every every resistor in the thing seeing what happened if something went wrong in making sure that something went wrong it didn't go wrong in a cast Rafa quakes we'd alarm it if it did that's how well we built that thing we knew it inside out built in the u.s. today that there is no built in the u.s. it's internationally and everybody has an opportunity to do what they want to do to us I was talking to a big company one time I was talking to the CEO and he said you know what makes me different from my competition I will never use code from China I will always use code that's built in the US you have my word on that six months later I got a call from he said can't afford it I'm getting my code from China Louise he called and that's a fact of life that's that's that gives people an opportunity to do things so in the year I guess it was about 2005 they were talking about the critical infrastructure particularly the communications infrastructure in the United States they were taking bids from companies on maintaining that infrastructure and the low bid came from China so Congress established this committee of senior people from industry to look at that to see whether it was a good idea or not and I got to testify before them and so testimony want something like this they said so is this a problem and I said it's a problem because you're allowing them access and access gives them the opportunity to do something so you are giving them complete access to the maintenance of your infant structure and if they want to make it put a time bomb in it or anything they want to do they have that access and the chair said so are you telling me that if we sign this contract they're going to sabotage our infrastructure so I cannot say that they are going to Seb die so you're giving them the opportunity to he said okay so are you saying that if we don't sign this contract our infrastructure is safe from the Chinese and I said I can't say that you know there could be other ways they could do something he said you're not being very helpful I you know apparently I wasn't because they were all there like and what the heck do we do so he said could I talk to the next person next person with Commerce Department and he said it's a young lady he said did you hear that testimony she said yes sir I did he said what are you thinking she said sir if you are worried that if we signed this contract that Chinese will sabotage our infrastructure we'll put a clause in the contract that says they promise not to and suddenly they all smiled so we solved that problem you know that's the life you live in that that's kind of a failure to recognize that there is a problem today you know everybody's playing this game it's not just the Russians we knew the Russians were playing this game yeah you know the Super Bowl was broadcast live to 235 countries outside the US four of them have agreed not to spy on us it's a UK Canada Australia New Zealand everybody else for fair game we've we've talked about establishing a similar relationship with some other countries but we've never been able to do it and occasionally we do find people doing things that look suspicious and we say what the heck and they say you know what do you expect and that's that's kind of like what happens you know I I expect that everybody else is going to be spying on us and yeah yeah I'm an ia guy but I assume that we're probably doing something similar I don't know I've never worked on that side of the house but you one can only assume that there is some intelligence gathering somewhere it's an interesting life there's some interesting stats on things so in 1980 one of the first internet kind of emailing traffic it wasn't really email but that kind of traffic went and it was a big expansion not much happened by 1993 1% 1% of the two-way comms went over the Internet one percent by 2000 it was 51 percent and by 2007 it was 97 percent a lot of information on the Internet it's a lot of opportunity for someone and there are a lot of people that are looking to take advantage of that opportunity it makes it a lot easier when stuff is floating all over the world on the internet and you don't know where it's come from or where it's going to goes through a lot of different countries and that gives you access and access is critical it's a completely different game if you think of Walker I mean he provided access because he walked into the Russian embassy but typically you might be looking for someone who would establish a relationship in a bar it's a long painful process to set that up you've got to gain trust you've got to find a person who has a problem you can take advantage of if the person turns you in then you that's a real risk because you lose that opportunity and you may be sent home today you send an email to 10,000 people you hope what I'm it's a button you know how smart you have to me when someone sends you an email does it you if you click this button I'll reset your password for you I'll click that that saves me the work yeah really people do that and people do do that that click the button I was talking to Scott Charney one time he said he has to clean his computer every day he's got a four-year-old and his mother lives with him and they all use his computer said his son can't read but he loves looking at YouTube things particularly about the animals so he clicks watches clicks watches clicks watches every once in a while one of these little things pops up he can't read but he's learned that if he puts the mouse on that thing and hits it he gets to see another video so boink boink boink he says his mother does a lot of traveling she's a retired biology professor it does a lot of traveling around the world so always looking to see what she might be seeing what kind of shopping there might be whatever so he said she gets those windows up he watched her one day she was sitting in front of the tube and over three minutes she kept going closer and closer to the screen like if she got close enough those words were going to make sense to her and after three minutes she shrugged it hit okay yeah I lived this at home yeah my brother's a travel writer he goes all over the world every country he goes to he gets hacked and I get mail from him and if I don't get to it first my wife opens it and invariably it our email address is Lissa and Dicky with no spaces so invariably the mail from my brother says dear Lissa and Dicky and assigned Donald's George and whatever link you might enjoy this link she clicks and I get it and I say why would you do that cheese hey don't complain to me it's your brother no that's the whole point it's not my brother it's it's a fascinating life and that's that's what happens and so if you used to hear that what we need to do is educate the end user that that's a losing game because I'm never going to make my mother smart enough to know what that Russian guy is doing if he's aiming at her it's just not going to happen she's going to trust him and and she's going to share that risk with me it's it's the way the game is played they yeah last last information I have is from 2011 when I retired the government had actual attacks these are not pings not not somebody surfing by to see what looks like actual attack 41,000 attacks that country and wasn't just the government member RSA they had access email to a thousand people one guy clicked it they almost went out of business and they they had a good system they had a really good system they had a nearly perfect system and that that nearly came back to bite them Lockheed Martin lost a lot of info a lot of my info by the way Nasdaq lost a lot of money because guys were playing with timing game they were they're getting the timing before anybody else was you know wasn't minute he was pieces of seconds but that's enough it's a great game Mitsubishi they turns out that they just don't they don't make a little @r on electronics they also make submarines they lost a lot of stuff did you know Tower anybody remember them diginotar was a certificate company they issued certificates for four companies so when they got hacked the bad guys issued themselves a lot of certificates and went around pretending to be a lot of different companies and patched a lot of a lot of products in a very bad way diginotar is no longer in business they didn't survive and that's probably fair if you're going to put that much trust in a company like that they ought to do it decently happens every day interestingly there's not much concern about your credit card now because the credit card market is flooded the credit cards are worth less than a dollar apiece health information is the new target of interest because with your health information people can be you or they can order drugs in your name and apparently that's a it's a neat way to get drugs so health information is out there the nasty part about this is it's pretty easy to get a new credit card it's hard to change your blood type and that kind of information kind of sticks with you over your life so you don't really want to lose that kind of information and that's the world we're in attribution is really hard it is really hard you know one of one of the sayings that my former friends used to like to say is if it looks like the Russians it's not unless they want you to know it's them so yeah okay that's great now the the best guns in the best spies the problem is in today's world remember that poor guy he had the best guns but you can't use those guns if you don't know who shoot at in this world those it's not best guns and best spies because the spies hold the guns and they can play a game they can break your your critical infrastructure what do you do what do you do if someone takes out your your power grid how do you respond how do you recover it's not easy and the world is capable of doing it you know who could have shot a nuclear weapon at you in the 70s Russia who could take down part of your power grid the local high school it's a completely different game and what is the government doing to make sure that nobody does that to you they named the cyber czar they didn't give him any authority or money but they named a cyber czar and said now the new cyber cyber czar actually knows cyber which is interest because the last guy was a budget guy and people up people who worked with him said he didn't know anything but this guy knows a lot however without authorities in budget knowing a lot doesn't buy you a lot it's it's hard it's really hard one of my favorite things if I take any of the awareness training where they look at things like which of these ten URLs are bad and you know you get a three-line URL it's gotten you six characters in interactive code in yeah I got a snowball's chance of seeing that and they tell you this is one I love don't open attachments you don't trust really who opens stuff you don't trust it's like saying don't eat spoiled meat I'll take some thats bloat me now doughnut does that but people still get food poisoning because they don't really know it's support paid you automatically trust attachment I can I get attachments from the guy who sits ten feet from me I'm not going to turn around say did you just send me an attachment I gotta get 50 a day from him and I open them all let's hope they're okay but that's that's the world were in and it's everybody sharing that risk everybody's sharing that risk so yeah a good example that is buckshot Yankee this risk sharing is anybody familiar with buckshot Yankee so that was when the Russians got into the classified Network which everyone claimed we don't have to worry about the classified network because it's your gapped what doesn't always work that way so we those Vincennes on the front line have been replaced with laptops and the guys in the Middle East were you know their view was they're out there worried about terrorists when they get a terrorist who happens to have a thumb drive in his pocket or if they find a cave where it looks like the terrorists have been and they find some guys they're thinking there might be information on this thumb drive so I'm going to plug that thumb drive into my laptop and see what's in it because that guy is not worried about the terrorists putting malicious code on his laptop he's worried about the zero shooting him but it turns out that that thumb drive didn't belong to that terrorist that thumb drive was put in that cave by a Russian and the Russian wasn't trying to put malware on that guy's computer while he was but it's not because he cared about that guy he cared about the guys that that guy was connected to and that laptop wasn't just connected to the six other guys out there on the front lines he was connected to the Pentagon and it's that risk sharing that comes back to bite you and that's the world that we live in every country on Earth runs these types of attacks they'll play these games they're trying to take advantage because we are the best target we have the innovation we have the technology we have the information we have the money you know the old story why do you rob banks because that's where the money is we are the banks for the world we have the money and we are the targets everybody's got to live their life that way I'm going to finish up with one story and then give you all chance to ask questions if you want so this is a story I like to use it kind of it's a nice way of showing this idea of risk sharing and risk management and understand risk so in in 2004 Mike Hayden who's director of NSA walked into my office and said we've you know we're too quiet about the good things we do I want us to be out there I want us to be more public he's the director of NSA what'd you say yes sir and he said so I'm going to give the lunchtime keynote at blackhat and I said well that's a good first step sir you you really are going to be out there he said yes and I want you to give me the speech he said you don't have to write a speech I just want the story and I've got speech writers and so I gave him what I thought was a pretty good story and a week later I got the speech back from his speech writers and it was it was great and I called him up I said sir this this is outstanding you are going to be a hit at blackhat I guarantee and he said thanks and a week before the event I got a call from his exec and said general Hayden would like you to give the talk in his place at blackhat I said well you know the people at blackhat are going to be a little disappointed when they're expecting to see general Hayden walk out of the stage and they get deke George and she said well that's okay the people who organized the event know that you'll be there so this is not a request this is the I know I see now I am going to blackhat to give this speech and I said well how come I thought he wanted to be out there he wanted to expose NSA and she's what you have to talk to in the name wasn't John Smith but it was a friend of mine who runs security at NSA so I called him up I said John what the heck I got a call from the director he wants me to give this speech in his place and he said he wanted to get us out there he said go I have some information in it and it's rock-solid that if general Hayden shows up at blackhat to give this speech this could be an assassination attempt so we got together yesterday we talked about it we decided you're not that good at target so we'll take the risk and I'm thinking that is a discussion I would have liked to be in on my view of acceptable risk might be different than theirs but I went out and I gave the speech and I swear you three 500 people out there if anybody reach for napkin I was going to be on the ground clearly nothing bad happened but being on the Internet is much like that because when you get on the internet there are people aiming at you every day you got to be aware you got to be looking for that and understand this not just you but your friend when they make a bad decision they're sharing that risk with you and that's what espionage is today it's no longer the Russians meeting a guy in a bar and taking six months to make friendships to talk them into things - looking for weakness the weakness today is hitting a button it's not needing money it's hitting the wrong button and putting not you at risk but everybody at risk RSA email to a thousand people one guy clicked it it almost went out of business so when I when I'm on a panel and some educator says you know we spent six months training people in this company before the training 30% of the people recognized a phishing email and after the training 60% recognized a phishing email good job hon and I say not so much good job 40% bad is still bad but that's the world R in what is going to take is students like the ones you're teaching it's why I company recruiting because because you go you'll have the best students in the world these people are really bright they're really innovative they're really creative and they are going to make a difference and that's what we're looking for because because our generation didn't solve this problem we created this problem we need the next generation to figure out a way to make this country safe to take us from being number thirteen to number one yeah I got a buddy who teaches a Tulsa he came over from India and he said you know this really pisses me off I did not come to this country to be number three or number ten I came here to be number one we gotta straighten this out I think he's right we've got to get get back to that position where we are the strongest country in the world and you're training the kids that'll get us there thanks very much yeah I never get questions I never get planted questions guys what do we need to do well be the first desert so will we we do exercises with the students and how do we get from 13 to one we do exercises with the students we do these are the problem is you are these kids most of these kids in the military kids that haven't gone to college they don't have the training the formal training they may be decent with computers but they don't understand the threat they don't understand the risk and they don't have the right kind of exercise training because we don't have really knowledgeable people making up the exercises the exercises are phony you know I told the story today with kids a eligible receiver first it was the first time we were invited to a war game to play the cyber aspect so what did we do we took control the ships away from the guys and we got kicked out of the exercise they said that's not fair we said what are you going to do when the Russians do that tell them it's not fair and they got to give control back this is this is you're not taking this game seriously if you don't let us do that that's what that's what you got to prepare for same thing is true of any cyber exercise when we run cyber exercises we always we do tabletops and everybody says things are going to happen that don't make they aren't real it's not really going to go that way every time we play a real game where we I sit there with the director of information assurance we say let's pull the plug and see what happens and it's like lighting a fire in a building when you turn the stuff off you know when you have a fire drill everybody walks out in Nice order officially a fire what are people going to do you don't know it which is really funny yet you know they're like 60 million commercial buildings in this country and there's six thousand fires a year so that's like what's that one one in ten thousand or something like a chance of getting fired in cyber every company is going to get hit this year and yet they don't do a drill whenever we did that drill things that we didn't expect to have happen happen people react in ways you never nothing like what we told him to do and nothing like what we expected him to do it was weird and you never know why it's like panic mode but we don't try that we don't exercise and we don't pray the people and people are making up the military exercises don't know what real exercises are they don't know what real events are they don't understand the threat they don't have role-based training everybody gets the same training so yeah but Trump was talking about the violation email servers and how maybe some of those things should go back to being carried by quarters instead of being on trying and if you have kind of made fun of horses a little vascular I'm curious if there's any actual merit in going back to analog communication and or or things where physical copies are moved in terms of increasing security well there certainly is you have to have that capability as a backup because if things go down and we can't get them back up if you need to be able to communicate yeah you're not going back there as a primary the functionality is just not there everybody's counting on the functionality but that's what sells and to be honest it's what makes us what we are we're innovative we're creative and it's because of our ability to do things fast together if you take that away we just aren't the same country so my again my opinion yeah my favorite student yes so back says we had yeah we had one virtual assure to start okay oh is that I thought that was Mother's drunk not not really part part of the problem is that was the fact that it was a symmetric war and you know the adversary had the same thing to lose that we did it's it's you know we'd say if you're going to say we're going to bomb Russia back to the Stone Age that that's a valid threat if you say you're going to bomb a terrorist organization back to the Stone Age it's not they don't hit they are not a target how do you do that that's that's the problem with the fact that the local high school can take down your grid how do you punish the local high school did there is no that hopefully that's that's why when we ran again the work sighs I always made sure that nuclear response was one of the options not because I thought it was realistic but I knew that the adversary was going to get that war game they were going to see it and wanted them to see that the nuclear option was an option it's too bad individual person on their laptop over same to Vegas national level threatening one of the big threats is we're too concerned with confidentiality and not enough with integrity and integrity is what's going to kill you if information is not like money when you rob a bank and take money out that money is gone when when you rob a company and take their IP that IP is still there they haven't lost it they've just lost an advantage in some sense but if you change the data yeah I'm not worried about somebody taking Wall Street down they'll be back up you won't notice it but if people lose trust in the ability to make transactions on Wall Street then the system will crumble so that the trust the integrity the the the trust that we have in the system in the banking system if you can't trust online banking you don't do online banking and everybody needs to be able to do online banking so I think integrity the integrity of the system is one of the big big problems the other problem is of course that cyber is a weapon and you can do some pretty nasty things with it I'm here so recently the news especially around this election there's all this trouble dodging that mean elevation like that pastors in trouble because I'm wondering how you feel like the current policy makers understand kind of cybersecurity and think they're responsive enough to the current cyber czar understand cybersecurity he's the first one that really has a good handle on it but he's got a real strong background he doesn't have the authority to do anything in general it appears that the so perfect example Congress passes legislation on what DHS should do they're supposed to protect the federal government the last legislation said that they were doing a good job protecting the federal government from known threats but they want now to protect from all unknown threats as well anybody who understands security in any sense knows you can't protect from unknown threats that that's ludicrous so they don't they don't understand it and I've briefed Congress in in classified settings in fact we were doing an interesting briefing where we were showing them how vulnerable cellphones were and the chair of the committee pulls herself on out of his pocket and ask if it says you mean I shouldn't have this with me they're saying yeah it's kind of the whole point of this briefing when it says you have to leave it outside you really do have to leave it outside there is there is a there is a feeling among the very powerful that they are above all those rules and it their convenience and ability to function is much more important than any of those rules and now that happens yeah so I don't I don't think I don't think the understanding is there I'd say I was watching TV one time and they had a a cyber expert on you have a watch these experts they are so clueless it's funny so so she was saying in clearly she was not a cyber expert you're saying and this cloud stuff your information is just off in the air somewhere we don't know where it is it's floating around up there I'm thinking really this is the best you can do as a cyber expert I actually haven't seen her on the air since then so usually they come back I thought I don't think you can come back from that one yeah I ever had real but how feasible music is like what would it take what was moment of this I think if it's a company or something full bundle I don't think I've got a snowball's chance of getting to do that because they lose productivity but you don't have to do it once a month I'd be happy if they did it once yeah so you know we didn't do it very often because it was a lot of money but it was also very instructive when you saw what happened some stuff that we never would have guessed College thing about people to talk even both boys what I just said in that monetization and one speculation I'd go to friends we spelled including a private email server was taken private ing equipment wasn't delivered line since she basically said okay you know I'm gonna fix my own server because that yeah they'll do what I want I what yeah that's right because I think she said up before she knew that the IT department would wouldn't satisfy her that was a going in not a coming out ICS you know security reptilians like now using the word five I see that all the time yeah security is a pain and we we have cross-domain solutions which is supposed to separate classified systems for unclassified and there are a hundred approved cross-domain solutions but when we actually went out look in the field but most often used one is a wire because it happens to be convenient cheap easy and it works it doesn't do what it's supposed to do but it gets the information across from one system to another question other books out there in the sternal chart if you recommend so Sean's got a good book and that it's really easy for me to recommend that one and not getting any trouble at all it actually is very good Sean Smith I think I think that's his real name - I had a friend does his tooth on me his name was Bob Smith and we used to have a lot of meetings together he worked at a different three-letter agency but one time I was walking to another meeting with and we said okay uh by the way my name is Pete Driscoll for this group [Applause]

Info

Channel: Dartmouth

Views: 196,711

Rating: undefined out of 5

Keywords:

Id: h-OGHXUtmto

Channel Id: undefined

Length: 63min 39sec (3819 seconds)

Published: Wed May 17 2017