Assessing The Threat of Cyberterrorism The cyber attack at Google's Chinese headquarters in December highlighted vulnerabilities in US network security. James Lewis, author of Securing Cyberspace in the 44th Presidency explains why terrorists see the Internet as the next frontier and how the Obama administration is responding.
NPR logo

Assessing The Threat of Cyberterrorism

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Assessing The Threat of Cyberterrorism

Assessing The Threat of Cyberterrorism

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


This is FRESH AIR. I'm Terry Gross. The recent cyberattack against Google was a wake-up call about how vulnerable we are. I recently read in the New York Times that Internet-based attacks on government and corporate computer systems have multiplied to thousands a day, and that hackers have compromised Pentagon computers, stolen industrial secrets and temporarily jammed government and corporate Web sites.

The White House director of National Intelligence, Dennis Blair, recently warned that terrorist groups are interested in using cyber-means to target the U.S. and its citizens.

We're going to talk about cyberattacks with James Lewis. He directs the Technology and Public Policy Program at the Center for Strategic and International Studies. He was the project director for the Commission on Cybersecurity for the 44th Presidency, a project started in 2007 to make recommendations to the next president about cybersecurity.

James Lewis, welcome to FRESH AIR. Now, Dennis Blair, the director of national intelligence, has warned that al-Qaida and its affiliates have made it a priority to stage a large-scale attack on American soil within the next six months, and there's a growing threat of a crippling attack on telecommunications and other computer networks. What do you think the odds are of a major cyberattack in the near future?

Mr.�JAMES LEWIS (Director, Technology and Public Policy Program at the Center for Strategic and International Studies): I still think they're pretty low. Al-Qaida doesn't yet have the capabilities to pull off the kind of big, disruptive attack that they really want. So, unfortunately for us, they'll be focused on explosives and kinetic weapons and the traditional attacks.

But, you know, let's not kid ourselves. Over the next few years, they will develop these cyber-capabilities. We might become a little more vulnerable, and we ought to expect something big to happen, certainly in less than a decade.

GROSS: So the crippling cyber-threats that Dennis Blair's referring to, what do you think they are?

Mr.�LEWIS: They exist, and anyplace that is dependent on a computer network that is connected to the Internet, which is almost every place, is vulnerable to some kind of attack. But the biggest one that I worry about is the electrical grid.

It would be possible to disrupt it remotely from another continent, and we know that foreign militaries have done the reconnaissance they need to do to plan for these attacks. So I'm not so worried about terrorists. I'm more worried about us getting into a spat over Taiwan or Georgia and having the Russian or Chinese military do something bad.

GROSS: Do you think that they already have software embedded in our system that they could just activate when they want to?

Mr.�LEWIS: Probably not, because the way that networks are configured changes relatively rapidly. The way that people connect things to them or the software they use changes. So if you put something in place, it wouldn't be any good six months from now.

What I do think they have is they have the capability to rapidly implant something or to rapidly identify vulnerabilities that they could exploit to cripple one of these systems.

GROSS: Now, from what I've been reading, it sounds like Russia largely has cyber-criminals who do a lot of hacking, whereas China might have governmental hacking goes on. Is that your reading of it?

Mr.�LEWIS: No. I think that both of them are using more or less the same model. They have very strong, very capable intelligence services, and in China's case, also the military. And these very capable government services are buttressed by mercenaries, irregular forces, you know, proxies, cyber-criminals who will act at the behest of the state. And that's relatively common.

You know, it's attractive because you can deny responsibility. It wasn't me. It was some patriotic hacker. So I see them doing the same thing - very capable government agencies supported by strong cyber-criminal communities.

GROSS: What's the closest we've come to what is often described as a cyber-Pearl Harbor?

Mr.�LEWIS: I don't think we have come close to one yet. People have worried about it for a long time. Time had the cover story in 1993 on cyber-Pearl Harbors. People have talked about it. They wondered if the 2003 blackout was a cyber-Pearl Harbor.

You know, if you were going to talk about Pearl Harbor, an intelligence Pearl Harbor might be more accurate in terms of foreign agencies, maybe the Russians, maybe the Chinese, maybe somebody else, breaking into DOD computers, breaking into government computers and making off with a treasure trove of secrets.

That's probably happened a couple times, but that's not a Pearl Harbor. That's - I don't know what you describe it as - anyhow, a huge incident that was very damaging to national security.

GROSS: But what you're describing, breaking into a lot of government computer databanks and getting information, that happened in 2007, didn't it?

Mr.�LEWIS: That's true.

GROSS: Would you describe it?

Mr.�LEWIS: It also happened in '98, if you were going to be fair, and probably in 2003.

GROSS: Can you describe the worst of those attacks?

Mr.�LEWIS: Well, the Department of Defense, the Department of State, the Department of Commerce, NASA, the Department of Energy all had significant penetrations. In the case of the Department of State, I was told...

GROSS: Which - this was in 2007?

Mr.�LEWIS: Yes, 2007. In the case of the Department of State, I was told that the unknown foreign intruders - who they suspected were the Chinese - the unknown foreign intruders had made off with terabytes of information. One way to put that in perspective is the Library of Congress, you know, with its millions of volumes, that's probably about 12 terabytes of information. And so somebody made off with the equivalent of a quarter or a third of the Library of Congress - incredible.

Similar episodes at DOD. The secretary of defense's unclassified email was hacked...

GROSS: Robert Gates' email was hacked?

Mr.�LEWIS: Yeah. NASA - I kept hoping they would steal the plans for the Shuttle because that would - whoever it was, that would put their space program behind.

(Soundbite of laughter)

Mr.�LEWIS: But unfortunately - you know, well, it was worth a try. The -unfortunately, they stole the most-recent rocket designs, it is alleged. You know, agencies have not very often come forward and confirmed this - State, Commerce, DOD to some extent.

You know, there was a more-significant problem in late 2008. In December of 2008, another unknown foreign intruder - but a very sophisticated one, so that narrows the suspects - was able to break into DOD's classified networks, so the networks that run CENTCOM, the command that's fighting our two wars. And they were able to sit there for a few days, and what they did we aren't quite sure, but that was probably a good example of a really damaging cyber-intrusion.

Some foreign government broke into the classified networks of our war-fighting commands, and we were unable to get them off for a few days. That's what the future holds for us.

GROSS: And we have no idea who broke in.

Mr.�LEWIS: On an unclassified level, they haven't said anything. You know, on a classified level, we always have our two favorite suspects. One of my rules of thumb in Washington is if your dog is sick, blame China. So, you know, go ahead, blame the Chinese. But we don't know, is the short answer.

GROSS: Now, you wrote a study called - for the Commission on Cybersecurity for the 44th President. And this was a group of more than 50 information technology experts in government, industry and academia. What are the main talking points from this study that you gave to President Obama after he was inaugurated?

Mr.�LEWIS: That this is a serious problem for national security, that we are not organized to deal with it, and the U.S. needs to both organize itself and come up with a coherent and functional strategy if we're going to beat this problem down to a level that we can tolerate it.

GROSS: What progress do you think President Obama has made in that direction?

Mr.�LEWIS: You know, the progress has been mixed. Overall, we're better off than we were a year ago, right? And some departments have done very well: the Department of Defense, the Department of Homeland Security, FBI, even the State Department. It's kind of amazing.

Where we've had a little bit of problem is at the White House itself, because there's been some internal disputes over how important this problem is, what priority it should take, what the philosophy behind our Internet policy should be. And there's a strong community in the White House that believes that we don't want more security because it could hurt innovation, or something like that.

GROSS: Well, there's a privacy question, too.

Mr.�LEWIS: You know, the privacy issue is - hasn't come up as much as the innovation issue. But I think privacy, it always lurks there. You have the unfortunate heritage of the Bush administration that makes it difficult to fix some of these problems.

You can't say, well, it's a crisis, so I'm going to suspend the Constitution and then have people trust you as much as they once did. Even though it's a new administration, the Obama folks have inherited, as with so many other things, the problems that the previous administration created.

GROSS: What problems did the Bush administration create in the world of cybersecurity?

Mr.�LEWIS: Number one was the warrantless surveillance program. You can't spy on Americans in what appeared to me to be contravention of the law and then say, oh, by the way, now we want to do monitoring for cybersecurity. Trust us. We aren't going to be looking at our content. It's a good line. I happen to believe it myself, but you can see how many would be skeptical.

Second, there just wasn't a lot of progress. The Bush administration didn't do anything on cybersecurity for its first six years in office. In 2007, there were major penetrations. It launched a program in response, but, of course, launching a program in the final months of your administration just doesn't help.

Finally, a big emphasis on the private sector and on voluntary initiatives and on doing things that would lead people to all join hands and work together against these problems - and we've been trying that now for more than a decade, and it just doesn't work.

So the inheritance that Obama got was pretty bad. When he was elected, both the director of national intelligence and the chairman of the Joint Chiefs of Staff told him that cybersecurity was one of his top five national security problems.

GROSS: Now, President Obama has appointed a new chief of cybersecurity, Howard Schmidt, and I believe the military has a new cybersecurity command. So does that get us any closer to moving towards cybersecurity?

Mr.�LEWIS: If you were going to enumerate the positive developments, first, Secretary Clinton's speech a couple weeks ago on what we want the Internet to look like, that it should be open and free for speech and that nations should be able to connect and that there should be consequences for misbehavior in cyberspace, that was a great speech and that really helped.

The president's own speech on May 29th, where he identified cybersecurity as a critical national asset that we would use all means to defend, that was fabulous.

So two very important steps have been taken in declaring to other nations, hey, this is a serious problem, and we're going to act seriously.

DOD has done an immense amount of work, partially because they're the big target. Someone at DOD told me that their efforts to penetrate DOD networks total about 300 million times a day, right. So they are constantly being probed by foreigners to see if there's a way in. And setting up cyber-command is useful. It might be a little more efficient. It brings the offenders and defenders together. But we haven't worked out the legal framework that would let us use these new military capabilities for defensive purposes, and that's going to be a hard struggle.

GROSS: My guest is James Lewis. He's a senior fellow at the Center for Strategic and International Studies, where he directs its Technology and Public Policy Program. He also wrote the report for the Commission on Cybersecurity for the 44th President. Let's take a short break here, and then we'll talk some more. This is FRESH AIR.

(Soundbite of music)

GROSS: We're talking about cybersecurity and cyber-war with my guest, James Lewis. He's a senior fellow at the Center for Strategic and International Studies, where he directs its Technology and Public Policy Program.

Let's talk a little bit about the kinds of attacks we really need to be worried about. You mentioned the power grid, that our power grid is vulnerable. What about downing the whole Internet? Do you envision the possibility of a cyberattack where, like, the whole Internet would be disabled?

Mr.�LEWIS: You know, people have talked about that. I think there's probably been at least one probe by somebody - again, we don't know who - to see, you know, what they could do to degrade the Internet. So, clearly, somebody out there's thinking about it. But I don't worry about it too much, for a couple reasons.

First, the Internet, it's pretty robust, a lot of attention to security. It was designed to survive nuclear war, right. So it's not a tender flower here when it comes to this attack stuff.

Second, if you are a cybercriminal or a foreign nation that is getting so much huge benefit from the Internet by being able to steal America's secrets every week, why would you bring it down?

The same is true for terrorists. It's a tremendous recruitment tool, fundraising, training, command and control. It's given them a global presence that they didn't have 30 years ago. They're not going to bring it down. It's just too useful to them.

So the possibility's there. People have looked at it, but I think everyone's going to go through the tradeoffs and say, you know, I'm better off keeping this thing so I can hit the Americans over the head with it than I am in bringing it down.

GROSS: Okay. What about cell-phone networks? Is there a way...

Mr.�LEWIS: You know, it sounded much more diplomatic, but yeah. And the same is true for everyone else. It's the - if we can use the old cliche, the goose that laid the golden egg. Why would you turn off a system when you're able to extract money and value out of it? Could someone else get that capability?

When you think of groups like the jihadis, al-Qaida, Hamas, Hezbollah, none of them yet have this capability. If I was going to bet on one, I would bet on Hezbollah. You know, so at some point...

GROSS: Why Hezbollah, as opposed to al-Qaida?

Mr.�LEWIS: Because they're more like a state. Because they have immense resources. They have a powerful state sponsor, Iran. They control a large amount of territory, and we know they're very advanced. They're technologically sophisticated. The Israelis found that out the hard way.

So Hezbollah's my favorite here for the terrorist sweepstakes. That doesn't mean, though, that some bunch of kids that's going to become disaffected and they're sitting in a room in London or in Pakistan or, for that matter, in the United States and decide hey, let's see if we can bring down the electrical grid or bring down the financial system in the name of jihad.

GROSS: If you're just joining us, my guest is James Lewis. He's a senior fellow at the Center for Strategic and International Studies, where he directs the Technology and Public Policy Program. And he wrote the report for the Commission on Cybersecurity for the 44th President, which was given to President Obama after he was inaugurated.

How did you get into this business?

Mr.�LEWIS: When I was in graduate school, you had a choice. You could either learn two languages - and I wasn't very good at languages - or you could learn a language and a computer program. And one of my professors was - one of my readers was very insistent that I learn how to program a computer.

So I learned how to program a computer, and not very good at it, you know, fairly basic skills, certainly out of date. But when I got to the State Department, the fact that I even knew which end of the computer was up made me their leading expert. So that was how I got into it.

GROSS: Now, you worked with Richard Clarke, didn't you?

Mr.�LEWIS: I did. I was just about to say I worked for a fellow named Richard Clarke, who is the godfather of cybersecurity, you know, the fellow who - if we had done what Dick Clarke had proposed 12 years ago, we would be much better off. But he saw me walking down the hall one day - I worked for him. And he said, you know how to program computers, don't you? And I said, yeah, why?

And he said, well, I want you to go out to NSA and work on this project called DES, which is D-E-S, Digital Encryption Standard. But at the time, I thought it was D-E-Z, DEZ, like the candy dispensers. I'm like, what the heck are they doing with Pez - that doesn't make any - so that was how I got into it.

GROSS: So this was in the Clinton administration?

Mr.�LEWIS: This was actually in Bush 41, in the first Bush administration, right at the end, in 1992.

GROSS: And what do you think - you said if Richard Clarke had done then what he wanted to, that we would be in a different situation. What was he proposing to do then?

Mr.�LEWIS: Well, he was kind of a visionary, and he was one of the people who recognized, in the mid-'90s, that cybersecurity was going to be a big national problem, and we needed to think more about securing.

And he had a vision for the role of government that was more energetic than the Clinton administration and certainly the Bush administration was willing to tolerate. So he wanted a White House emphasis. He wanted White House leadership. He wanted more direction for the business community. So, all these are things that we still need to do 12 years later.

GROSS: We're going to continue our conversation about cybersecurity in the second half of the show. My guest is Jim Lewis. He's a senior fellow at the Center for Strategic and International Studies, where he directs its Technology and Public Policy Program. I'm Terry Gross, and this is FRESH AIR.

(Soundbite of music)

GROSS: This is FRESH AIR. Im Terry Gross. We're talking about cyber attacks and cyber security with James Lewis. He directs the Technology and Public Policy Program at the Center for Strategic and International Studies, and he was the project director for the Commission on Cyber Security for the 44th Presidency. He first started working on cyber security with Richard Clarke in the George H.W. Bush administration.

Youve seen the Internet change so much in the years that youve been working on cyber security. One of the things that makes the Internet so valuable to us - so functional - is its interconnectivity. On the other hand, that's exactly what makes it so vulnerable. So are there parts of the Internet that you think no longer work that need to be redesigned for security?

Mr. LEWIS: You know, that's a good question. We dont want to monkey with it. It's been a fabulous tool. Look at how people have adopted it. I mean the uptake rate - even starting in the '90s. You know, people love the Internet and people love being able to go on their computers. It's reshaping business. It's reshaping warfare, right? So it's worked pretty well. But there's some problems. When it was originally designed, it was designed, as you said, for easy connectivity, right? And it was designed for use by a group of military officials and scientists all of whom pretty knew each other, at least they knew where they worked. So its very bad at identifying who was actually on the Internet. So youve got a system that is easy connectivity, bad at identifying who's who and you create endless opportunities for mischief. So we might have to go back and rethink some of the protocols, some of the rules as they apply to identity, as they apply to what happens when one computer tries to connect to another - difficult to do, might require some investment in research.

One of the problems is that, you know, 10 years ago America dominated this field. We were the ones who could come up with the rules. We were the ones who could say this is what the architecture will look like. Now it's a shared platform. If we come up with new rules, we're going to have to persuade the Europeans, the Chinese, the Japanese, the Indians, the Brazilians that it's a good idea and they should go along and we haven't been so good at that. So, yeah, there needs to be change but it's going to be harder to get than it would've been a decade ago.

GROSS: Have you personally investigated any cyber crimes, cyber attacks?

Mr. LEWIS: Well, I looked at one once that happened to a place I was working at and they, you know, you could - it was one of these denial service attacks. And it was really interesting to me because I was able to track back on where these attacks were coming from and, you know, one was a travel agency in Puerto Rico, one was a small manufacturing company in Michigan, and one was an optical equipment maker in Germany. Does that mean that we'd annoyed travel agents in Puerto Rico? No. What it meant is that whoever was actually attacking us had figured out how to capture these people's computers and was using them as a weapon. So once I got back that far, I kind of stopped because to go further I would've had to, myself, hack into the Puerto Rican or Michigan or German computers and I would've had to, myself, commit a crime, and at that particular moment I thought that wasnt a good idea.

GROSS: So, this means basically turning somebody else's computer into your robot to attack another computer.

Mr. LEWIS: Botnets, there's zillions of them. You can rent them. You can rent them by the hour, the week, the month. They're relatively cheap. The price has been falling. You know, you...

GROSS: Explain what you mean by botnets and renting them.

Mr. LEWIS: Robot network.

GROSS: Mm-hmm.

Mr. LEWIS: Which is a network of computers where the individual computer has, unknown to the owner, had some kind of malware implanted on it - malicious software - that allows someone else to remotely command it to do things. So the botmaster, as it's called, can send out a command saying everyone send CSIS an e-mail and 10,000 computers will send CSIS an e-mail.

GROSS: And that will disable your system because it will be overwhelmed.

Mr. LEWIS: If they do enough. That's what happened to Estonia. People talk about Estonia being brought to its knees and crippled and blah, blah, blah. None of it's true. The Estonians actually did a pretty good job in responding but they were under a lot of pressure and the pressure came from botnets that were launching hundreds of thousands of packets of Internet data against their networks. So, yeah, that's the - its the platform du jour, botnets. That will change but right now botnets are everybody's favorite.

GROSS: What are other favorite ways of attacking companies or individuals?

Mr. LEWIS: The high-end attacks will be more sophisticated and some of it involves what we call social engineering, right? So social engineering is, I get your e-mail address, I get some data about you, or maybe I find out your wife's name or your birthday or something and I send an e-mail - I get your contact list and I send an e-mail to all your friends. It looks like its from you and the header is: My birthday is coming up or something and it has the date. Inside that e-mail there might be embedded or contained some malicious package. The friend sees the e-mail, thinks it's from you, they click on they click on it and open it, hey presto, I've got him, right?

Works great and that's been used - that's, you know, it's a more labor intensive effort but it's used against high-value targets. The other one people know about now, I'm sort of upset it because it was so - it was such a wonderful technique that I'm upset it's become public now and people stopped doing it: Put some bad software on a thumb drive, you know, in three or four thumb drives, drive to the parking lot of the place youre targeting - DOD, some company, a bank - and scatter the thumb drives in the parking lot, right? Now, a good citizen picks up the thumb drive and...

GROSS: These are like little portable...

Mr. LEWIS: Yeah, the memory sticks.

GROSS: Portable memory sticks that you just plug into your computer.

Mr. LEWIS: Yeah.

GROSS: Right.

Mr. LEWIS: Throw - how much - it's not going to cost you that much. Throw four or five of them in the parking lot, someone will pick it up and plug it into their computer. And at that second, if they haven't taken certain precautions, and most people haven't, at that second you will implant your malicious software that will allow you to either take control or to exfiltrate data. So that's a good one too. People are learning about that one. That's how DOD got hacked last year. That's how CentCom classified networks got hacked so...

GROSS: That's how CentCom got hacked - that somebody picked up something from the parking lot and plugged it into their computer?

Mr. LEWIS: The other one I heard about is, of course...

GROSS: Wait, wait, is that true? T0hat's how CentCom got hacked?

Mr. LEWIS: Yeah. It was a memory stick. It was funny for me because I gave a talk once to one of these defense contractor groups about cyber security and at the end they gave me a present for talking. It was a memory stick.

(Soundbite of laughter)

Mr. LEWIS: Made in China. I said you clearly haven't been listening.

(Soundbite of laughter)

Mr. LEWIS: I've heard the same things happened at Justice where somebody scattered them in the men's rooms and Justice was smart enough to figure out that - whoever found it was smart enough to figure out not to fall for the trap. But, you know, look, youve got intelligence agencies with 10,000 employees and multi, hundreds, million dollar budgets who spend every day trying to figure out some way around your defenses. Youre going to come up with something.

GROSS: Jim, let's take a short break here and then we'll talk some more.

My guest is James Lewis. He's a senior fellow at the Center for Strategic and International Studies where he directs its Technology and Public Policy Program. We'll be back after a break. This is FRESH AIR.

(Soundbite of music)

GROSS: My guest is James Lewis. We're talking about cyber security. He's a senior fellow at the Center for Strategic and International Studies where he directs its Technology and Public Policy Program. He wrote a report for the Commission on Cyber Security for the 44th President. This was a report on cyber security that was given to President Obama after he was inaugurated.

Let's look at the story of what happened to Google recently - how it was hacked and see what we can learn from that. Google was one of I think about 34 companies that was recently hacked, mostly in the Silicon Valley...

Mr. LEWIS: Mm-hmm.

GROSS: ...companies in the Silicon Valley. Google's the one that stepped forward and said we were hacked. So did the others the other companies aren't talking. Describe what you know of the damage cost to Google and what the intention behind the hacking was.

Mr. LEWIS: There's always two motives. There's an economic motive, right, which is maybe Google has some neat technology, maybe I can steal that technology. The same is true for the 30 other companies. In this case, there's also a political motive. Maybe if I can get into Gmail and I can find certain people's Gmail account I can find out what they're plotting for Tibet or what they're thinking about other things. So in Google's case it was both economic espionage and traditional political espionage. Not the first time weve seen this.

GROSS: Do you suspect the possibility that China was behind the hacking of Google?

Mr. LEWIS: I've had this discussion with Chinese experts where I've told them that, you know, one of the problems with deniability is you have to be able to name another country that cares a lot about Tibet and, you know, I mean go through the list, Botswana, you know, Venezuela. Sorry, only one country in the world spies on human rights activists in Tibet. And when you see that, it's hard not to leap to the conclusion that that government was responsible.

GROSS: Why are you making that Tibet connection?

Mr. LEWIS: Because in this case, and in at least two earlier cases, part of the hacking involved ferreting out data on human activists - human rights activists in Tibet who the Chinese government had an interest in tracking, detaining and in blocking their actions.

GROSS: Now, why do you think Google went public when most companies dont?

Mr. LEWIS: Well, I mean Google is an unusual company and so I give them a lot credit for doing this. I mean some of it is they have - what's their slogan: Do no evil. Do no harm. Do no whatever, you know. They apparently take it seriously, right? So I think they were probably a little shocked. Second, Google, you know, has a very high regard for itself. They are among the most technologically advanced and innovative companies in the world but they were no match for a foreign intelligence service, right? And I think that shock helped prompt them to talk to - we keep hoping that some big company is going to be able to beat the SVR or the PLA and it's just never going to happen, but I think its a shock to people when they get whacked.

GROSS: Now youve raised the question about something like Google, where is the line between a company that's private, corporate or a public concern? So many people have Gmail, Google's e-mail service, so many people use Google. Google is now working with the National Security Agency...

Mr. LEWIS: Mm-hmm.

GROSS: kind of investigate what happened. They're also working with the FBI. What does it say to you that Google's working with the National Security Agency?

Mr. LEWIS: I'm impressed that they made the decision. They probably wished that it hadn't gone public and I'm still not quite sure how it got out into the public. You know, this isn't the first time that a company has gone to NSA and said to them: Could you do me a favor? Could you look at my code? Could you look at my network architecture? Could you look at my programs and see if there are any vulnerabilities that I should be worried about. This is not espionage. The NSA has two functions: they have a spying function. Sure we all know about that (unintelligible) intelligence. But they also have a security function and I think if you talk to General Alexander, who's the head of NSA, he'd tell you he has two hats. He has his spy hat but he also has another hat that says he's the head of the Central Security Service of the United States, which is the security service that tries to make our networks less open to foreign attackers.

So when Google went, I thought to myself, not a bad idea. Now, with the FBI, I'm sure they're actually doing the investigation of who was responsible, how far they can track it back. One of the things that's improved in the last couple years is the FBI's gotten some really good capabilities at investigation. It's still very difficult because at some point you will need foreign government cooperation - be interesting to see if we get it this time. I'd be happy to take bets with anyone on that. But between the FBI doing the investigation and NSA helping rethink Google's defenses a little bit, it's a reasonable choice for a big company.

GROSS: What does it mean to somebody who has Gmail or somebody who googles a lot that Google was attacked?

Mr. LEWIS: Well, you know, we tend to use this infrastructure and we have an assumption of privacy that it's like the telephone system where if you pick up the phone and call someone, youre pretty sure that with only a few exceptions no one else is listening in, right? But if you do that by e-mail, then you should not assume you have the same level of privacy. You dont have the same level of protection. So I think that's the main thing people need to think about is weve seen this we've seen it with Facebook, with Twitter. You have assumptions about privacy based on the physical world and they do not apply in the digital world. You need to change how you think about privacy.

GROSS: If youre just joining us, my guest is James Lewis. He's a senior fellow at the Center for Strategic and International Studies where he directs its Technology and Public Policy Program.

Jim, let's take a short break here and then we'll come back and talk more about cyber security.

This is FRESH AIR.

(Soundbite of music)

GROSS: If youre just joining us, my guest is James Lewis. We're talking about cyber security. He's a senior fellow at the Center for Strategic and International Studies where he directs its Technology and Public Policy Program. He also wrote the report for the Commission on Cyber Security for the 44th President. This was a report from more than 50 information technology experts and government industry and academia - a report that was given to President Obama after he was inaugurated.

Jim, one of the things youve been doing now is looking at the history of the Internet. And you were telling me before the interview started that the history that youre doing is actually connecting in interesting ways to the counterculture and the anti-war movement. What are the connections?

Mr. LEWIS: One of the things you hear a lot of times is that government should only have a...

GROSS: I should say, counterculture of the 60s anti-war movement - anti-Vietnam War movement.

(Soundbite of laughter)

Mr. LEWIS: Yeah, that's right. Yeah...

GROSS: Better be specific. Yeah.

Mr. LEWIS: One of the things that's interesting is a lot of the times we hear these claims that there's no sovereignty in cyberspace, that the government should have a limited role. And I was wondering, where did these ideas come from, because there's clearly sovereignty. And the notion that government should have a limited role sure, in some places that's right, but in other places, you know, like highways, if there weren't traffic cops and stop signs and stop lights it would be a mess. So how do we get to this place? And in looking at some of the original thinkers of the Internet - some of the original designers and architects - a lot of them were out there in Northern California and a lot of them had links to the anti-war movement or to the counterculture movement or to - one of them was a songwriter for the Grateful Dead.

I mean that's just, who would've thought it? And they had this vision of the Internet becoming a global commons that was open and free, that it was non-hierarchical, that everyone could participate, and that government would not be there. Right? That it would be kind of like Woodstock, I guess. And that was their vision. And, you know, it works in some places and when you look at the Open Source Movement or when you look at the Internet Engineering Taskforce -very open, non-hierarchical, great communities. But a self-organizing community is not the way to go for a global infrastructure that's become critical to business and critical to national security. And the fact that we approached the Internet thinking of it as a self-organizing global commune has put us at a bit of a disadvantage in coming up with solutions.

GROSS: In what way?

Mr. LEWIS: Well, one way is that the - and it's funny, you know, so you have the sort of the Libertarians - the Cyber Libertarians becoming allies, wittingly or not, with the business community. Because the business community also like small government, they dont want regulation, they dont want liability. And I'm afraid if we dont regulate companies and hold them to some standard we will never be secure when it comes to cyberspace. That doesnt mean heavy-handed regulation, but it's like saying we can get rid of the FAA because the airlines will take care of aircraft safety themselves. It's in their market interest. And that's not true. FDA, FTC, any of the regulatory agencies, we need to have some minimal regulations to get companies to do the right thing. A lot of companies do the right thing anyhow but not everybody.

The second problem is, then you get this question of well, where is sovereignty? What should the government actually do? And weve tended to say the government should just sit back and lead by example and exhortation. I call it a faith-based strategy because we have faith that it will somehow work out and weve been doing that now for about 10 years and it hasnt played out quite as we expected. So youve got an initial impulse towards this communal structure - a global community that is okay for some things but it's not the way to organize for infrastructure and national security.

GROSS: Didnt you have like two competing influences in the early days of the Internet, because the Internet's created by the Defense Department and they...

Mr. LEWIS: They had the...

GROSS: And then you have this more kind of Utopian strain when people from the counterculture start designing things.

Mr. LEWIS: It - DOD had very different goals at that point. And DOD, although they had the foresight to see that networks would be useful, they didnt realize - I'm not sure anyone realized what this would become. But, you know, DOD's problem was I want to make a phone call from Washington to Los Angeles and the lines run through Chicago and now there's been a strategic nuclear exchange and Chicago isn't there anymore. That was always very upsetting to me because I lived in Chicago at the time. And so how do I build a network that will automatically correct for these things that will insure continuous connectivity even in the most horrific of circumstances?

That's what they wanted. And they weren't worried about some of these other problems. So you had this strange confluence of events that led us to this notion that we're in a self organizing community. And to some extent there's truth to it. But now we have to ask: Is it time to bring law to the Wild West? The movie I always tell people to watch to understand the Internet is "The Man Who Shot Liberty Valence," right?

(Soundbite of laughter)

Mr. LEWIS: Because you have the bad guys and you have good ol' John Wayne but who does the stuff that you would need to get the bad guys under control. But at the end of the day, it's the wimpy lawyer, Jimmy Stewart, who brings law and order to the West. And that's what we got to do now. Good-bye John Wayne. Hello Jimmy Stewart.

(Soundbite of laughter)

GROSS: Have you heard a proposal that people should have some kind of license in order to be on the Internet?

Mr. LEWIS: Yeah. This gets to two of the issues we had talked about earlier: authentication of identity, how do you prove who you are? How do you enable someone to trust it when you say I'm Jim Lewis? The old cartoon about on the Internet, no one knows your dog, still applies, right? The other problem it gets to is civil liberties, right, which is there are governments in the world that would like to constrain free speech. And if you are firmly identified, that might help them in their ability to do this.

So weve got this tension between the need for greater authentication for security purposes and the need for preserving anonymity for some political speech. One solution has been a driver's license or some sort of permit or digital credential. A driver's license is just a credential, right? And you would use that for transactions that you cared about. You know, like the e-mail you didnt want everyone to read or your bank statement. And then you wouldnt use it for other transactions. You know, when you wanted to go that blog site and make fun of Dick Cheney or something.

GROSS: So do you support this kind of licensing?

Mr. LEWIS: No. I dont think it's a good metaphor because, of course, when you talk about driver's license, you immediately think of test right? And I see a different future for this. I see the computers becoming like telephones. You dont have to program your telephone; you dont have to think about your telephone. You pick up your telephone and you push some buttons and it works. And we're just going to have to move consumers to devices that are that reliable and that secure.

Asking them how to learn how to do things, all the stuff you have to do now to reduce risk, it's just too hard for most people, right? And it's not because it's intrinsically difficult but its how many people want to spend three hours reprogramming their computers so it's a little safer, right? I dont think that we need to be testing people. I think we need to be giving them equipment that lets them get out of being their own defenders. Frankly, just as a footnote, I'd like that for cars too. I can't wait for the days when theyll be a smart device on car or a computer on a car and the car will do the driving, and that way when you have snowy days like this, there won't be so many maniacs doing it.

(Soundbite of laughter)

Mr. LEWIS: So, yeah, I want, fix this problem for me. Get the consumer out of the middle and driver's license as a credential, its a good idea. But as a test or a permit, a bad idea.

GROSS: But you'd like the idea of identification and authentication?

Mr. LEWIS: We have to do that. You already do it now when you go on to your online bank. They ask you, you know, what was your dog's favorite dessert along with your password and your user name? It kind of works. It doesnt work perfectly, but we need better ways to say that a bunch of packets arriving over the Internet that say, I am Jim Lewis really are true. There are some technologies that will let us do that but there are privacy and civil liberties concerns overblown, in my opinion. But we will need for high-value transactions to come up with a better way to authenticate identity.

GROSS: Okay.

Mr. LEWIS: Otherwise, you could be a dog. Not you personally, but I meant one, one...

(Soundbite of laughter)

Mr. LEWIS: You know, we got to get - the dog cartoon, when was that, in 1995? We got to get past the dog cartoon.

GROSS: James Lewis, thanks so much for talking with us.

Mr. LEWIS: Sure. This was fun.

GROSS: James Lewis directs the Technology and Public Policy Program at the Center for Strategic and International Studies. You can download podcast of our show on our Web site, And you can follow us on Twitter and friend us on Facebook at nprfreshair.

I'm Terry Gross.

We'll close with a song that we dedicate to everyone who has been snowed in this week. This is a song by Dave Frishberg which he performs here with Rebecca Kilgore.

(Soundbite of music)

GROSS: On the next FRESH AIR, the story of the surgeon who developed the hernia repair, the radical mastectomy, the use of sterile rubber gloves and the medical residency system. But, through experimenting with cocaine as an anesthetic, he became an addict. We'll talk with Gerald Imber about is new book "Genius on the Edge."

Join us.

(Soundbite of music)

Copyright © 2010 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.