Up | February 24, 2013
>>> owe the stuxnet virus, which was covered -- the story was broken by david sanger, precipitated by a department of justice investigation and who talked to david sanger about the stuxnet program, it does seem to me as a precedent. it's different when data is interrupting data. you're stealing data and it's all staying in the world of data. this is physical destruction precipitated by a hack. so you and your co-author looked at attacks thus far, but to me the issue is in the future, right? if this can be done, what is deterring, what's the logic of deterrence that's going to stop us from seeing more attacks like this.
>> i term it restraint. basically the precedent is collateral damage is a real problem. that was certainly an aspect that david talked a lot about in his book that was excellent. the other thing is blowback and replication. that if we use these weapons, they can come right back at us or they'll be let loose into the wild, so that's the real problem with cyber attacks. it's not like a missile, you shoot it, it's gone and blows up. the cyber attacks can come right back at you.
>> and stuxnet did get out into the wild, like you said. david, was the white house aware, was that part of the logic thinking about what kind of precedent are we setting for blowback and possible revenge attacks?
>> well, chris, as i reported in the book, president obama in the situation room meetings that he had held was quite concerned about the fact that when the word of olympic games got out, and he knew eventually it would, that it would be used by others who might not follow the same rules the united states does to justify attacks on the u.s. or others. and one reason that you knew that the stuxnet virus was written by a state with lawyers involved is that it had a sell by date in it. it actually expired in mid-2012. that's something that hackers don't tend to do. let me get back to your point about deterrence. there's a great tendency here to overanalogize with the nuclear world, and of course that doesn't always work. on the one hand, a cyber weapon is not going to do the kind of damage that a nuclear weapon will, at least to human beings, right, in the first order, unless there's a complete wipeout of a country's emergency response systems and electricity and so forth. but secondly, they are harder to trace the source than a nuclear weapon. you could sit in a mountain in the nuclear age in colorado and watch the incoming soviet missile or the mistaken view, but in a cyber attack it runs through many servers and it may take weeks or months to determine who the attacker is.
>> that's a super important point. so the mandiant thing probably took weeks or months to put together that report and they're talking about an attack that was five or six years in the making. the servers had been taken over and you look through the log files and do forensics to get to the bottom of it. when a cyber war attack, things will happen fast, in fact at super human speed. so this notion of watching the missile come in and taking 20 minutes to figure out what to do about it, that's not going to happen in a real cyber war attack. i want to get to the point of deterrence, though. i think that we do have a real possibility for deterrence and in the united states we're one of the only countries that can do it and it would be building systems that are much harder to attack that have much fewer vulnerabilities and that would kill all three birds that we were talking about in the beginning of the show with one stone. you know, so to speak. cyber war, cyber espionage, cyber crime, they all have the same root cause and that is systems that were built without security in mind. we have to fix that. we have to realize we're living in a glass house and fix it.
>> the takeaway to me, when you get beneath the hype, is that the thing that seems inescapable a lot of our systems are super vulnerable.
>> yes, they are.
>> as a matter of fact, whether the cyber war threat where state actors exploiting those vulnerabilities has been hyped up, the actual state of how open our systems are is pretty haggard.
>> that's really an important point, you know, because a lot of people just get so stuck in the hype that they don't think about the actual risk and the actual vulnerability. instead it's all this apocalyptic nonsense. so we have to realize there's some truth to this risk and some truth to the threat and we have to deal with it like adults.
>> two things on it, though. i think absolutely that we need to raise the bar of our security standards, of our -- the security in our systems. some industries are much better than other industries, but some industries are woefully inadequate in this space and we need to get the security defenses where they need to be. but at the same time, if it is a state-sponsored attack by a nation state actor, they're going to get in no matter what the level of security is. so keeping in mind that even if we had a state-of-the-art security system in place at a commercial entity, if you're targeted by unlimited resources by a nation state actor, they're likely going to get in.
>> i want to get your response, brandon, and you, gary, and talk about one of the strange things about this is the kind of blurred line between public and private, both in targets being private firms by state actors and also in the world of cyber security which seems to me there's quite a monetary interest for a lot of firms to hype the threat.
>> yes, there is.
>> so i want to talk about that right after we take this break. there is