Hey, Al Scott Horton here to tell you about this great new book by Michael Swanson, The War State.
In The War State, Swanson examines how Presidents Truman, Eisenhower, and Kennedy both expanded and fought to limit the rise of the new national security state after World War II.
If this nation is ever to live up to its creed of liberty and prosperity for everyone, we are going to have to abolish the empire.
Know your enemy.
Get The War State by Michael Swanson.
It's available at your local bookstore or at Amazon.com in Kindle or in paperback.
Click the book in the right margin at scotthorton.org or thewarstate.com.
All right, y'all.
Scott Horton Show.
I'm him.
Scotthorton.org is the website with all the archives.
4,000-something interviews now going back to 2003 there.
And sign up for the podcast feed, would you?
Scotthorton.org.
Follow me on Twitter, at Scott Horton Show.
All right.
I'm happy to welcome Jeffrey Carr back to the show.
He is the author of Inside Cyber Warfare.
And he is the CEO of...
I forgot how to say it again already.
TAIA Global.
TAIA Global.
Welcome back, Jeffrey.
TAIA.
TAIA.
TAIA Global, Inc.
Thank you very much.
Very happy to have you here.
Now, as far as I can tell, you haven't written about this yet, but you gave a comment to Business Insider, so good enough for me.
That means you know something, you're willing to talk about it.
There's a big new thing.
Somebody hacked, question mark, the National Security Agency and leaked, period, at the end, some tools and exploits, as Business Insider puts it.
Hacking tools, NSA hacking tools.
Please tell us everything that you know about this.
Yeah, it's pretty disturbing.
A bit of information, the tools that were released online have caused a lot of disruption for U.S. companies and I think over a dozen of them contained unknown or heretofore unknown exploits by companies like Cisco, Juniper, and others.
This is a very controversial practice where an intelligence agency would, obviously part of their mission is to be able to conduct signals intelligence or gather intelligence electronically.
One way to do that, of course, is to find a way to collect communications from the source or from hardware that acts as a transfer point for messages or for video or for whatever it might be.
Since U.S. companies supply so much hardware, then we're sort of left with this situation, this very unfortunate situation where we have a U.S. intelligence agency finding ways to penetrate the security of equipment made by U.S. companies so that they can do their mission with foreigners that are using that equipment and they don't tell the company when they discover this exploit.
So this is all done very secretively, and there was some indication that this was being done when Snowden leaked his information years ago, but I don't think anybody really was expecting it to be done on this scale.
So what you're saying is you're saying that in the technology world, the professional technology world, there are basically shockwaves going around because they can see now with these published tools just the degree to which they can, I guess, now assume that the NSA is inside all of their major backbone components, whereas before it was speculation.
But right now everybody's kind of freaking out.
Now does that mean Cisco's engineers will be able to come up with patches for this or maybe not?
Yeah.
They will, but just a matter of time?
Yes, and they're already starting to do that.
So you can go online and you can see, and I don't have a current list in front of me, but you can see announcements made by these different companies as they release the patches to their customers.
So the problem, of course, is when you have these unknown vulnerabilities in U.S. hardware and the government is sort of discovering them and saving them or storing them for use in their espionage activities, if they have an insider that releases that information or if they are hacked or in some way or make an error, an operational error, and this information is exposed, then we now have really an untold number of vulnerabilities out there around the world that all of a sudden have become exposed.
So that's the tradeoff.
And I expect to see policymakers requiring the intelligence services to reexamine their use of zero-day exploits and how they determine whether or not a company needs to be advised about this vulnerability that they've discovered.
Elaborate.
What's a zero-day?
I just recently saw Alex Gibney's movie about the Stuxnet virus where they explain the zero-day.
Yeah.
So it's sort of like I think it comes from the term patient zero, you know, when you find the very first victim of a disease.
So a zero-day implies this is the very first example of a vulnerability.
And so when- Oh, I see.
I had it wrong.
I thought the way they explained it in there was it meant a kind of virus or worm or something that you didn't have to open an attachment.
You didn't have to do anything wrong for it to infect you that it would be so good it could get right into your system or something like that.
Yeah, no, that's not the definition.
Well, I'm glad I asked you.
Yeah.
So yeah, so zero-day is basically an unknown or patient number one, you know, the very first known vector of a vulnerability or an exploit.
And so that's what's so dangerous because when you have discovered, you know, let's say a new way to break a piece of software or hardware to break into it, right, to get to extract the information that you want from it and the user will never know.
When you've discovered that, that's worth, you know, it's worth a lot of money to a lot of people.
Criminals can use it.
Intelligence agencies can use it.
So, you know, you either store it.
If you're an intelligence agency, you either store it so that you can use it for your own devices or you try to find a buyer for it if you're a shop that sells these things.
And there is a market, you know, around the world for zero-days.
So now is there much danger that hackers can look at these NSA tools and say, wow, so that's how the professionals really get it done and actually, you know, find.
Because, you know, the things exposed in these tools now are going to be patched up, right?
But in other words, is this going to be sort of like a Ph.D. course for hackers everywhere to see the highest level version of virus code to copy, you know, change slightly but use later on?
Yeah, so that's a great point.
So what this has done is it has – this is now an example of a nation-state level – of nation-state level malware.
In the past, we've never really had, you know, a concrete example.
We've had theories.
So – and unfortunately, in the information security world, when reports come out, everybody claims sophisticated, everybody patches.
You never, ever, ever see a single – comes out and says, we've discovered this really unsophisticated basic, you know, malware that's being used by this team.
You never see that.
Everything is labeled sophisticated, and everything is blamed on a nation-state, right?
And speaking, you know, just for myself, but I know that others agree with me, we generally look at that and just call bullshit on it because it's so obviously not sophisticated.
But here is now – we now have a concrete example of something that is very sophisticated, clearly within the realm of a nation – of what you would expect from an intelligence service working for a foreign government or working for the U.S. government with unlimited budget and unlimited capabilities.
And so this is really – it's great from the point of view of security research, because it sets a – finally, we have a verified bar that we can measure other malware against, you know?
But it's terrible because, unfortunately, it has exposed the scale – the scope and scale of what the U.S. intelligence agencies have been engaged in for many years.
And this is just a tiny – you know, it's just a tiny piece.
So your imagination can – will take over, you know, from there.
Right.
All right.
Now, of course, all the original reports were, the Russians must have done this.
And in fact, I guess I didn't really read about it, but I think I saw a headline that said, that's what Snowden says, too.
But I wonder, because when I read this Business Insider article, they talked about how this stuff is nothing that could have been hacked from the outside.
This must have been leaked by an NSA employee, in this case meaning certainly not Snowden, but someone else.
What do you think of that?
Yeah.
So, unfortunately, there has been sort of this – well, all along, there's been sort of this knee-jerk reaction to stir the pot and increase tensions between the U.S. and the Russian government.
And I think that's just the unfortunate side effect of having an Internet where everybody has an opinion and everybody is looking to get a retweet or grab some new followers.
So they just spout, you know, the first thing that might be controversial or gain a little attention.
And then you have other folks that genuinely are phobic about a Russian hiding behind every bush.
This was really a good example.
I mean, a lot of folks looked at this and thought, this is clearly just some made-up text by someone trying to sound foreign.
And I thought the same thing.
You're saying that the text where they originally posted the leak here.
Yeah.
Yeah.
It was almost comical, you know, the errors that were deliberately inserted.
But, you know, that's just an opinion.
So, fortunately, TAIA Global has – our chief scientist has an international reputation for linguistic analysis, even though it's not necessarily a product that we sell, or at least it isn't currently.
It is something that we have done several times in the past, once with the Sony hack, where we showed through linguistic analysis that the hackers were more likely to be Russian-speaking than Korean-speaking.
And, again, with Guccifer 2.0, where we were able to show that whoever that person was, was not Romanian, which is what he claimed, but was more likely Russian.
Well, in this case, we were able to show that this was not a foreign language speaker at all.
It was a person who spoke native English and was deliberately inserting errors to make it seem like he was a foreigner.
So that sort of supports the idea that this might be an insider that's responsible for the release of this collection of malware that was developed by the NSA.
Well, and they're saying – they have a quote in here of a guy saying that these kind of tools would be on a computer system that has no connection to any outside network whatsoever.
So, even if you were the GRU or the KGB from the mists of the ancient communist past, you still couldn't get these tools from the outside.
They're just not available.
You hate government?
One of them libertarian types?
They just can't stand the president, gun grabbers, or warmongers.
Me too.
That's why I invented libertystickers.com.
Well, Rick owns it now, and I didn't make up all of them, but still.
If you're driving around and want to tell everyone else how wrong their politics are, there's only one place to go.
Libertystickers.com has got your bumper covered.
Left, right, libertarian, empire, police state, founders' quotes, central banking.
Yes, bumper stickers about central banking.
Lots of them.
And, well, everything that matters.
Libertystickers.com.
Everyone else's stickers suck.
Does that sound right?
Well, I don't have direct experience in this, so I can't really, you know, I can only tell you what I've read.
And I've read both things.
That it might have come from a staging server or a launch platform, where they'll load the malware and then attack a victim from that forward staging server.
And then after the attack is over, they're supposed to remove the malware.
And so maybe in this case, it was just an operational error, and they left it on the server, and somebody discovered it.
So that is one theory.
The other theory, which seems to be more popular, is that an insider had access, that the computers that these are stored on are not connected to the Internet.
An air gap, which this is known as an air gap computer.
But it's also important to note that an air gap is not a 100% secure means of keeping your information safe.
That, in fact, other malware, also developed presumably by the NSA, was designed to jump that air gap.
So yes, it makes it a lot more difficult, but it doesn't make it impossible.
All right, and then something you mentioned there about Guccifer.
Did I read you right that you are now satisfied that it really was the Russians behind the hack of the DNC, etc.?
Oh, yes.
So, yes.
I never disputed that it wasn't a Russian speaker or a native Russian that might be responsible.
My dispute is that it wasn't the Russian intelligence services that were responsible.
There are a lot of Russians in the world.
I worked with Russians when I was at Microsoft.
I have friends from Russia, relatives from Russia.
You know, Russian is, I think, the second most common language used on the Internet.
To say that Guccifer is a Russian speaker, sure.
That means it tells you nothing.
I'm glad I followed up on that.
I want to make sure that, because I wasn't sure if you were saying that now you had changed your previous view about that, when everyone else had jumped to their conclusions so quickly.
Yeah, no, no, no.
But, you know, thanks for bringing that up, because really that's the prejudice, right?
So if we say a Russian did it, well, you know, we assume, we make an immediate connection in our mind, that if you mean a Russian government official or a Russian soldier or a Russian, you know, an employee of the GRU or the FSB or the Russian police, well, no, no, that's a huge leap.
Right.
To say a Russian did it could mean a Russian living in New York City or in Seattle or anywhere in the world.
You know, just a native Russian speaker is all that we're really able to say.
Yeah, and really, even then, they could be from Argentina and just be really good at speaking Russian.
Or that.
Yeah, or that.
You know, they're so fluent that they fooled some computer experts into thinking that they were native Russian speakers, when actually, no.
Well, and, you know, my wife, she's from Ukraine, but she doesn't speak Ukrainian.
Only her aunt speaks Ukrainian.
She speaks Russian.
Everybody in Ukraine speaks Russian.
So you wouldn't even have to necessarily be from Russia at all.
There you go.
She must have been.
She must be.
Yeah, I think she must be the one.
I have trouble keeping track of her sometimes.
Okay.
All right.
No, so, okay, good.
Yeah, no, I'm glad we had a chance to go back over that.
See, my confirmation bias is the other way.
Anytime anyone accuses Russia of anything, I assume it's a damn lie.
Because that's all anybody in the American government does, is lie about Russia so they have an excuse to start a new Cold War.
But there's no question as to who's the evil empire this time and who's starting the Cold War this time.
And it's clear to see that their incentive is to pin it on Russia, even if Russia had nothing to do with it, even if it was a native, you know, Swahili speaker.
They still want to blame Russia.
So that doesn't mean that Russia never does anything.
But that just means, boy, you better prove it beyond a shadow of a doubt if you want to convince me now.
Well, the interesting thing here is it reminds me a lot of an unfaithful partner in a marriage.
So if a husband is cheating on his wife, sometimes that person who is actively cheating is also the most suspicious, you know, when it comes to being cheated on, right?
You're even more suspicious than an average person because you're actively engaging in the behavior you assume that other people are doing it to you.
And it's true in intelligence because we are so active, right, in breaking into systems and collecting intelligence and doing it successfully.
And there's so many organizations around the world that, of course, you're going to be immediately suspicious of others doing it to you.
So when you talk to people in the intelligence community, even anonymously, their inclination is, well, it must be the Russian government or it must be whomever.
I think that's just a characteristic of people that spend their entire career, you know, attack, surreptitiously attacking others.
So that's what happens.
But my concern as a citizen and a taxpayer and as just a human being is to lower the hostility in the world.
Most people don't want to live in a hostile, violent environment.
They simply want to enjoy their life.
So let's not jump to conclusions without evidence and make life even harder for innocent people outside of our borders or inside of our borders, our own borders.
If it's not Russia, then it's China.
It's just ridiculous that we continually have to be in this state of conflict, you know, unnecessarily.
Right.
And, you know, one doesn't have to be a fan of Vladimir Putin at all to simply just recognize that the Soviet empire is 25 years gone, that both sides still are armed with hydrogen bombs and that therefore we can and must be friends with the Russians.
That's it.
We've got to find a way to get along.
Simple as that.
And so this goes to my next question, which is, does a cyber attack on somebody else's economy, infrastructure, etc., does that really count as an act of war like a Pearl Harbor actual series of high explosives, you know, sinking boats and this kind of thing?
I'm sure you've seen the movie Zero Days here about the Stuxnet, but he breaks a story in there, Gibney breaks a story in there about how, forget Stuxnet, man, they had infiltrated code into virtually Iran's entire infrastructure and that if it had come to an actual war with them, I think they were saying if Israel had started one and dragged us into it, that they would have been able to basically flip a switch and shut down the entire economic infrastructure of the nation of Iran, that they were basically ready to go.
And I saw, I think Die Hard 7 or something was about this, right, where somebody is able to basically just turn off everything.
And I kind of think, well, that's just Hollywood, right?
It's not like every single, every dam and every electric company and every telephone company and everything is all just hooked to one internet that can be taken out that easily by some Zero Day exploits.
But then again, what the hell do I know?
They sure seem to be bragging about it in that movie.
What do you think?
Well, honestly, I haven't seen the movie.
Oh yeah?
It's on the pilot, right?
Yeah.
No, I mean, I know it's out.
I just haven't seen it.
I don't have a lot of interest in seeing it.
But I can tell you that it's not that easy, obviously.
Die Hard was silly.
That was silly Hollywood stuff.
And there is no such thing as an act of war.
There is no sort of legal term of art called act of war.
What you have is, what you have are rules of war and you have the right of self-defense.
And so the question is, if, let's say, Russia did the DNC hack in an attempt to manipulate the American political system or our election system, would that be sufficient, right, to allow us to respond against the Russian government in some way?
And so if the response has to be proportionate.
So if we were to make that leap and say, yes, we've decided that you have deliberately attempted to interfere with our critical infrastructure, which is the election process, and our response is to drop a bomb on you, then we'd be up shit's creek.
That's not proportionate by any stretch of the imagination.
So we might do something like what we did with Sony and say, we've decided that North Korea is responsible, and we're going to respond by initiating some additional economic sanctions.
It's not war.
It's just in a proportionate response.
If, on the other hand, a cyber attack was launched against the air traffic control system, planes collided, lives were lost, a huge amount of damage and harm was caused, then yes, proportionate response could be a war.
It could be a kinetic attack.
So it's got to be proportionate.
That's the key.
Right.
Yeah, that's an important point to make.
And it seems like – well, and this would be the same with kind of any new agency or whatever, but we have this cyber command, and from their point of view, they would probably like to consider lower degrees of attack that you and I would consider less dire.
They would probably try to rank those high up there, because I hear this talk all the time about a cyber Pearl Harbor and all this kind of thing.
This is the fancy new thing to be involved in in cyber warfare, so they have an incentive to kind of get in one.
And then that means all the other officers are jealous, basically.
They want some action, too.
So why not go ahead and treat a cyber attack as an actual attack, especially if, as you're saying, it's on something – air traffic control or maybe they open some floodgates they're not supposed to and drown a town or whatever.
I don't know, some kind of thing I hadn't thought of.
Well, we're actually going to explore that.
So I hope you don't mind, but we do – we hold a conference in D.C. called Suits and Spooks, and in January – we're holding one in January.
And we're going to explore with Mike Schmitt, who's an international authority in the area of cyber warfare and international law, what the new rules are around attribution, around countermeasures, around appropriate responses to different types of attacks.
There actually – there has been a book out now for a few years called The Tallinn Manual, and Mike has been busy working on Tallinn 2.0, and so we'll be exploring these questions.
They're important questions, and this is all a new field for soldiers and lawyers and governments.
So we hope to have more clarity on that at our event.
Yeah.
All right.
Now, I guess the one last thing would be about – if someone, the Russians or whatever boogeyman, really did try to do the worst cyber attack that they could, what kind of defense do we have against that kind of thing?
You know, I saw Michael Hayden say if this was a soccer game, the score would be 390 to 412 or whatever, you know, this kind of thing.
Offense does great.
Defense is basically terrible when it comes to getting into one of these kind of conflicts.
So the key is to build in resiliency.
So you're not relying on any one system.
You have alternative systems, like when it comes to the power grid.
The Department of Defense a few years ago – possibly still today, I'm not sure – but I know a few years ago, the GAO reported that the Department of Defense had approximately 32 very critical networks around the country that needed to be up and running, regardless of a power outage.
And I think only – at the time, only two of them were able to do that.
So they were heavily dependent on the public grid.
So an initiative began where they would build green-powered microgrids, you know, that were solar-powered or wind-powered or some other alternative energy source.
And that way, even if the public grid was down and stayed down, they would be up and running.
So resiliency is what is critical to mounting a good defense.
All right.
Good deal.
Well, listen, I won't take up any more of your time, but I sure appreciate you giving us some of it today.
Thanks a lot, Scott.
I appreciate it.
All right, y'all.
That is the great Jeffrey Carr.
Check out his book, Inside Cyber Warfare.
You can get it at Amazon.
And he is the CEO of TAIA Global.
That's T-A-I-A Global, Inc.
You can find his blog at medium.com slash at Jeffrey Carr.
And you can find his comments in this new article at Business Insider, businessinsider.com.
Experts have two theories for how top-secret NSA data was stolen, and they're equally disturbing.
That's at Business Insider today.
All right, y'all.
And that's The Scott Horton Show.
Stop by scotthorton.org to check out the archives and sign up for the podcast feed.
Stop by scotthorton.org slash donate to help support.
And I still have that special going on.
Anybody who donates $50 or more to help support the show gets a copy of the brand-new Murray Rothbard book of long-lost essays from 1967 and 68, all about LBJ and Vietnam and civil rights and all kinds of stuff.
And that is at scotthorton.org slash donate, $50 or more to help support the show.
And you get yourself a copy of that.
So check that out.
And thanks very much.
Follow me on Twitter, at Scott Horton Show.
See you.