I'm Robert Vamosi and by day I'm an analyst at Javelin Strategy and Research where I do security risk and fraud for the financial services industry. I'm also a blogger at Forbes.com. I'm a contributing editor at PC World Magazine. I write a monthly security column for Windows Secrets and I do a couple other things on the side. I've also written a book which I'll get to in a moment. This is Of Bytes and Bullets. This is the authors' panel here at DEF CON 18 and I'm joined today by Joseph Menn, Jeffrey Carr and Robert Knake and they've all written books and in a few moments they'll get a chance to talk about their books. My book hasn't come out yet. It will come out in March of 2011. It's called When Gadgets Betray Us: The Dark Side of Our Infatuation with New Technologies and it's basically a real world look at hardware hacking. And to give you an example, in chapter one I start talking about how criminals are using laptops to steal cars and I use a very real example of a gentleman named Radko Souček who is in the Czech Republic. When he was 11 he started stealing cars using the traditional tools of a screwdriver and pair of scissors, and around 2006 he switched over to a laptop because he found that he could get more cars quickly that way. I published the story in 2007 and got a lot of blowback from the auto industry, particularly the insurance industry, that cited numbers saying that the car thefts were actually going down. So how could I explain that? Could you actually steal a car with a laptop? So I felt challenged to pursue that. Did it in fact exist? And there are a few things that I found along the way and this is a good time for props I think. So at the moment most people have two ways of protecting their cars. One is the entry, the remote entry where you press a button and your car doors pop open and car lights come on, a few other things.
That's primarily made by KeeLoq and then you have the DST which is in the key and that's something for the ignition. It's got to be very, very close to the ignition in order to unlock the ignition and unlock the steering column and so forth. So there's two things you got to crack. Well it turns out in 2004 a Johns Hopkins team cracked this; it's a 40-bit algorithm so that was pretty much easy to do. And then 2007 somebody cracked KeeLoq. So you've got two cracks out there and you've got somebody like Radko Souček out there with the laptop. Could he in fact do this by himself? Well it turns out it gets a little easier. We've moved away from having two of these now where we just have one and we have remote key and remote ignition and you just press a button and boom the door opens and a button lights up and you can start the car. So once you figure out that code you own the car. So I think that's what's happening and we did see some real examples of that. There's a case where David Beckham, the soccer star, had two BMW X5s stolen off the streets in Madrid, one in broad daylight, and it's widely suspected that a laptop was used to steal the car. So there have been some examples of that and then in the book I look at other more personal examples because really this is gadgets that we use every day and it affects us very deeply. And just briefly I'll go to the one that affects us near and dear to many of our hearts and that is medical devices. There are movements now to move some of the electronic devices that we use in our bodies to the internet for calibration purposes, for remote diagnosis and whatnot, and they're not being secured properly. And so here it's kind of brilliant because you can just throw a piece of garbage at it and it's enough to defibrillate the pacemaker and send the heart into arrhythmia and if it's not corrected soon it can lead to death. So there's some very real consequences. Now who might be interested in doing something like that?
Well certainly organized crime could do that. You could target say the CEO of a large computer company that hasn't declared a successor and you could go after that individual and threaten to disrupt any medical devices in his body. You could even charge a ransom for that. That would be something for a criminal enterprise to do. And then certainly you could have a rogue nation state go after political leaders who are known to have these devices in their body. So there's some real consequences to not paying attention to hardware hacking and I bring them out in my book and as I said it'll come out in March of 2011. So to talk more about some of the criminal organizations and what they're doing and rogue nation states I'll turn it over to the panelists. I'll start with Joseph.

Hi, thanks a lot. So I'm Joseph Menn. I've been a mainstream newspaper reporter for 20 years and I must be doing something right because I'm still employed. And my book is called Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet. It came out a few months ago. So it's gotten very well received. And I've been covering tech security since '99 and I've always felt that smart people like the folks here know what's going on and even some people in Washington understand what's going on. But one of the many reasons that cybersecurity is so terrible is that the general public has no idea what's going on. And part of that's because it's genuinely complicated technologically and as I found out politically and legally. But in part because nobody has an incentive to explain it. You know, the software companies want you to buy their stuff and computer companies want you to buy your stuff and the banks want you to do stuff online because it saves them money and so forth and so on. And so what I worked for years to do was to try and find an adventure story, a true adventure story of good guys and bad guys that would cut through that.
And so I could educate people in a fairly painless, I hope, fashion. And this, my quest began in like 2003 when I was at the LA Times. And that's when, as most of you probably know, viruses became really commercial. And it was a really major change. And initially that was because the spam block lists were working and so they wanted lots of bots to send spam from safe IP addresses. But probably the second easiest thing you can do once you have a botnet is DDoS folks. And so one of the first things that they did was, and "they" is, in this case, Russian organized crime, the other folks who are doing it, was DDoS extortion. And they would start knocking over websites and say, "please to send $40,000 to Latvia by Western Union, you can have your site back." And I like this because this showed that it was, OK, this is serious organized criminal activity that's now taking over, is responsible for a lot of the bad stuff on the internet. And my grandmother can understand somebody knocking over a website. I don't have to go into zero days. I don't have to talk about patch cycles. The people can understand that. So I called the first companies that were getting knocked over. And as it happens, they were offshore gambling sites directed largely to US customers, which seems weird. I mean, why would a mob pick on another mob? It doesn't seem like it's sensible. But it is sensible because they had generally poor bandwidth, they are cash rich, and they are highly unlikely to go to the FBI for help, seeing as the FBI thinks they're a bunch of crooks. So I called those guys to try to make my story better and even more readable. And I was looking for human beings to put around it. And they said, well, you should talk to this guy, Barrett Lyon. He really saved our ass. And Barrett Lyon was, well, I didn't know him at the time. I called him. I assumed he'd be some boring 40-year-old white guy surrounded by PR people that wouldn't let him say anything interesting.
But I asked if he'd come to my office. And he said, yeah, sure. And he was 25. He's wearing flip flops and shorts. Totally unassuming. And so I said, OK, so tell me how you warded off the denial of service attacks. And he told me some stuff about the scripts he wrote and the additional bandwidth that they glommed on and everything else. And I said, well, try to make the story a little better. I said, did you learn anything about the attackers? And he said, yeah, I chatted with him. He said, really? And he said, yeah, yeah. I traced back some of the, it turns out a lot of the bots were running SNMP with the default configuration so that I could trace back where they're getting their traffic, where they're getting their orders from. And I joined this IRC channel in Kazakhstan. I pretended to be a bot herder. And I was thinking, why are my bots connecting to your channel? What's going on? What's happening with the code? And maybe I can help you and combine forces. I said, wow, that's pretty interesting. You didn't get their actual names, did you? Yeah, yeah, I actually got one. And over a couple months, pretending to be a bad guy, he developed a rapport with some of them. And one of them screwed up and let out his real IP address when he did a file transfer over IM. And then he made a couple other screw ups and he got his actual name. So I said, wow, I don't suppose law enforcement cared, did they? And he said, well, the FBI, not really, but England sent somebody to Russia for three years to chase these guys. And the story's just getting better and better. So I wrote a big front page story about him. And then later, I checked in with him and he'd gotten out of the business in kind of an interesting way. What happened was that the gambling guys thought he was so wonderful that they paid to set him up. They invested in a new business called Prolexic Technologies, which is still around, still doing DDoS mitigation.
And he checked back with the bots after a couple years in this business protecting blue chip companies. And the bots were no longer doing DDoS as they were sucking dry financial information. And the same bad guys were doing mass identity theft. So he couldn't really protect against that because they're going after consumers. And he's like a business infrastructure guy. The other thing that happened was around the third time that he had to meet payroll by going to a parking lot of a drug store and meeting a guy named Vinny who had a manila envelope full of 20s, he thought maybe his investors weren't such great people either. So in the manner of the Bridge over the River Kwai, he went back to the FBI and said, you might want to take a look at my own guys. And he wore a wire against people who were backed by the Gambinos. And the book outs him for what is essentially a subplot, so props to him for that. He's still alive. He's got a good alarm system. So that's the first half of my book. The second half is what happened in Russia. And the British agents, they stand over there. And it's really dramatic. And it's a happy story because they actually got three of these gang members. And they're in jail now for eight years, which never freaking happens. And I got really lucky because the British never put out a press release about it. And the guy is like, he came back with one of the wonders of the criminal justice world. And they locked it in a warehouse, like Raiders of the Lost Ark. The reason was that his agency, which was these really great investigative guys, got taken over by some other agency. And they were ex-intelligence guys and didn't believe in telling anybody anything. But anyway, when he was over in Russia, the bad guys tried to kill him. They tried to kill the judge. They tried to bribe the judge. And like I said, that's what we creative types call a narrative arc with a happy ending. But it's all a trick.
The real point of the book is why he couldn't go further upstream and not to spoil too much of it. But shockingly, very, very bad guys are protected by Russian intelligence, in part because they're used for cyber war in places like Estonia and Georgia. It's the same servers. It's the same people. It's the same everything. I mean, the garden variety corruption in Russia is absolutely mind blowing. You can't really understand unless you've been there. But this is beyond that. This is military state policy. And I'm sort of happy that I think there are things in Washington that are starting to address this. But anyway, a friend of mine at Google said the book is a public policy document disguised as a crime caper, which I like, because it's this fun plot, which happens to be all true. It's investigative journalism. And then towards the end, I get to state sponsorship. And then the last chapter is all policy proposals and stuff like that. And that's what I got.

Jeffrey.

All right. My name is Jeffrey Carr. I wrote Inside Cyber Warfare: Mapping the Cyber Underworld. It was a book that was spun from the Russia-Georgia War of 2008. My background was originally Microsoft, working on their business intelligence platform. And I have always been interested in data mining and semantic analysis of unstructured text and basically just trying to mine the web for little nuggets, little jewels of information in a sea of words, mostly having to do with national security. So because Microsoft wasn't interested in anything like that because it wouldn't make them any money, I went ahead and continued the research on my own, wrote a blog called Intel Fusion. And unbeknownst to me, it became a popular blog within the intelligence community.
And then when I started writing about the Russia-Georgia War, in my opinion, which was contrary to what was normally being written about, which was that this was a landmark example of how Russia conducts its cyber warfare operations, I was offered the use of an intelligence platform called Palantir. And I thought, well, why waste it just on me? I might as well try to enlist lots of people to use this platform and see if a bunch of motivated people with nothing but open source tools could uncover a link between the Russian government and these Russian hackers. So that's what we started and we called it Project Grey Goose, named after the French vodka. Because I thought it was funny if we named a project looking into Russian hackers after a French vodka and not a Russian vodka. And the project went very well. We produced a couple of reports. And out of that, I wrote this book. The book really discusses a lot of what Joseph just mentioned, although actually none of the details that Joseph just mentioned. But the underlying principle is that Russian organized crime creates, maintains, and innovates upon a platform which the Russian intelligence services can utilize from time to time through the use of what we would call plausible deniability and initiates operations that would ensure the continued success of the current president and prime minister against opponents, against opponents within Russian Federation and against member states of the Commonwealth of Independent States like Kyrgyzstan and Kazakhstan and Georgia and so on, Estonia. But it's so much more than that. China has its own methods of enforcing power through cyber operations. Many states in Africa have the same adoption in Middle East. And you name the country and they are embarking on some type of cyber operation in order to ensure power or to grab power. And that's what we mean by cyber war. It's not necessarily war fought by bullets.
In fact, if you're referring to China and Russia, they would prefer not to have any war that's fought by bullets. It doesn't serve their interests at all. Much better would be a war that could be won without firing a single shot. And that is, in fact, the advantage that the internet has brought to the world. It has become the great leveler, the great equalizer. No one in their right mind would want to face the US military in a conflict. However, fortunately, because of the internet, no one has to do that any longer. The 31 out of 34 of the Department of Defense's most critical assets are powered by the public grid. Public grid is so incredibly unstable that it's mind-numbing, actually, when you think about it. The interests of the Chinese military are to be able to penetrate that grid so as to interrupt a possible attack by the United States or by another power should an attack be imminent. Well, of course, an attack is not imminent, so we don't see the physical manifestation of that. But that has been and continues to be a policy of the Chinese military. And even in the Russian Federation, and again, my book covers a lot of this in detail, Russia is eager to go to the table on treaty negotiations to control the use of cyber arms. However, they will not even consider a treaty which would allow for cross-border law enforcement. The reason why is because exactly the reason that Joseph mentioned. Russia uses its organized crime elements to further its political ambitions when it's appropriate. A cross-border law enforcement treaty would ruin that. So therefore, that's not going to happen. On the other hand, Russia's plans to develop cyber weapons, they're potential plans. It's a potential weapon. And so they're happy to negotiate an arms control treaty. And what I've tried to do is really just write this book, the series of real-time events covering a broad geographical range so that it would inform the discussion.
The book has been well-received by certain parties and then criticized by others. Mostly the criticism is that it's not a cohesive arc. There's not a beginning, a middle, and an end. There is no end right now. This is an ongoing development. So it would be impossible to write it, unless you're writing a great story like Joe. Regarding the state of cyber warfare, who knows what's going to happen tomorrow. That's what makes it so endlessly fascinating. Currently, my business is to provide cyber intelligence on non-state actors, to clients in foreign governments, US government, and to private corporations. In my opinion, what we're missing in cybersecurity is intelligence on the actor side. We have lots and lots and lots of intelligence on the malware side. But the malware side in and of itself doesn't reveal attribution. Attribution, in my opinion, will be a combination of the malware with information on the actors and who that malware would serve and who has the means, motive, and opportunity to launch that type of an attack. So that's the focus of my enterprise.

Hi. My name is Rob Knake. I am a researcher at a foreign policy think tank in Washington. And the focus of the book I wrote with Richard Clarke, the former White House counterterrorism advisor and former White House cyber czar, really is at that level. It's looking at conflict between nation states in cyberspace and the future prospect of conflict between nation states in cyberspace. Some people have said that the book really is a call to arms. What we wanted it to be was more of a conversation starter. We threw out a lot of ideas about how to deal with that problem. But what we were looking for was a response back to say, you guys got all these technical issues wrong. You're missing this dimension. You're missing that dimension. And really try and do for cyber warfare what happened in the 1950s and early 1960s with nuclear warfare.
Develop doctrine, develop strategy, move away simply from a technical problem, a scientific problem, and employ all the methods that states can bring to solve international conflict and to reduce the likelihood of international conflict. Within the tech community, one of the things that's really happened with putting this book out is a lot of backlash to the idea that even something like cyber war could ever really exist, that nothing that we've seen today, even the Georgia example, even the Estonia example, really is warfare. That's a judgment call. But I think we looked at it and we said there are at least three things that are going to make it so that in the future if we haven't seen a cyber war yet, we will see one. And the first, some of what Jeff has talked about, is that at least over 100 militaries are setting up cyber offensive warfare units. And the second one is that if you look at US military strategy in this space, there was a recently declassified US military strategy for cyber operations. And that strategy is overwhelmingly offensive. It says we must have superiority in cyberspace the same way that we have superiority in the air and dominance in the sea. And so that said, we've got to attack first. We've got to go on the offensive, that we can't defend. That creates a very destabilizing situation internationally. If you look at a history of warfare, the times in which offense is dominant are when wars are more likely to occur. And so that means that looking out in the future, we're likely to see more wars start in cyberspace and they may not stay in cyberspace. And then finally, I think we looked at the issue of what people call cyber espionage. And in Washington right now, this is really the big concern because the level of espionage taking place is far above anything that ever happened in the Cold War. There's so much more activity taking place under the guise of cyber espionage than ever took place in human intelligence.
And really, though we know that the NSA is responsible for our cyber intelligence operations, it's not really signals intelligence. It's a lot more like human intelligence. It's just replacing the actors, the humans, with computers. And it's a lot easier to turn a computer than it is a human. And it's also a lot safer because you can do it remotely. And so for that reason, the level of espionage taking place is really, I think, causing harm in our relationships, particularly with China and with Russia. And in recent dialogues I've had with the Chinese, it was very clear to me that they had that view, that they thought that what was taking place between our country and their country in cyberspace was one of the reasons that relationships had been deteriorating. So that, I think, lays out the problem of cyber war and our concern about what could happen in the future. And then I think we came up with maybe three basic things that we needed to do in order to combat that problem. Our first problem that we really see is that the US is more vulnerable than China, than Russia, than any of these other countries. And that's really because our government has less of a role in protecting cyberspace. Effectively, government is out of that picture. And it's the private sectors and even individual consumers who are left to protect themselves. So we said we need to find a way that government can provide that protection while not intruding too far into the space without hurting innovation, without harming commerce, without becoming overly burdensome. And that's a real risk anytime government gets involved in the private sector. And the second big point that we had on what to do was to say that you're not gonna be able to defeat a persistent nation state threat that's military in nature, that's disciplined, that's operating around the clock through technical means alone. So you have to look at what you can do to shape the international system.
What you can do to establish norms in cyberspace that say this kind of behavior isn't acceptable. That's not espionage, that's preparation of the battlefield. That's destabilizing. You need to look at other treaty options than what the Russians have proposed, which would essentially trick us into limiting our capabilities so that they could develop theirs. And instead find ways that you can protect strategic assets that make the internet function without compromising our ability to carry out offensive operations when we need to. And then finally, the really most crucial point that Washington's facing right now is a need for a much larger cyber workforce within government and more broadly within the private sector. That really, it confuses a lot of people in Washington who think that this problem is all about automation, it's all about bits and bytes, when actually if you're gonna go up against a dedicated team that is going to persistently target your networks and systems, you gotta have an equally dedicated team around the clock 24 hours a day doing that, and we simply don't have enough people in government right now who have the kind of capabilities that you guys have. So that was our final point and probably the one that we've been stressing the most since publication of the book.

So we're gonna stay with this theme of cyber war since it unites all of these publications and I'm gonna direct the first question to Joseph here. You start with a very good explanation of how cyber crimes are organized, cyber criminals are organized and accomplish their goals and then you move towards the nation state toward the end of the book. And somewhere toward the end of the book you make a statement that there might be a point when the Russian Business Network could be hired by someone like Al Qaeda to do their dirty work.
And it almost implies to me that there's a point in the future where there might be criminal organizations that operate as mercenaries for various political interests. Would you agree with that or have any insights around that?

I think that's an interesting question. I mean, everything that the Russian Business Network, which if you don't know is the locus of all evil in the universe, everything they do is blessed. They don't do anything that's gonna make the Kremlin mad. And it would depend on whether Russia thought it would be too much of a diplomatic risk to take on a client like Al Qaeda. So organized crime is bad and organized crime backed by one of the most powerful countries on earth is worse, but it has some advantages, I guess, in that they're not gonna do anything that doesn't work from a cost-benefit perspective. I mean, the reason they've been able to do this stuff so far is that the benefits have outweighed the costs. There hasn't really been any punishment against Russia for their harboring some of the worst criminals in the world. And the benefits have been demonstrated in places like Estonia and Georgia. Not to mention the bank accounts of numbers of people in Russia. But I don't know if Al Qaeda'd be worth it. I also think that the cyber terror stuff so far I think is overblown. I haven't seen any really impressive capabilities demonstrated by those guys. Mainstream crime is what's going on right now and it's true that some very bad guys including jihadists have raised money through fraud on eBay and various other places. So that's a more pressing concern right now. But yeah, it is bad to have organized criminal groups floating around and having a wonderful capitalist ecosystem where they would rent out botnet time to whoever. So I wouldn't look to the RBN. First I would think that other people would rent out botnets to Al Qaeda, if they felt like it. Lesser-known groups.
So for Jeffrey, in your book at some point you make a comment along the lines that denial of service attacks are not criminal, they're acts of war. And I hope I'm reading that correctly but that's what I got from that section of the book. And I was wondering how something like the DDoS attacks that we saw in 2000 where Amazon, eBay, at the time I was working for ZDNet, we were all hit with this SYN flood attack and it turned out it was caused by a 16-year-old in Canada. So you had this foreign agent attacking U.S. interests. Does that rise to the level of the cyber war?

No, honestly I'm not sure which part of the book I said that in, but.

Okay, then there was a misread on my part.

I think that denial of service attacks tend to be more noise than, more bark than bite. I'm not really too concerned about them as much as like a SQL injection type of an attack where data is, where the backend web servers are actually compromised and user names and passwords are extracted. And for example, a Turkish hacker crew on Veterans Day attacked the U.S. Army's human resources division and they published hundreds of names of soldiers, their email addresses, where they were stationed. And this was all extracted from the web servers at the human resources. And on the same day they also defaced the U.S. Army website that attached to a base that held base design information, base architecture information. So that's much more worrisome to me when you're combining data which identifies individuals and data which identifies base vulnerabilities and you've got the same Turkish hacker crew doing both, much more serious than a DoS in my opinion. But does it rise to war, to a state of war? Probably not. There really isn't a legal definition for an act of war. It's a, that's a misnomer. There are, you know, a state has the right of self defense. The state has to show that harm has been incurred and generally speaking it's always been an armed attack.
So the legal scholars are still debating today what constitutes an act of war. I think, and in the case of China and Russia, as I said earlier, in my opinion, when I have the chance to speak to the U.S. Army War College or the Air Force Institute of Technology, which I was just at both of those in the last 30 days, I'm trying to communicate that we need to redefine what we mean in terms of war because if the goal of an adversary is to accomplish, is to succeed in establishing a superior position without the use of bullets or bombs or bloodshed, and that they're able to succeed in that through the use of espionage and through other nonviolent means then they've achieved their political objective. Well, that is by definition war, the extension of politics by other means. So in that regard, then yeah, it would be, you know, we need to think about it in terms of political strife and warfare.

Okay. And Robert, in your book, you co-wrote it with Richard Clarke and Richard Clarke is famous for a lot of different things, but he coined the phrase digital Pearl Harbor shortly after 9/11, and you cite a number of different specific examples of where cyber warfare has been used in conjunction with land warfare and an example I'm thinking of is the Israeli military attacking Syria and the nuclear plant there. There are a number of examples in the book. How come none of them rise to a level of a digital Pearl Harbor? What keeps them from being that?

Well, I would say first off, in the case of the Syria attacks, Pearl Harbor was the event that got the United States into World War II. We haven't been attacked with any of those weapons. The second point I would make on that is really that attack was an evolution of just electronic warfare.
It was a more sophisticated form of jamming and a much more effective form of jamming, but if you're not familiar with that incident, basically the Israelis using probably US technology were able to take over the air defense systems of the Syrians so that they did not see the planes that the Israelis were flying in to bomb their targets and the Israelis came in, they dropped their bombs, they left. Now, that certainly shows the vulnerability of those kinds of systems, of network digital systems to this new kind of warfare. But it wasn't what we were thinking of in terms of a Pearl Harbor-like event, which would be an attack on the United States domestically focusing on our critical infrastructure and targeting civilian systems. That, I think, is the area where we haven't seen anything like that yet. Right now, that really is in the realm of Hollywood, but the possibility is really out there that a nation state with the right incentives and the right capabilities could carry out that kind of attack.

Now, I know not everybody was at Black Hat, but on the second day, the keynote speaker was retired General Hayden, and he laid out sort of a military perspective on this whole subject of cyber war, and he was talking about the four domains that we're very well experienced with, land, sea, air, and space, and then he was talking a little bit how it's a bit undefined around the internet space. Is cyber war going to break out and be a fifth domain, or will it just be an aspect of those other four domains? I throw that out to all of you.

The latest, I think the latest publication that I read from the Army, while it does specify it as a fifth domain, but it also clearly defines it as one that permeates the other four, and I think that's an appropriate definition, because cyber, if you read my analogy, it refers to a Japanese book called The Book of Five Rings.
In that book, written by a swordsman, there are four rings representing four elements, and then the fifth was the void, which sort of permeates the other four. I think that's a good example for how cyber should be viewed as sort of a part and parcel of the other. I suppose that when you're dealing with the Department of Defense, they have a certain way of looking at things, and so cyber has to fit within that traditional way of defining warfare, and maybe that's why it has to be in that fifth domain, but yeah, I tend to prefer it as a part of the fabric of all of the domains.

I would say absolutely from a US military and government perspective, cyber is the fifth domain or the fifth commons that permeates the new national security strategy and that permeates all military thinking currently. For a long time, the Air Force in particular has been looking for a new mission since the Cold War, and they've picked up on this one, and they are going to make sure that this is a domain that they can dominate the same way that they dominated the skies in the Gulf War in Desert Storm, so absolutely.

I think actually the, I can't speak for the Air Force, but I know for sure that at least one publication for the Army has clarified that they do not believe that they can dominate that domain. So I think they've backed away from that concept, which in my opinion is not possible. I don't think anybody can dominate cyber space, but.

I mean, I wouldn't endorse that view, but I think it still does exist.

Anything to add?

No, I think that said, it's hard for me to imagine, I can't imagine a major conflict between serious, at least regional powers, not having a cyber element to it. I think there can be some cyber things that have no air, land, sea, space stuff. I think that's happening all the time, but I don't see it going the other way. I think cyber will be an element of any major conflict.
Okay, in a few moments we'll take questions from the audience, so if you wanna line up, there's a microphone right over there. Another question for the panel. How distinct is cyber crime from cyber war? I work in the financial services industry and I've been told over and over by the US government that they consider the financial services industry to be the vulnerable pillar and that's the one they're going to protect the most. So an attack on our financial services, if it's for profit, is that necessarily an act of war?

If I could take a stab at that one. The definitions aren't all serving us very well because this is murky in part for purpose. I mean, if the internet was built for deniability, it couldn't have been done better. I mean, it's really, really wonderful. Perfect attribution, I mean, my book writes about a case of perfect attribution, but it was kind of a pain in the ass. It took, I don't know, a million dollars and multiple years and got a confession out of some guys. That's perfect attribution, not ordinarily the case. I think that one of the many reasons that the Russian government has tolerated and encouraged the organized crime figures who are mainly going after our bank accounts is because that's really handy research to have and it's nice capability. And there could be destabilizing things in any number of ways. And one of them would just be loss of confidence, which maybe should happen sooner rather than later, even though that wouldn't do wonderful things for our economy. It's not safe now and it's getting less safe. Rambling answer, but there you go.

Any other comments?

I would just be happy if we shelved the act of war phrase since it doesn't exist. I mean, it's impossible to define it. It doesn't have any legal standing. An economic attack could have military consequences depending on the motivation of the actors, or none, again, depending on the motivation of the actors. So on the other hand, it's also a laboratory.
So the day job for a technologist working on behalf of a state government might be a crime, cyber crime, that's what pays the bills, but it also serves as a laboratory to refine tools. And the virus, the same Zeus Trojan that's used to steal from banks was also in February used to obtain login information from US government and foreign government employees. Same tool, you know, but it was used for a completely different purpose. So I think it all comes down to the actor side again.

I think the only thing I would add to that is that while cyber crime does not rise to the level of warfare, the level of cyber crime does have national security implications at this point. It is a national security issue. I think if you look at the most recent national security strategy and you compare that, the interest that it defines in economic prosperity, in the development and strengthening of our technology base as our main export, that incidents like the hacking of Google and the loss of that IP really do rise to a national security concern. And that's why in that area, I'd say we really want to treat that as a major cyber crime rather than as a case of industrial espionage perpetrated by a state because more likely than not, that was about profit motive than anything else.

I just agree with you on that. If you're talking about the Google attacks that they went public in January, I don't think that was largely about money. And I think it was very interesting how Google made it public and what they said, but one of the things they said is that they were trying to crack, they were cracking email accounts or other accounts of dissidents. And so I think there was clearly political motivation there as well. I mean, I think they wanted IP as well, but I think national politics was a big part of that.

I think that's just a question of which is the red herring. Is the red herring the targeting of the emails of the dissidents or was it the IP theft?
And my answer, the IP theft is really a much bigger concern to the national security of the United States than the hacking of Chinese dissident emails.

Yeah, I have to agree with you. Joe, I don't think it had anything to do with Chinese dissidents. There was a million ways it could have gotten information on that. They didn't have to have such a sophisticated approach to targeting Google plus another 30 companies. In my opinion, and this is purely my opinion, the target of that attack was cloud technology, cloud source code related to the cloud. The companies that came forward and said yes, we were part of this, a handful of companies, were all one way or another involved with cloud services. And Google, the very first thing that a Google executive said was this has nothing to do with the cloud. It has nothing to do with the Google cloud. So to me, that immediately tells me that that's exactly what it had to do with. But that's just my opinion.

All right, so we've got some questions from the audience. We have the first gentleman here.

My question is, a lot of times when you bang the drum about war or talk about a Pearl Harbor type incident, there's some context of losing privacy or losing something in response, right? People have to take a sacrifice to stand up to war. And I wonder if this is putting us in a context where we actually could still do a civilian approach rather than a military approach to critical infrastructure and to cybersecurity that would not require the loss of rights or would not have the same sacrifice attached to it. So for example, in 2003 when we had the major blackout in the Northeast United States, that was related to utilities or other examples of major catastrophes like Katrina, if we focused a civilian approach, would it be less likely to cause harm? And we would be less likely to want to give control to a military infrastructure.
I don't think anyone is suggesting that there's, I don't think anyone is suggesting that the military would have any control over civilian infrastructure. Anyway, it would be illegal. I don't even think that could be done. Yeah. Well, in having them lead the cybersecurity emphasis or having them run the department. Yeah, I'm not, I don't think that's been proposed.

Well, they're not. I mean, Howard Schmidt, as much as anybody's running it, it's Howard Schmidt and he's a civilian White House. And DHS is in charge of protecting domestic assets to the extent that anybody is. It'd be nice if I think the government was more in charge of protecting civilian infrastructure it's in private hands. So I think it's kind of a bugaboo. I mean, I don't think it's a big, that's not a, it doesn't keep me up at night. I think it would be nice if the government did some more stuff in this area quickly.

I would say that the, what I recommend when I have a chance to talk to somebody at DOD is that they act as a customer, that they understand that they are a huge customer for the civilian power grid and that they require, they should require that that grid be secure and that either the civilian power grid needs to make it secure or DOD should just create their own power source, their own internal grid, one or the other.

I would probably take it a step further and I would say that right now there's a lot of emphasis in Washington about how we can use those other instruments of national power so that we don't have to regulate in the private sector, so that we don't have to intrude on privacy. How can we create cyber deterrence, which is something that there must be a conference on every month in Washington, and do that in order that we don't have to make the investments domestically in protecting our infrastructure and protecting our network. So it's almost the opposite argument.
It's a lot like after 9-11 when the Bush administration basically said keep shopping and traveling, we'll take care of it, we'll fight them over there so we don't have to fight them here. I think that is currently the military's approach. It's really a water's edge out approach. I'm not sure it can be effective, but I think that's what DOD is looking for and I think right now that's what a lot of the discussion in Washington is around.

So we go to the next question.

Yeah, segue in your comment about cyber deterrence, I completely agree there's not enough debate in that area and I wanted to get the panel's opinion upon. So all these actors, they rely on operating in the dark, cyber crime operating in the dark, cyber espionage operating in the dark. In order to do their mission, they need to be in the darkness, unattributable. Well, the whole red herring of these actors not being able to be attributable is in my opinion, bullshit. And I think there's enough expertise in this room and core of the people in this room to actually know who does cyber espionage and cyber crime. So from a disruptive and deterrence strategy going to your cyber deterrence thing, I'd like to know how you feel about the community or communities opening up and releasing that attribution as a method of disruptive social attack where essentially you name actors, their full names or ages or dates of birth, their locations or friends or families or employers or car title. And the strategy being that you put so much emphasis and you basically turn them into Paris Hilton. So they have like fanboys chasing after them all the time. They have paparazzi. You may risk turning them into martyrs or heroes or whatever. But the point is that you attack them in that way to put so much emphasis on them that it's disruptive to them actually doing their jobs. So mob bosses don't necessarily want to hire hit men who have a bunch of fanboys running after them and like paparazzi.
It's a very disruptive attack and I'd like to see what you guys think of that unconventional strategy.

I'd love to take that one. I spent a fair amount of time in my book going through some of the really good work that private security researchers have done. Some of them anonymously, some of them without, many of them without any pay. But there's been terrific work, particularly in collaboration, on a lot of identifying specific bad guys, some of whom I named for the first time in the book. There needs to be a lot more of that. I mean, it seems like if this stuff should be published, you really gotta get it right though. If you name somebody and you're wrong. Who Wrote Sobig was a really important paper. And then there have been others like that, where they, right, this is the evidence, why we think it's this person and so on and so forth. I mentioned that Sobig was one of the first major scary commercial viruses though. It got cut off. But it was, the lead researcher who's anonymous traced it to Russian spammers. And he said, I think it's this guy. And that guy publicly was interviewed later and said no, it wasn't me. But he privately wrote to this guy and said, very, very interesting paper. If there's enough moral, people feel like a moral compulsion to contribute to Linux and to Mozilla and stuff like that. It seems to me that this is a much higher calling. And that exposure, not only to bad guys, but of the legitimate commercial enterprises that help the bad guys, the ISPs that serve them, the hosters that serve them, that's the way to go. That is absolutely the way to go.

The only thing I would add to that is I think it's a great approach. I don't really think we have an attribution problem. I think we have a response problem. I don't think we know what to do when we reach a level of attribution. We're at a minimum. We can say, hey, we know this was somebody in Russia. We know this was somebody in China. Will you help us track us down?
And the Russians and the Chinese say, no, we can't. Russians say it would be a violation of our sovereignty. The Chinese say, we have a huge hacking problem and 1.3 billion people and we're a developing country and really there's just no way that we can possibly help you. So we need a broader range of how we respond when we figure out who is doing something and that's no more so true than espionage than in any other area. What do you do when you're the target of intelligence collection? We have rules on that for real world. We had that during the Cold War. We don't have that yet in cyberspace.

The only problem I would add to that as a journalist, I'm tired of seeing Albert Gonzalez's picture everywhere and he's sort of the poster child for robbing credit cards all over the world and there are some people that are just gonna be in countries where they're untouchable and so by outing them and making them famous for one reason or another, there's just gonna be a problem because they're gonna continually get press and there's gonna be no repercussion for it. They're gonna be safe in whatever haven they've settled in.

I don't get that. I think so Gonzalez was working with in the indictment hacker one and hacker two, which they don't like to talk about at the press conferences when they brag about how much time Gonzalez got. But their handles are Annex and Greg. At least one of them has been known to the FSB in Russia for years because he's also 76. These are serious dudes and the FSB knows who the hell they are and it puts pressure on the government of Russia and embarrasses the government of Russia if we say these are the guys. The FBI in particular over the years has always said they're turning over they're cooperating, they're turning over a new leaf, they're really gonna help us on something and once in a blue moon they actually arrest somebody.
But it's not gonna happen and we need to be calling, if not the Department of Justice, then the general public, the security community, the press needs to call them on this shit.

We'll move on to the next question.

All of you talk about entities run by foreign states or foreign nationals but has it ever been talked about or considered legitimately about non-foreign entities such as the public, albeit rather limited to the success of the Anonymous group where you have a collective of people from countries all over the world focusing on a specific item or objective and carrying through that objective in an almost militaristic precision.

I haven't had a lot of experience with that. The only experience I've had was some contact with Australian authorities and they just consider the Anonymous group a joke. They're not even, it's not even treated seriously in Australia. I don't know if it's the same individuals that were responsible in other Anonymous attacks but I'm not well versed really in their activities.

Lots of people can do, I mean anybody can be a bot herder these days seems like you don't even have to, I don't think you only have to be a coder, you can just, you know, get time on it. The most bizarre sort of public thing I saw was Israel was mad at the Palestinians and about something and some Israeli group said, here download our software and become part of our bot so we can DDoS some Palestinian sites and people did it. People voluntarily turned their computers into bots. So yeah, people do all kinds of crazy stuff.

Any other questions from the audience? Great. We've reached the end of our time. I wanna thank the panelists today. Thank you.