Former White House senior advisor Paul Kurtz and James Lewis, director of technology policy at the Center for Strategic and International Studies talk about the state of cybersecurity readiness at the federal level. Prior to joining CSIS, Lewis spent 16 years at the Departments of State and Commerce. Kurtz is currently executive director of SAFECode and a partner at Good Harbor Consulting. The two cybersecurity experts said lawmakers are finally starting to "get" cybersecurity and why the threat of cyberespionage is a major national security issue. Congress is currently considering measures that could give more authority on cybersecurity issues to the Department of Homeland Security or create a new office within the White House. Lewis testified April 28 in front of the Senate Committee on Homeland Security and Governmental Affairs. The video interview was conducted by Information Security magazine's Michael Mimoso in April at the 2009 RSA Conference.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact email@example.com.
Federal efforts to secure cyberinfrastrucure
Mike Mimoso: Hi, I'm Mike Mimoso, the Editor of Information Security magazine. And joining me today are Paul Kurtz and Jim Lewis. And we're going to talk about the state of cyber security and the country's critical infrastructure. So, thank you both for joining me today. So, our first question today. With the recent news of the attacks on the country's electrical grid fresh in our minds, can you both characterize the state of the country's cyber security?
Paul Kurtz: I'll start. Why this is a surprise is probably a surprise to both of us, because this shouldn't be news. They're not really attacks. They're more like penetrations, preparations for attacks. Electrical grids are always a popular target. If you're an Air Force, you want to blow them up. And cyberspace just gives you a new way to attack them. And our opponents have mapped them out. Found their vulnerabilities. And should they ever need to, they'll be ready to launch something. That's where we are. That's a little bit of a disgrace twelve years after The Marks Report. But, you know.
Jim Lewis: There are three nightmare scenarios that I have. It's an attack against the power grid. An attack against the financial infrastructure. An attack against air traffic control. Unfortunately, in all those cases, we have significant vulnerabilities. It is depressing that we're still trying to come to grips with this. And as we're coming to grips with it, we have these, if you will, preparations for attack. Preparation of the battlefield for what may come in front of us. The adversary could be a Russia, it could be a China. It could be a small organization that's well funded. So, we do have a poor state of our infrastructure today.
Mike Mimoso: So, as you both mentioned, these attacks are not new. Yet, there's a lot more awareness about the frailties of the critical infrastructure today. What do you attribute that to?
Paul Kurtz: We've been on a trend for probably the last decade of moving towards greater and greater dependence on the internet. On internet-based technologies. On computer networks. And it's become, certainly in the last five years, a central pillar of our economy. At the same time, our opponents have realized what a woeful job we've done in securing this network. And for them, it's like a free day at the supermarket to come in and tromp around and take things. So, you've got two things going on. Greater reliance on our side. Greater opportunity for our opponents.
Jim Lewis: And I think the nature of the threat has changed as well. Four or five years ago it was the hacker nuisance. Then it evolved to criminal organization. My sensitive personal information. My credit card information, and that was all the rage. Now we have nation states as adversaries. We have other organizations who are taking a look at all of our infrastructure. Mapping that infrastructure and exfiltrating intellectual property. Different than your credit card information. It's intellectual property about plans, programs that the private sector has, as well as our defense industrial bases. So, that's all coming into tune today. Finally, government is starting to wake up to the severity of the problem.
Mike Mimoso: What do you believe that the overall problem is? Is it a lack of resources or are there just too many legacy systems involved here? Or are the system operators just in too much of a reactive mindset?
Paul Kurtz: Yes.
Jim Lewis: Yes.
Paul Kurtz: Part of it is we've been sitting around waiting for a Godzilla movie, where a giant reptile squashes the United States. And that's not going to happen, right? What we really should be waiting for is a spy movie, and that happens every day. And so, we do have legacy systems that aren't secure. We've had a woeful lack of attention, both in the boardrooms and in the government. We've had people say, "You know, my mission is healthcare. Why are you bothering me about this security stuff?" So, it hasn't been a national priority and we're paying for it.
Jim Lewis: We're slowly losing our qualitative military and economic edge through cyberspace. While cyberspace has been an amazing economic engine for us, now it's become a very large vulnerability. The vulnerability can be managed. We're beginning to come to terms with that. But it's like the air is slowly going out of a balloon right now. We need to arrest the situation with greater cohesion and coordination in the policies in the United States. But, also working with people overseas. This is not just a U.S. problem to solve.
Mike Mimoso: So, is it just too much of a sci-fi kind of problem right now?
Paul Kurtz: When you have the front page of 'The Wall Street Journal' today talking about attacks against defense industrial taking the Joint Strike Fighter or the F-35 plants out from under our nose, that tends to capture people's imagination a little bit. The article a couple weeks ago about the vulnerability of the power grid. We're finally starting to see the skeletons come out of the closet, and until we start to hear these stories, it's been difficult for people to focus. And for people to say, "Not my problem. Not my problem. Somebody else's to deal with."
Jim Lewis: I call it the conversion experience. People haven't thought about this. They don't worry about it. It's like your phone. You pick it up and you don't think. And then when they get the threat briefing, you can see them. They come out and their eyes are like this. So, we're seeing people go through the conversion experience as Paul said. And the Chairman of the Joint Chiefs, the Director of National Intelligence and apparently the President have all had that conversion experience. We need a few more people to have it. But, we're in okay shape in moving towards a realization that this is one of our greatest national vulnerabilities.
Mike Mimoso: The Obama administration has made a lot of high profile comments about cyber security. Ultimately, how would you both like to see this administration address the problem?
Paul Kurtz: Well, the President in his campaign said he was going to have a national cyber advisor reporting to him. The administration is going through the mechanics now of setting that up. Naturally, inside any administration there are a lot of things that have to be aligned. I'm optimistic that we will have that national cyber advisor in place. I think the point that is really critical is that that decision being made sooner rather than later. We're well beyond the point of study. We’re well beyond the point of trying to understand the problem. We know we need leadership. We know we need to rack and stack the priorities. That needs to happen soon so we can actually start taking more aggressive and bold measures in order to get the problem under control. And put in place a more resilient information infrastructure.
Jim Lewis: Yeah, you need an advisor. And to go with that advisor, you need a real strategy. And the advisor has to have the authorities, as Paul said, to carry out that strategy. Right now we don't have an advisor. We don't have a strategy. We don't have authorities. We have money, which is nice. But, it doesn't work unless you have the other three things. So, now's the time to move.
Mike Mimoso: So, is the advisor's ultimate challenge right now competing with the problem of the economy and other issues that the administration has to address?
Paul Kurtz: The challenges are steep. And there are a lot of pressing needs that we need to tend to now. Having a leader in the White House is not a panacea. It's not going to fix the problem. However, it is going to help pull the pieces together so we have a more common vision. In order for that individual to succeed, as Jim just said, the individual must have the authorities and the budgetary oversight in order to make sure we're spending our money, taxpayers' money, appropriately. Now we're just, if you will, drifting a bit. We don't have that senior person in place and until that person is in place, we're not going to accelerate the pace of conversion that Jim referenced earlier. We need to accelerate the conversion of people actually understanding the problem.
Jim Lewis: Yeah. You know the default position for government is inertia, right? So the advisor, whomever it is, will have to struggle against that, on top of all these other problems. The economy, the foreign situation. All the mess that's been inherited. But, that said, I'm not that worried about it. Because if we don't get it right this time, we can wait three months and our foreign friends will whack us in the head with a board again and we'll decide it's a big problem.
Mike Mimoso: So, there's been a lot of speculation about the responsibility for cyber security moving into intelligence or some other government agency and out of DHS. Do you both think that that's the right approach or ultimately what would you like to see happen?
Paul Kurtz: Ultimately, the Department of Homeland Security and agencies like the National Security Agency ,have a role in cyberspace. National Security Agency has the ability through its authorities to collect information overseas. To gather, if you will, a broader view of what's happening in cyberspace. But, what NSA doesn't have is necessarily that picture of what's happening inside the private sector. That's where the Department of Homeland Security becomes important, because of their relationship with the private sector. Ultimately, we have to fuse this together, we have to fuse the data together with the proper oversight. Making sure that we're not invading personal civil liberties. But, until we have that synoptic view of what's happening inside cyberspace, we'll take it on the chin. We'll continue to not necessarily understand where the attacks are coming from and these become exceptionally important questions that we need to solve. For example, if we do have a significant attack, can we really put together where it came from? Because we may be faced with questions of response. Not just recovery, how we put the system back together. But how do we respond? What if we have a situation where it looks as though China has attacked us, but it's really not China. Unfortunately, spoofing in cyberspace is all too easy. So, it's really important we gain that synoptic view of what's going on today in cyberspace.
Jim Lewis: Yeah. This is an intelligence problem. This is a law enforcement problem. It's is a military problem. It's a regulatory problem. And it's an emergency problem. If you like the idea of FEMA getting involved in this. We've got all those players involved. It's a commercial problem. You've got to have the Department of Commerce. It's a diplomatic problem. You've got to have the departments of state. No one agency has the capabilities that you need to solve this problem. We're weak in some areas as we're strong maybe in one or two. But, basically we're behind the curve. And that's why we keep coming back. Or at least I keep coming back to this idea. You really need the White House to pull this together and start moving out. Because there is no one agency that can do all the things that need to be done.
Mike Mimoso: So, you mention Capitol Hill. How is awareness improving there around cyber security?
Paul Kurtz: Growing but limited. With the awareness on Capitol Hill, you have a few members of the House and a few members of the Senate that are really tuned in. But, once again, when you have articles on the front page of the paper talking about the vulnerability of the power grid, the loss of the F-35 plants, captures people's imaginations. They've been briefed on some of the problems we've had and they're tuning in. When you have the Chairman of the Senate Intelligence Committee really turning up the heat to do something, when you have the Chairman of the Senate Commerce Committee turning up the heat to do more, that's a lot more recognition than we had just, I would argue, 16 months ago. A year and a half ago.
Jim Lewis: A couple months ago one of these Tibetan activists, the woman, was arrested when she tried to sneak into Tibet, and the Chinese slipped up when they arrested her. Because they said, "We know you're involved. Here's the email from some Senator's office that we've got." Well, one way to focus the attention of Congress is when they wake up and realize that foreign friends are sitting on their network and reading their traffic. That's what going on now. And it's really funny to see when Senators realize that foreign intelligence agencies are on their network. They get very excited and that helps us. Because it focuses their attention.
Mike Mimoso: The final question then. How and where can government do a better job with information sharing and cooperation with the private sector?
Paul Kurtz: The government has struggled for several years to put in place a framework which would allow for securer sharing of information between the government and private sector. It's not to say that it's all the government's problem, though. I think the private sector for its part needs to have that feeling, or that security, that if they share information about a vulnerability, it's not going to end up on the front page of the paper the next day. Government for its part, especially those involved in the intelligence world, need to understand the value in sharing information about potential vulnerabilities in the tax as, if that is not shared, then our information infrastructure and critical infrastructure remains vulnerable. And it's that debate, offense informing defense, that I think everybody's struggling with. A fusion center needs to be established. And by a fusion center, that doesn't mean everybody is co-located in the same physical space. At least virtually, we need to be sharing information more between government and the private sector. And interestingly enough, Senators Rockefeller and Snow, in one of the bills that they put together, talk about the need for a clearinghouse. A public/private sector clearinghouse for sharing vulnerability information and helping to facilitate action in the event of an attack. That's really the first time we've seen that off Capitol Hill. And Capitol Hill typically is very reluctant to suggest such fusion. But, I think they're starting to recognize we need to connect the dots in cyberspace. And this is a good place to start.
Jim Lewis: Yeah. Information sharing was the great idea of 2002. So it's time to get over it. Right? There are mechanical solutions. We need to build trust. We're stuck with things. We were laughing about it the other day in that we're still working off a diagram that Paul and a couple other people put together in 1998. For goodness sakes. It's time to move on, you know? Find some way to get companies to feel comfortable sharing. Get some way for the government to feel comfortable sharing. And then move on. Because this is a boring debate.
Mike Mimoso: Thank you both for joining me today. Once again, I'm Mike Mimoso for Information Security magazine, and thanks for watching.