00:00:01
[Music]
00:00:08
[Music]
00:00:21
uh Professor Amos Gora thank you so much
00:00:23
for joining us today thank you so much
00:00:24
for having
00:00:25
me on October 12th Leon panetto is the
00:00:29
former head of the CIA and now the US
00:00:31
Secretary of Defense spoke at a meeting
00:00:35
uh in New York organized by business
00:00:37
Executives for National
00:00:38
Security and he warned in that meeting
00:00:41
that the US faces a pre- 911 moment as
00:00:45
far as cyber security is concerned he
00:00:48
spoke about the possibility of a cyber
00:00:50
Pearl Harbor in which cyber actors could
00:00:53
launch attacks on the country's
00:00:55
infrastructure in conjunction with
00:00:57
physical
00:00:58
attacks uh do you think do you agree
00:01:01
with this assessment uh and how
00:01:03
vulnerable is the US today to such a
00:01:05
threat and what could be its
00:01:07
consequences I think first of all that
00:01:09
secretary paneto was spoton in terms of
00:01:12
highlighting the danger posed by cyber
00:01:14
security as we were talking before we um
00:01:17
started the interview I think cyber
00:01:19
security has gone under the radar and if
00:01:21
secretary Panetta intended to you know
00:01:23
make it the Bold headline Pearl Harbor I
00:01:26
think he was um effective and successful
00:01:28
in that in terms of the threats posed by
00:01:31
cyber security I don't think there's any
00:01:32
doubt that the dangers and risks are
00:01:35
enormous and if he intended this
00:01:37
headline grabbing moment I think he was
00:01:39
right to do that and I think it I think
00:01:41
the discussion subsequent to that has
00:01:43
shown how important it is to have this
00:01:46
discussion now if such a Cyber attack
00:01:48
were to happen where might it come from
00:01:51
and who might the attackers be well I
00:01:53
think first of all those who are engaged
00:01:54
in cyber terrorism are seriously smart
00:01:58
sophisticated people so it's a different
00:02:00
kind of terrorist than say 9911 it
00:02:02
requires a different skill set it can be
00:02:05
from within it can be from without it
00:02:07
just simply requires having a pretty
00:02:09
sophisticated understanding of
00:02:10
Technology of how the systems work and
00:02:13
ultimately how to impact them and God
00:02:15
forbid how to shut them down and whether
00:02:17
again as I say comes from in within or
00:02:19
without I don't think there's any doubt
00:02:21
that if one thinks about down the road
00:02:23
threats that cyber security cyber
00:02:25
terrorism poses an enormous threat but
00:02:28
would the threat come from
00:02:30
say nation states or would they come
00:02:32
from lose groups of U hackers like
00:02:37
Anonymous I don't know about Anonymous
00:02:39
but I think it would probably come from
00:02:41
I would think more from non-state actors
00:02:43
than from State actors um and hackers
00:02:47
yes but obviously really sophisticated
00:02:49
hackers because if you think I mean they
00:02:51
don't if you think about the kinds of
00:02:53
dangers that they pose whether it's
00:02:55
shutting a system down whether shutting
00:02:58
cities down impacting banking systems
00:03:01
impacting the water flow of a system of
00:03:03
a city I mean it just goes on and on
00:03:05
because we are all obviously totally
00:03:06
computer dependent uh think about
00:03:09
airplanes in the air right um it just
00:03:11
goes on and on and I think in that sense
00:03:14
the dangers are so extraordinary one of
00:03:17
the things that worries me and I think
00:03:18
that's why it's important to have this
00:03:19
discussion is I'm not sure to what
00:03:21
extent we as a society fully and truly
00:03:25
understand the threat posed by cyber
00:03:28
security but depending on whether it was
00:03:31
another nation state that was launching
00:03:33
an attack or uh non-state actors as you
00:03:36
mentioned uh what might the defense
00:03:38
strategy be and and how would it differ
00:03:40
in each of those cases I think if it's a
00:03:43
nation state that's engaged in a Cyber
00:03:46
attack not cyber terrorism because
00:03:48
nation states don't engage in terrorism
00:03:50
right it would be a Cyber attack I think
00:03:52
that'd be equivalent to an act of war
00:03:54
and I think an act of war is an act of
00:03:56
war and according to article 51 of the
00:03:58
UN Charter that would certainly enable
00:04:00
the attacked nation state to respond to
00:04:02
the attacking nation state if it's a
00:04:04
non-state actor then it would be in the
00:04:06
context of counter terrorism and the
00:04:08
response at least from a legal
00:04:10
perspective as I as I advocate would
00:04:13
justify the nation state responding
00:04:15
aggressively to non-state actors who are
00:04:17
engaged in cyber terrorism which is yet
00:04:19
another form of
00:04:20
terrorism now to your mind which is uh
00:04:24
which are some of the most uh dramatic
00:04:26
examples of cyber Terror attacks in
00:04:29
recent times uh and what might be some
00:04:31
of the lessons that one could draw from
00:04:33
the way the situation played out I'll
00:04:35
give you an
00:04:36
example I number of years ago met with a
00:04:40
senior vice president of one of
00:04:41
America's largest
00:04:43
banks the bank had been infiltrated
00:04:45
slash hacked um by one guy who was able
00:04:50
to wire an extraordinary amount of money
00:04:53
after having set up approximately 400
00:04:55
fictitious
00:04:57
accounts and the kinds of money that
00:04:59
this one guy I through these 400
00:05:00
accounts was wiring was lots of money
00:05:03
all going to terrorism so there's a
00:05:05
direct link between cyber security cyber
00:05:09
terrorism and the financing of terrorism
00:05:12
that is deeply troubling and it was very
00:05:14
clear after the conversation with his
00:05:16
vice president that his bank huge Bank
00:05:18
in the United States was wholly
00:05:21
unprepared and unequipped to respond to
00:05:23
this that for me was a sobering moment
00:05:26
in fact it's it's very interesting you
00:05:27
mentioned that example because even in
00:05:29
his spe
00:05:30
Mr Panetta mentioned that there were
00:05:32
some us financial institutions major
00:05:34
institutions that were very recently
00:05:36
targeted for uh cyber attacks can you
00:05:40
give us a little I mean the the the kind
00:05:41
of attack they faced was the distributed
00:05:44
denial of service variety of attacks uh
00:05:47
could you speak a little bit about what
00:05:48
damage such such attacks can inflict
00:05:50
upon the institution well first of all
00:05:53
the fact that somebody is wiring or
00:05:55
first of all setting up fictitious
00:05:56
accounts and then wiring hundreds of of
00:05:59
millions of dollars to terrorist
00:06:01
organizations obviously impacts all of
00:06:04
us but I think maybe more than that it
00:06:07
shows how vulnerable the systems are and
00:06:10
I think if I go back to secretary
00:06:12
Panetta's comments about Pearl Harbor if
00:06:13
you go back to think about Pearl Harbor
00:06:15
itself how extraordinary vulner how
00:06:18
vulnerable the United States was in
00:06:20
retrospect and I think if and his using
00:06:23
the phrase Pearl Harbor is like a claran
00:06:25
call to understand our vulnerability and
00:06:27
to begin baby steps to more effectively
00:06:30
protect ourselves than to answer your
00:06:32
question and I think that probably is
00:06:34
the most important service he could have
00:06:36
provided no unlike um Ground Zero in the
00:06:40
case of a physical attack a Cyber attack
00:06:43
doesn't leave a crater no uh and even
00:06:46
when the private sector firms like the
00:06:48
banks you mentioned have their
00:06:50
intellectual property stolen very often
00:06:52
they are not even aware of the fact uh
00:06:56
how can firms get around this problem if
00:06:59
it
00:07:00
all I think the first thing that that
00:07:03
the private sector needs to do and
00:07:04
frankly also government is to recognize
00:07:07
that cyber terrorism even though it
00:07:10
doesn't leave a crater maybe leaves a
00:07:12
larger crater and to more effectively
00:07:15
begin the process of protecting
00:07:17
themselves and their assets against some
00:07:19
really sophisticated
00:07:21
hacking it probably doesn't have the
00:07:23
extraordinary appeal right of an attack
00:07:26
at the 9911 the building is blowing up
00:07:28
it's dramatic a cyber security attack is
00:07:31
not dramatic there's no there's no real
00:07:33
Visual and visuals are important but I
00:07:35
would think that from the perspective of
00:07:36
the private sector and the example I
00:07:38
give you about this bank if I were CEO
00:07:41
of an American major American financial
00:07:43
institution I would say to my relevant
00:07:46
vice presidents that in many ways our
00:07:48
vulnerability is less or no less our
00:07:50
building than our intellectual property
00:07:52
our accounts the money and that we need
00:07:55
to um take a pretty serious look at how
00:07:58
well we are protecting in ourselves with
00:08:00
the understanding that perhaps the
00:08:01
answer is we're not protecting ourselves
00:08:04
and then to undertake the process to
00:08:05
begin the process of protecting
00:08:06
ourselves from the Cyber attack the same
00:08:09
way we're protecting ourselves against a
00:08:10
physical attack Now American firms are
00:08:12
hardly alone in in facing these attacks
00:08:15
for example there have been reports
00:08:17
about a virus called shamun that
00:08:19
infected computer systems at aramco
00:08:22
right the Saudi oil company and similar
00:08:24
attacks have also been observed against
00:08:26
Ras gas in in uh a major energ producer
00:08:29
in Qatar right U so Al although cyber
00:08:32
warfare can take place take place
00:08:34
anywhere in the world sure which
00:08:36
countries and companies do you think are
00:08:38
the most vulnerable uh to such threats
00:08:41
today well if One Believes the various
00:08:43
media reports with respect to cyber
00:08:46
attacks against Iranian assets last year
00:08:48
and the previous year the studnik then
00:08:50
it shows that indeed as you correctly
00:08:52
mentioned that both States and
00:08:54
Enterprises are vulnerable and Iran
00:08:56
raises obviously important questions
00:08:58
because of the nuclear program and how
00:08:59
to convince the Iranians not to go
00:09:01
forward with it and as tnik showed they
00:09:03
are vulnerable um I think they probably
00:09:07
present a pretty compelling example of a
00:09:10
nation state engaged in an act creating
00:09:12
a nuclear industry that according to
00:09:14
some countries poses a threat to World
00:09:15
security world peace and then the
00:09:17
question becomes how do you convince
00:09:18
them not to go forward and if a the
00:09:20
penetration of a virus through cyber uh
00:09:24
is effective in dissuading them from
00:09:26
going forward then I would say a shows
00:09:28
their vulnerability and B maybe that
00:09:29
shows the effectiveness of some kind of
00:09:31
a Cyber attack well I'm glad you brought
00:09:33
up stack stack net because I I was just
00:09:36
about to ask about that uh as you may
00:09:39
know uh have seen recently there was a
00:09:41
huge article in the New York Times about
00:09:44
the fact that uh uh that that mentioned
00:09:47
that perhaps the US and Israel had had
00:09:50
collaborated to create that uh uh the
00:09:53
computer worm right with the goal of
00:09:55
crippling the Iranian uh nuclear
00:09:57
facility in natans
00:10:00
uh now under international law uh as it
00:10:03
exists today are such attacks by the US
00:10:06
and Israel legal on the assumption that
00:10:09
indeed the US and Andor Israel were
00:10:11
involved in right that's going to be the
00:10:12
Assumption then I think you can make a
00:10:14
pretty viable argument in the context of
00:10:15
self-defense that the introduction of
00:10:18
this worm or virus would meet various
00:10:20
standards of of international law for
00:10:22
the following reason Iran has been very
00:10:24
clear about two things one is creating a
00:10:26
nuclear industry and two a pretty clear
00:10:29
articulation of their desire to use that
00:10:31
the nent bomb if it were to be developed
00:10:33
against Israel I mean right and then the
00:10:36
question becomes how does Israel protect
00:10:38
itself and what are the limits of
00:10:39
protection protecting itself in the
00:10:40
context of self-defense so if there's
00:10:43
this industry being created nuclear
00:10:44
program and these threats then I would
00:10:46
think that an introduction of a virus
00:10:48
would meet this test a of self-defense
00:10:51
and B of limited self-defense and so I
00:10:53
think from the perspective of
00:10:54
international law I think that meets
00:10:56
those tests okay now St net was detected
00:10:59
when it quotee unquote escaped uh from
00:11:03
Iran and found its way to the West uh
00:11:05
according again to according to the New
00:11:07
York Times uh us officials blamed Israel
00:11:10
for this but regardless of who was
00:11:13
responsible and who's at fault what are
00:11:15
the chances that digital bombs like
00:11:17
stuck Nest can fall into the wrong hands
00:11:21
and then end up being used against the
00:11:23
creators uh is there anything that can
00:11:24
be done to protect uh people against
00:11:27
that's why one hopes that those who
00:11:28
create the world or the viruses are
00:11:30
sophisticated enough to also introduce
00:11:33
firewalls to make sure that it doesn't
00:11:34
bounce back right you don't have a
00:11:36
boomerang effect and therefore you don't
00:11:37
have what you know what's good for the
00:11:38
goose is good for the gander that
00:11:40
obviously is going to depend on on the
00:11:42
the technical skills and competence of
00:11:44
those who are creating the viruses but
00:11:46
there's always a risk whenever you
00:11:48
create some kind of an aggressive
00:11:50
mechanism U if it falls into the wrong
00:11:52
hands you know it can you never know
00:11:55
where it's going to potentially end up
00:11:57
now countries like China and Russia are
00:11:59
said to be actively developing their
00:12:02
cyber
00:12:03
capabilities uh now as cyberspace
00:12:05
becomes a war zone is it realistic to
00:12:08
believe that International regulations
00:12:11
could be developed to bring about
00:12:12
greater
00:12:13
transparency uh and given the global
00:12:16
nature of cyberspace and competing
00:12:18
national interests who would oversee
00:12:21
compliance that's a great question and
00:12:23
it goes to a larger issue let's call it
00:12:26
the the changing nature of international
00:12:28
law to what extent is international law
00:12:31
relevant to changing forms of technology
00:12:33
and
00:12:34
Warfare no doubt the issues you're
00:12:36
raising here at China Russia cyber cyber
00:12:39
cyber cyber space is probably going to
00:12:42
require various International
00:12:44
organizations um to be more involved in
00:12:46
this in terms of international
00:12:47
conventions International treaties
00:12:49
regulating the use of
00:12:51
cyber here we are 2012 and the verge of
00:12:54
2013 I think we're a long way off from
00:12:57
really fully standing a the the
00:13:01
dangerous post and B the benefits
00:13:03
perhaps and it's going to take um
00:13:06
Scholars academics the International
00:13:09
Community Technical people computer
00:13:11
experts to work together to a understand
00:13:13
the limits and then to create it need as
00:13:15
you say some kind of regulatory
00:13:16
mechanisms to ensure that these new
00:13:18
means are not used
00:13:20
nefariously right now in the US uh some
00:13:23
efforts are being made to deal with the
00:13:25
legal issues also through initiatives
00:13:27
such as the cyber Security Act of 2012
00:13:31
which was co-sponsored by Senators
00:13:33
liberman Collins Rockefeller and
00:13:35
Feinstein uh now the legislation has
00:13:38
bipartisan support as far as I
00:13:40
understand but it has fallen victim to
00:13:42
legislative and political
00:13:44
gridlock uh could you explain what some
00:13:46
of the major hurdles are and what the
00:13:49
implications will be if the ACT becomes
00:13:51
law well first of all let's begin with
00:13:53
the gridlock there is um here we are in
00:13:56
election day right there there is
00:13:58
something called politics in the United
00:14:00
States um and issues like this even
00:14:02
though there's bipartisan support
00:14:03
there's always a political end to it a
00:14:05
political aspect to it a lot of it
00:14:08
obviously needless to say is related to
00:14:11
the politics of Washington at the moment
00:14:14
two going back to how we began our
00:14:16
conversation I think there's still
00:14:17
question to what extent we all
00:14:20
understand the dangers
00:14:23
posed I think also there are questions
00:14:26
in terms of who's going to be your
00:14:27
question about regulat mechanisms and I
00:14:30
think probably this stage 2012 2013 with
00:14:32
a new Congress coming in on January 20th
00:14:35
I think we're unfortunately a long way
00:14:37
away from as I said earlier
00:14:39
understanding the benefits and
00:14:40
understanding the dangers and even there
00:14:42
has been even if there has been
00:14:43
legislation introduced I think
00:14:46
unfortunately we're more at a beginning
00:14:48
stage than even at a middle stage in
00:14:50
terms of understanding this and I think
00:14:52
to that extent the the work ahead of all
00:14:54
of us is is extraordinarily complex but
00:14:56
simultaneously extraordinarily critic
00:14:59
critical like to end with a hypothetical
00:15:01
question you could be a law
00:15:03
professor what are the chances of an
00:15:06
allout cyber war between the East and
00:15:08
West developing into a conventional War
00:15:11
and what would it take to precipitate it
00:15:13
so I don't know about war between East
00:15:15
and West I think you know that Paradigm
00:15:17
um hopefully came to a crashing end in
00:15:18
December of ' 89 when the wall when the
00:15:20
Berlin Wall came down but I do think
00:15:22
that that cyber terrorism State
00:15:25
non-state cyber War state state um is
00:15:30
perhaps a more realistic option than we
00:15:32
would like to think it is a realistic
00:15:33
option and certainly more than it has
00:15:35
been had been five years ago and I
00:15:38
think something that as I say ear said
00:15:41
earlier and I want to emphasize we need
00:15:43
to be much more sensitive to and much
00:15:45
more proactive with respect to in terms
00:15:47
of establishing very sophisticated
00:15:50
firewalls to protect ourselves there's
00:15:53
no doubt that going back to I like your
00:15:55
the term of the crater the crater left
00:15:58
the crater right left by a Cyber attack
00:16:02
um in many ways is far more dangerous
00:16:05
than a physical
00:16:06
crater one because you don't see it
00:16:09
there's something um very disconcerting
00:16:11
about that and shutting down cities
00:16:14
shutting down systems shutting down
00:16:16
Banks the long-term ramifications of
00:16:19
that are extraordinary and um again as I
00:16:22
said earlier to what extent we have
00:16:24
begun the process of adequately
00:16:25
preparing oursel I think that's an open
00:16:27
question uh Prof Amos G thank you so
00:16:30
much for joining us today thank you so
00:16:31
much for having
00:16:36
[Music]
00:16:54
me
