Michael Hayden, Richard Clarke on greatest cyberthreats facing America

Captions
I'm Craig Timberg, I'm the national technology reporter at The Washington Post. Beside me we have two of the giants of cyber security and intelligence in Washington for long we root for decades now. This is how we meet means we're old. This is, this is General Hayden, he's the former head of the NSA and the CIA. Richard Clarke here has been a top White House adviser, counterterrorism adviser to presidents for, for some years now. And I wanted to dive right into the news that has been occupying all of us at the Washington Post and other news organizations for a while and get their perspective on this. We've been writing a lot about Facebook and propaganda that emanated from the Russians, and having covered cyber security for the past few years, this is something of a novel take on the issue, right? I think we all think of cyber security as hacks penetrating systems, and here we have, you know, a foreign adversary essentially using tools that Silicon Valley created to influence a U.S. election. So I'm curious if we should think about this as a cybersecurity issue and what sort of lessons we should take away from what's happening when we saw General Hayden.

Sure. First of all, thank you for your reporting, and as I, as I follow it along, I know the wheels start to turn here as to what does this stuff in the foreground mean for how we should think about the deep background. And Craig, what I'm reminded of, I, I kind of got dipped into this cyber thing in the mid 90s. I'd come out of the Balkans, where there was a war that was medieval in cause and conduct, and I'm dropped in to San Antonio to take command of the Air Intelligence Agency, and we're, we're kind of leading-edge thinking about this within the Department of Defense. And a lot of things that happened today, you can see the roots back and Security Hill in San Antonio in the 90s: Cyber Command, cyber is a domain, those concepts which are now American organization, American military doctrine. We, we had a debate, I still recall this, AIA, the
Air Force unit I commanded, and I also headed up something called the Joint Command and Control Warfare Center, which is a, by definition, a joint body. And the philosophical discussion, and we look like Jesuits and a medieval University, okay, as to what is it we're talking about. And there was a body of thought that we're talking about cyber, you know, land, sea, air, space, cyber: it's the domain, it's an operational environment, we're gonna go fight there. And then there was a body of thought that what we really were talking about was information, right? And so if you thought it was the latter, then all of a sudden what it was you need be concerned about was not just the, the your network, not just your computer, not just digital things, but information things. Looking backwards, it included defense suppression, electronic countermeasures. Looking forward, you, you would actually bring in psyops, or what we're now calling MISO, psychological operations. We even thought you probably had to bring the public affairs guys into, into this bubble. Alright, so we had this grand debate. I think, I think history will judge we broke over here, we broke over here with, with cyber, and that's how you get a Cyber Command, and that's been quite successful, and there's, that's a good news story. But this is not that. The Russians went here, and if you read the writings of General Gerasimov, now the chief of the general staff, he talks quite plainly polite quite openly about combat in the information domain. And now we see the Russians performing modely against our political structures in the information domain, but even, even now we are still trying to look at it through our lens over here, which is cyber: they stole our stuff. When, when the intel community finally got up to Trump Tower on 6 January, and you had Jim Clapper and, and Mike Rogers and Comey, and they finally laid out all the case that no, the Russians stole the DNC data and then they did this and then they did that, the Trump campaign, no longer able to kind of deny
fact of redefine what they had just been briefed on as: we really got a cyber problem, it's a bad cyber problem, you know, the Russians, the Chinese, that 400-pound guy, we really got a cyber problem. And that is a reflection, I think, of our lack of definitional expertise. We, we think about this as a digital thing, the theft of data, the firewall, all important, and we'll get to that directly, but what the Russians are doing is taking the game to a completely different level. They are trying to dominate in the information space. It's just not a cyber issue.

And Mr. Clarke, does he have it right?

He does, but let me frame it as two distinct points. This is a Venn diagram between cybersecurity, in which is clearly an aspect of this, and psychological warfare, which is clearly an aspect, and they overlap. The Russians are using cybersecurity techniques as a way to conduct their psychological warfare operations. But it's not new. The Russians have been doing what they call dezinformatsiya and active measures since the Russian Revolution and before. And again, let me compliment you on your great reporting. Thank God for the Washington Post. I can't get a t-shirt that I actually have one that says something about American intelligence says thank you was a first time ever. But I do have a slight criticism of your reporting. I think, you know, it's, it's very tactical, and we want those tactical stories and revelations, but we need to step back and look at the strategic issue here. What's going on? What's going on is that Russia has decided that it's going to be aggressive and regaining its standing in the world, and what happened in the United States is a piece of that, what continues to happen in the United States piece of that. They seek to have countries divide into little bits. They're very, you know, pro-Brexit. I'm sure they'd may be supportive of California breaking off, in fact they were. They're very supportive of putting one faction against the other, and that's why they're behind the Facebook ads and whatnot.
They're trying to create chaos, and as we go forward, as Bob Mueller comes out with the results of his investigation, we need to recognize that their goal is chaos in the United States and Western Europe. We have to constantly remind people of that, and we need to think about that in everything we do. We don't want to give them the goal that they seek, and when they're involved in manipulating things to advance chaos in our society here and in Western Europe, we need to call them out. That's the first point. The second point is that this presidential election was the first presidential election after social media became probably the major way in which American voters get news. That's an important point. The majority of Americans can get news from social media. They don't watch the ABC news at 6:30, but they should, since I worked for ABC News. CNN is good too. About that I wouldn't know, it's on some cable. But most Americans get their news now from social media, and therefore it's not surprising that this was the first election in which social media were used as a weapon by a foreign, foreign government. Because foreign government, foreign government has now decided to get involved in our elections, both through social media and through hacking of political campaigns, political parties and state election offices, we can no longer afford the approach that Federal Elections and we left up to county commissioners. As much as I love County Commissioners, and I know they're trying to do a good job on a small budget, Federal Elections cannot be, the security of Federal Elections cannot be their responsibility. The federal government needs to reassert, and under the Constitution it can, and the Constitution says the federal government can designate the manner of these elections. The federal government needs to reassert its priority control of federal elections and monitor them for security and adequately fund their security, and not give that over to County Commissioners who don't have the expertise or the
money.

You know, it's interesting to hear you say that. Back a year ago I was working on a story about, you know, could the US election be hacked, right? And I, and I was looking at those issues, the, the voting machines and paper ballots and, and those touchscreen ballots, and looking, but looking back on that reporting and are thinking about at the time, we really kind of missed the boat, right? The election wasn't gonna be hacked in the formal kind of count. Yeah, the count wasn't gonna be hired, but the election apparently affected. Yeah, it could be affected by these, by these forces that we didn't perceive adequately, adequately at the time. And it makes me maybe a tiny bit more sympathetic to Facebook's account that, oh, we just didn't see this coming, right? So Mark Zuckerberg famously says a few days after the election that it was a pretty crazy idea to think that this, this, that fake news could have altered the outcome the election. Maybe he's right, but I, I think it is very clear now that they had trouble conceptualizing of the kind of attack that actually was leveled on them and on, and on the US political system. And which, which makes me wonder what, is it reasonable to think that somebody should have understood this sooner and put up alarm alarm brows in a more forceful. Let me start with you, Mr.
Clarke.

Lindsay you know, I've just written a book called Warnings, in which I look at 14 case studies across a whole variety of disciplines, asking why didn't people pay attention when an expert gave a warning that later turned out to be true. And I have a little methodology for figuring out which experts are likely to be true. The bottom line is this happens in every field of endeavor, mmm, that you miss warnings. There are institutional settings that look for warnings. Sometimes they're good, sometimes they not. This one, I think people can be forgiven from for not seeing coming.

General Hayden, you were warning before the election about the prospect of the Russians influencing the earth. Did you conceptualize the kind of attack?

Your, your reporting, your reporting suggest to me that they had gotten their game to a point beyond which I had assumed. All right, so, so let's parse out what happened. They stole the data, all right? Well, I think that's general, general agreement. That's a baby step. About, by the way, I got to tell you, stealing the DNC emails, okay, hacking into that, that is actually honorable international espionage, all right? Okay, all countries do that, all right? If I were putting hours we may do that, yeah. If I were director of NSA and we could penetrate United Russia, just Putin's party, and we actually really care what they said, that would be a legitimate foreign in type of target. Oh yes, yeah, it would be a legitimate target under, under accepted international practice. What happens next then, all right, that's the big deal. That's the term we've been using is weaponizing the information. So it's WikiLeaks, it's DCLeaks, it's pushing it forward. Okay, that's kind of linear, you guys kind of expect that. Then the army of trolls who touch the data, all right, and who kind of convinced the Google algorithms that these stories, these stories are trending, whoa, no, wow, that's, that's not linear, that's the discontinuity, that's getting more interesting. And now what your stories are reporting is micro
targeting of specific groups in the American through a process hello. Alright, I mean, you can, you can see that the revelations growing here, that, that sophistication of the Russian effort with was, I think, far greater than even. I've talked to John Brennan and Jim Clapper that they kind of got wind of this isn't right about April, May. It was different of a kind than we've seen in the past. By August they, they were urgent, okay, that this is different in scale, it's different in style, and it's different in that it's approved at the highest level of the Russian Federation. They had a little trouble getting the political attention and that they needed, because frankly it forced the president with a really ugly decision, all right? It never happened before, yeah, and the instinct is, well, make, make sure you're really sure before you force an ugly decision on me. So you lose some time. So in August John gets to throw a brushback pitch at Bortnikov, who is his counterparts, and knock this off. September, the president does the verbal warning to Putin at the G20, and then in October Jim Clapper and Jeh Johnson go out with the kind of the facts of the case. But even the facts of that case don't get to what it is you're now, you're now reporting, right?

If you look back for the warning, yeah, I think the warning was in, again, American journalism, great piece in 2015 in another newspaper Sunday magazine, very good piece about the internet Institute in Petersburg, and a fascinating story about the trolls, about the bots, and the key to this story was that the internet Institute in Petersburg had run a story in U.S.
social media that a refinery had blown up in Louisiana, and it was very well done, very convincing, look like CNN's stories and whatnot, and of course the refinery had not blown up. And the article asked why would they have done that, why would they have tried to convince people that a refinery had blown up in Louisiana. And I remember sitting at the dining room table on a Sunday looking at that story and saying, this is an important story and I don't know what's going on, I don't understand why Russia would want to convince people that a refinery had blown up in Louisiana, but we need to keep thinking about this. And I forgot about it.

Kenny before about art critics I just had, and this is getting harder, all right, but because there are Americans who are using everything we just talked about here to challenge the legitimacy of the current President of the United States, and I think it's really important intellectually for us to separate those two things. Did the Russians affect the election? I think the answer is absolutely. How much? Have no idea. It's not just that I don't know, it is unknowable. So we just have to cabin that'll put, put that away. There's no question about legitimacy, and now we've got to get on with this, all right? Now there is much portents, there is a question about collusion, and we'll find, we'll find more about that. Yes or no, I think we will. Yes.

Well, as fascinating us is, let, let's pivot to another issue that's been in the news. It's more of a classic cybersecurity issue: the Equifax hack, one of the worst in history by various measures. One hundred and forty five million consumers now seem to have wrapped up in the incredibly personal data, social security names, birthdays, credit card numbers and such. Let me start with you, Mr.
Clarke. Aside from like the obvious stuff, like you need to patch your software, I mean, at a policy level, what are the, what are the lessons learned with the Equifax hack?

Well, so there's policy level within companies and then there's policy level at the national level. Let's start with companies. Policy level within companies is you have to have a good risk profile of your company, know what could go wrong that matters, and you have to have a governance structure that monitors that. So it cannot be the case that you get hacked and the CFO doesn't know that day, so the CEO doesn't know. I'm a member of corporate boards and I'm, not surprisingly, the guy is supposed to be keeping an eye on cybersecurity for these at the board level. The, I need to know the day one of my companies gets hacked, that day. So they had a governance problem. But part of the governance is knowing whether or not you're doing enough. They weren't, obviously they were not doing enough. They didn't have network discovery, they didn't know what was going on on their own network, they apparently didn't even know they had machines on their network that hadn't been patched. Companies need to realize that you need to spend money to do this. Beginning in the 1990s we underpriced information technology. We put information technology into companies across the board, every kind of company. We did it quickly, American productivity went through the roof as a result, and we said, wow, we can do things so much more cheaply now that we have information technology. Wrong. The calculation on how much information technology cost never priced in security, and companies today are on average spending between three and five percent of their IT budget on cybersecurity. That is a recipe for disaster. If you're spending three to five percent, I know it's a gross metric, but if that's where you are, you're gonna get hacked. You cannot do all of the many, many, many things you need to do to secure a network today. We know how to secure networks today. There are
companies that do not get hacked, there are government organizations that do not get hacked. We know how to do it. It takes a lot of skill, a lot of skills people and a lot of software, and it costs money, and it costs much more like 8 or 10% or 12% of your IT budget than three to five. So that's at the corporate level. At the national level, we do agree with Rob, we do need, and that I think when I overheard him say we need a national standard for breach notification, we do. Yeah. That national standard cannot be less than the existing California standard. The last time we tried to do this at the level with a Chamber of Commerce and people like that came out of the woodwork and said, oh yes, let's have a national level and that's, let's make it meaningless. We do need a national breach notification law, and it needs to be at least as good that's the best state law. Number one. Number two, companies like Equifax will continue to screw up until there is a penalty for doing so. My colleague Rob Knake, he used to serve at the White House, said the other day the way we solved oil spills and, and made it something an oil company really doesn't want to have happen, oil spills, is we charge them by the gallon for what they spilt, by federal law, and after that federal law oil spills plummeted. If we charge people by the data loss, if public information, publicly identifiable information is lost, you should pay for it by the person, you should pay ten dollars for every one of them. Multiply that times one hundred and forty three million. If you pass that law, this problem will go away.

I was just going to Paulo and I was going to bring up Rob Knake's article as well, and, and Rob reasons by analogy with the Exxon Valdez, all right? All right, and after the Exxon Valdez has passed indeed Congress says you're gonna pay for it by the drink, all right, if it goes out you're gonna pay for it, which then led the oil companies to look for insurance. Yeah. And so there's a private sector motivator and insurance requirements
yes came in. Yeah, you're gonna get insurance, you have to do X. So it's not the government saying thou shalt, right, or how you should do it. It was, here's the cost for doing it. Exactly. And then they want to go get insured, and then the insurance company said, well, let me, let me give me the number here, we're gonna do it real quick, there's your number if you just do it in single-hulled tankers. On the other hand, if you invest in double-hulled tankers, let me give you the insurance, and everyone move to double-hulled tankers. And so what Rob is suggesting is a government role that doesn't compel how you do this, sets up a penalty, and American business models with insurance will take you to a very happy place, a way it did with oil.

And in that example an insurance company would have said to Equifax, you have all this data, you have to encrypt it if you want to be insured, and encryption doesn't work unless it's paired with good identity access management, the multi-factor privileged access management. So have a multi-factor PAM system, have encryption, and will insure you. If that had happened, we wouldn't have an Equifax problem.

But you see the, you see the, the government, rather than, you know, whistle Red Hat clipboard walking in and giving you a check marks, the government sets up a structure that drives the business case over a long term to be responsive and responsible.

But that will never happen as long as the Congress thinks that regulation is a four-letter word. We need additional regulation. All regulation is not bad, and this nonsense that we have to get rid of two regulations every time we put one in is just so e. We need to do regulation like the one we've just discussed.

So here we all agree that we haven't always seen that the new threat coming, other than Mr.
Clarke, who's made a career of and missed I missed the last one. So tell me what aren't we seeing now, like what, what are the threats that are coming around the horizon that you all in the business can see?

You know, it always director I usually give this question, what do you think's going to surprise you next year. So directly what's gonna surprise is the difference between intelligence and fortune tell ya. You know, Craig, I, I don't have a good answer, and I didn't have a good answer for that question to what you're gonna surprise you next year. I just kind of made a face, you know, from the last several years in government. I will offer a couple of thoughts, kind of factors bearing on the problem, that this is, it's just, it's my best shot. Yeah, there, there is a tendency, particularly within government where the walls are high and you keep the secrets in, there is a tendency in government to underplay discontinuities. There, there's a tendency in government to think tomorrow is going to look a lot like today. I had the phrase used to me recently by an intelligence veteran: we're not so good looking around corners. Okay, and, and what you get, what you get is the tyranny of expertise. So one very concrete example: you have a poor unfortunate setting fire to himself in a mid-sized Tunisian city, recall, and, and, and in the original estimate out of the American intelligence communities that Ben Ali, the dictator of Tunisia, been there, done that, saw the movie, he knows how to deal with this, it, they'll hit white water for 710 days, but in the end Ben Ali will still be there. Well, not only was Ben Ali gone, there were a million people in Tahrir Square in Egypt within five or six weeks. The, the, it was the tyranny of expertise, the, the projection of continuity that captured this. One way, no, I'm asking and answering this, Craig, as a government guy, one way the government might be able to reduce that danger is to actually open the doors to, to the views of the broader American society, who actually has some interesting
perspectives on things going on out there, as your morning Sunday magazine guy had a thought out there. No intelligence, no purloined secrets, no less but no less Pia Nagy, but just because he's not trapped into I got to get the PDB out by tomorrow is able to look at these alternative scenarios. So, so I don't have a good answer, but, but I do have a way to, to perhaps get us to a better place, and then that is a far more permeable membrane between our security services and the wisdom the broader society.

Examine Mr. Clarke.

Well, that's, you know, that's what I call for in the book Warnings, which is available on Amazon. I have a book there too, but it's not the same title. The, the things that we look at in Warnings for the future are the Internet of Things, artificial intelligence, gene editing, CRISPR Cas9, among others. Of those, appropriated for this audience I think is both AI and the Internet of Things. If the numbers that Gartner, for example, uses on the Internet of Things are right, we're going from approximately five billion devices today on the Internet of Things to approximately 30 billion devices in the next three to four years. That's an extraordinary revolution, a quiet revolution, one that will occur without your seeing it, but to use the jargon of the cyber world, that vastly increases the attack surface. And most of those devices are being rushed to market without embedded security, and every time that has happened in the past it's been disastrous. So if I were to forced to make a prediction, which I don't like to do anymore than you do, I would at least think about things that could result as consequence of the Internet of Things. And then on AI, that there's a whole debate going on about whether or not we need to control, regulate, limit AI. While I'm in favor of some regulation, and I don't run away when someone says the word regulation, I think the idea of regulating AI right now is crazy, and we need to see where that innovation can take us, keeping an eye on it, and, you know, maybe the
people who worry about AI are right, I doubt it, about keeping an eye on it, but please do not suppress the innovation that can come from a on.

And just take the thought that Richard had here about artificial intelligence, Internet of Things. I mean, just, just, we're just gonna get more of this, right? All right, so, so the, so the broad assumption, I think, and go back, run the clock back 10 or 15 years, as you get more and more immediate, intimate communications between and among human beings, all right, I think there is a natural instinct that that would lead broadly, you know, over time, in, in the direction of greater understanding, because, you know, will we get to know each other better. It has led in the opposite direction. It is, it is driven most of our species back to tribe, back to family, back to faith, and in a way from, from a convergence in, in terms of a common unity human identity. That was unexpected. And I guess one of the questions I would ask is, do we continue down that path, all right, which is kind of nativist, nationalist, populist, do we continue down that path, or is that just the byproduct of first generation drivers in, in the new domain, and as we become more experienced drivers, says what we had expected in the beginning become more and more prominent? I don't know. But right now this thing that connects us magically, technologically, seems to be most useful as a tool for those who would divide us, and is that a permanent condition or not?

Thank you both, gentlemen. I really appreciate the robust discussion we've had. If I'm looking a round of applause for just. Thank you. You're not to disagree more next time. So up next is my colleague Brian Fung and a panel of experts to keep up the discussion. Thank you all for being here with us today, and we'll, we'll do this again sometime soon. Thank you, General.
Info
Channel: Washington Post Live
Views: 4,846
Rating: 4.9259257 out of 5
Id: FdiAQBXGsMg
Length: 30min 13sec (1813 seconds)
Published: Fri Oct 06 2017