Washington This Week, C-SPAN, November 21, 2015, 6:30pm-7:01pm EST
Mr. Watters: ...led approach to bring intelligence to the core of how they are thinking about and resourcing against threats. Most important, building an adaptive approach: they are looking at the money to deploy resources next year and then revisit next year. That does not work when the threat is changing every day, so you have to have an adaptive approach that constantly shifts. They have taken a lot of talent from the commercial sector. It's hard as a security vendor: former intel officers, former military intel officers, government practitioners coming out of the military into the commercial sector. You have almost seen a complete shift of military capability, a lot of this stuff, into the commercial sector, and they are leading in the same way the government always has. It's the intelligence approach, but it's finally getting here. A step in the right direction.

Mr. Slen: John Watters, do you use the public internet for your system? You are worldwide.

Mr. Watters: As little as possible. On the research front, yeah.

Mr. Slen: Is it an overbuilt type of thing?

Mr. Watters: The mechanics of how you communicate anonymously and maintain some level of anonymity in operations from an overseas perspective, that is kind of the dark secret of the trade. Everyone tries to anonymize who they are and what they do.

Mr. Slen: So if somebody is on their computer, Chrome, Safari, whatever, how secure are they?

Mr. Watters: I think technology companies do as good a job as they can with the ability they have to manage their own infrastructure. The weakest link is always people. If you have somebody in front of your house giving you the key to the house and telling you the combination to the safe every day because you walk up as the safe repairman and say, "Hey, junior, your mom said to stop by and fix the safe for you, could you give me the code, she left it under the mailbox," how do you protect against that? So these technology vendors, a lot of them get the brunt of the problems, whether it is Google, Microsoft, or whoever, but a lot of times the frailty is the people, the users themselves. A lot of it is just awareness, what is good behavior on the internet itself. The friction point that we are seeing today is beginning to prioritize security over efficiency. It is a pain if you have to log into the online bank and remember all these passwords and they send you a text, but you know what, security takes priority. So you will take some inconvenience now to be secure with your assets. That is another big tipping point we are seeing, which is good.

Mr. Slen: What is the dark web?

Mr. Watters: It's basically a part of the communication that goes on that is not open to Google. It's basically communication forums where people are buying and selling illicit cyber tools, whether they are cyber mercs for hire, or selling stolen credentials or selling exploit kits or bot infrastructures or selling access to customary environments. There is a whole dark web that goes on with this illicit trade. You cannot just build machinery to go listen to the dark web for the information. You actually have to have somebody engaging on it to be able to pervasively stay there and gain anything positive from the intelligence perspective.

Mr. Slen: What are some common forms or uncommon forms of malware?

Mr. Watters: There are common forms. There is destructive malware that tries to destroy your operation, your operating system, where you cannot reopen it. With some of that Sony breach, basically destroy your ability. There is encryption now, a locker type of attack: we will encrypt your data and if you send me a thousand dollars, I will send you the encryption key to use your data. One is destruction; one encrypts it with a third party. The most common is APT, advanced persistent threat, which is constantly on your system and cannot be detected and is trying to gain access to files and information and things of value from an information perspective to exfiltrate from your entity.

Mr. Slen: With the advent of wireless, has that made security more difficult or has it made it easier?

Mr. Watters: I think it has made it more difficult. It is just another access point. You talk about trying to maintain the protective layer without the idea of the threat: if you're not saying here are the threats that are active, how do I protect against those; if you do not look at the world through that lens, you say I have all these things to protect, how do I protect them, and you go to all the access points. The internet, all the devices, the connectivity with the vendors, the channel partners, you are so connected, and all the wireless connections; there is no way to protect everything. Wireless is just another expansion point of the ways into your environment from a threat perspective. Instead of trying to protect everything, the view that shifts and really shrinks the problem from the defender's perspective is: what are the threats I am concerned about, how are they executing those threats, not hypothetically but really how they are doing them, and how do I protect against those threats. Wireless access or wireline or a vendor or a particular type of malware, you should know what they are trying to do and protect against that. A finite, structural thing, not this infinite thing called any way in works. You cannot just protect against the radicals as the actual probables.

Mr. Slen: John Watters, on your website there is an article about the FBI saying you might as well pay the ransom because we cannot figure out how to get rid of this malware.

Mr. Watters: Yeah. It's an interesting turn, isn't it? The whole "don't negotiate with hostages," "don't negotiate with terrorists." At the same time, you are a little business, you cannot pay your bills or meet payroll because you cannot operate, and for $1,000 you will regain your operational efficiency until they do it again; at least it buys you some time. I think their point is probably that. If you need to operate your business and that is the only way to do it near term, buy some time and we will figure out a solution long-term. The ransom kits are pretty well written. The small defenses against them are tough. They can just change the code modestly every time, where the malware detection routines may detect the last version but not the next version. Again it's a pace of defending against things that have happened, not understanding what's going to happen.

Mr. Slen: We recently talked with Jim Lewis of the Center for Strategic and International Studies. He said that the main state actors are China, Russia, North Korea and Iran. Are there other actors out there, or nonstate actors, that are becoming real threats?

Mr. Watters: I think most national apparatuses have a capability they are using. The examples that Jim gave, almost every one of them to my knowledge are intellectual or intelligence position officers. They operate on two fronts. It might be China or Iran or Russia or North Carolina -- North Korea. If you look at the Sony breach, the North Korean government is saying we did this, or somebody in the North Korean military or the Guardians who say it is not us, it is just some interest of a group affiliation that got together to cause damage at Sony. They try to remove themselves from it, so there is plausible deniability, and there is a layer between the national apparatus and the executioner of the threat. A lot of these countries operate through third-party fronts, teams, groups, activists -- hacktivists, that gives them deniability. It is attribution, and executing it on that behalf.

Mr. Slen: In your building, you have a dark room with a lot of people on computer screens. What are they doing back there?

Mr. Watters: Analysis. It's easy to say you have the puzzle pieces, put together the puzzle; it is actually harder to do. The technical piece is technical skills: reverse engineering the malware, how it operates, how it compiles, how to break the encryption. They operate in the darkness and they sit there and analyze the problems to help customers simplify what they are looking at. Our customers send us malware they do not understand, "we are not sure how this operates," and we break it down and say this is how it operates and that is connected to this group and here is what they are trying to do. So you go from a technical problem to understanding the risk issue to make good decisions for the enterprise from the defensive perspective. The guys in the room, the technical guys, when the lights are off, it is usually analysis of a product.

Mr. Slen: Why does the room stay dark?

Mr. Watters: I don't know. When I got in this business, it was the craziest thing; when the lights go out, everybody likes to work in the dark. I think it is just easier for the guys to sit in a dark room in front of a bright screen. They work a lot; it's a passion. Working here or anywhere, they would be doing the same kind of thing. They love their job.

Mr. Slen: Do you ever hire ex-hackers?

Mr. Watters: We do not hire any black hats that have gone good. We are not in that business. White hat hackers that try to protect against black hats; we don't hire the guys who were bad who now want to be good. That is just too risky.

Mr. Slen: In our conversation with Jim Lewis, he talked about what he thought were the greatest threats, including an electrical blackout, such as we saw several years ago. Where do you see the biggest threat? Is it financial, warfare, etc.?

Mr. Watters: That's a good question. The latest one is really disruptive -- destructive malware, excuse me, like we saw in the Sony breach. Now your data is gone, you cannot operate in your environment, your ability to operate and communicate is out there, they have overwritten the databases, and your operational ability goes away. That is a scary moment. Any business that is connected, destructive malware, near-term, the effect, whether it is applied to take out electricity or take out a database or impair your ability to communicate; different ways to use destructive malware and disruptive malware. Where it gets used is really a function behind why. I don't think a lot of countries ostensibly want to bring a rebuttal from us because people are text-based in their thinking. If a country means to take out our grid, in theory it is like, well, they took out a physical capability for a country, so the response will be the same level of effects. OK, we can drop a bomb and take out theirs and we are even. People are still trying to figure out the policy on this, the cyber element that is used to create physical damage, can you go back and create physical damage? The rules of the road and rules of engagement are still unfolding on the national side. From the criminal perspective, they don't want to take out our ability to operate. That is their lifeblood. That is how they make money. You shut down the internet, you destroy data, you destroy the ability to operate, they have reduced the target-rich environment. They want to keep operating and expanding the flexibility and functionality of our banking system; it gives them more places to go. The criminal interests have no want to destroy us. That would be a nation or terrorist group.
Mr. Slen: John Watters, what are the mechanics of malware and the actors who put them out there? How does it operate?

Mr. Watters: The malware is just a component of it. The entire phase, you have to get into somebody's environment. Unless you are sophisticated or have unique proprietary access, somebody has to participate; they are just passively hacked. A lot of times it is an e-mail that says, hey, check out this CNN article on whatever, the C-SPAN clip, just click here. You click on the link and by doing so you just allow the malware into your environment.

Mr. Slen: Into the network?

Mr. Watters: Onto your desktop. Now I'm able to become you. Now that I'm in your environment, I can steal your passwords. You probably use the same passwords over and over again, so my malware will persist and try to expand as far as I can into the rest of the network to gain access to something of interest. So you have to persist. You have antivirus and all these things that are trying to scrape the malware, so it wants to hide and look like it's good, so it does not draw attention to itself. Then the malware tries to proliferate in your environment until it finds something of interest. Now it is harvesting the different data files, pieces of information that would be of interest to whoever the adversary is. You now need to get that information out in a way that is not detected. So if it takes a huge file and tries to send it somewhere, the alarms go off. So it says, OK, how do I get into the regular slipstream of traffic? If you are busy sending files between 9:00, 10:00 in the morning and 6:00 at night, it will go at those times so it looks like your network traffic. Now it has gained information outside of the environment. Now it has to get back. So it goes to drop servers to dump all the files. Then it has to get back to the host location without it being traceable. There are ways to clear its tracks, going through the navigation phase. That is how malware works. The malware and the spear phishing campaign, somebody has to say who creates the malware, because the guys do not create all their own tools. They go buy the tools. Who do I host it with? As soon as you click on a spear phish, I have a server that will download the malware. So I have spear-phishing malware; I have to buy it from somebody. You have different actors in the whole ecosystem. You have the person behind it, who was the mastermind, who has the objective. You have the tool providers, the infrastructure hosters, the people coming up with the spear phish, the people hosting the servers to exfiltrate the data to, and then all of the routing components. It is an entire ecosystem. What makes the intelligence executable is a lot of those are handled by third parties who are just selling malware or just hosting infrastructure or just hosting command and control, just hosting drop servers, or outsourcing the hack themselves to gain access for you. Let me just get the data for you. There are so many bit players in this ecosystem, the mastermind sits back and says, you know what, it's a lot easier to maintain my anonymity if I use all these people to do it for me. So they put together the puzzle pieces and execute the strategy and get what they want for the least amount of money possible.

Mr. Slen: Give us a snapshot of who that mastermind might be. A college student somewhere, a mathematician?

Mr. Watters: It varies very much by the type of cyber threat. A hacktivist is different from a cyber espionage campaign. Cyber espionage may be a national interest that does not want to operate through the apparatus to target the energy sector of another country or the defense industrial base; a degree of separation and plausible deniability. There will be a group of folks affiliated with the national interest that operates as a team or group saying, hey, we don't like energy companies, so we will try to steal their stuff. So they will create cause for action. The tools may be partially provided by the government. The infrastructure may be partially provided by the government. But it is an independent group. So the mastermind is typically somebody either currently or previously in that military capability. That is the national cyber espionage operator operating through a front. If you move into cybercrime, they use partially national tools, partially privatized. Crime groups vary. You have a lot of organized crime spillover; traditional organized crime groups have a cyber division, which will have somebody who says, OK, here is where we are going after to pick up information for identity theft, online banking theft, online payment systems, all those various flavors, and you have a VP in charge of each one. Then you have the service providers: the infrastructure providers you want to use, the vendor list; the tools you want to use, the malware manufacturers we want to purchase code from; who are the mules if we want to steal things out of the country and we need somebody to pick up an envelope to ship us money. They build the whole ecosystem of suppliers to their strategy, but they sit very well removed from that. They are almost never involved in the activity themselves. They bear the majority of the profits from it.

Mr. Slen: Are you reverse engineering? Are there fingerprints throughout this entire ecosystem?

Mr. Watters: Yeah, the fingerprints are any one of the suppliers in the supply chain. Your infrastructure provider, somebody who sells malware kits, selling and merchandising stolen credit card credentials or IDs that were harvested, all of the bit players buy from and sell to. They are getting their tools from somewhere. They are getting their code from somewhere. They are getting their data from somewhere if they are stealing it. You have who they are buying it from and who they are selling it to. You have this whole ecosystem of who was compromising a victim, who is actually selling the tools to do it, to who is actually selling the stolen goods that come out of it, to who is monetizing the credit cards, who is taking the actual monetization and going to Western Union and sending it back. If you track all those different pieces, who they buy from and sell to, you begin to build a pretty good ecosystem understanding of the campaign.

Mr. Slen: How are these bad actors, as you call them, John Watters, how are they financially compensated? Is there actual cash ever exchanging, or is it all via wire?

Mr. Watters: Almost always virtual currency, so bitcoin and currency exchanges. Some barter systems: I will trade you this for that. So a barter system to virtual currency to bitcoin. There is a whole variety of mechanisms. Western Union or cash in a box like the traditional criminal assets you think of. Not the same dollar volume you're thinking of either. That credit card may be worth a dollar, $50, anywhere in between. These are volume operators. The actual bit players do not make that much money. The masterminds make a fortune. The guys behind these things could make tens of millions of dollars per quarter. The actual mule might make tens of thousands of dollars per month. A coder may create code over a month and sell his exploit kit and make $20,000, $30,000. The kit used against retailers, that was $6,000 he was selling it for. So a few people bought it, there is no honor among thieves, and then these give it to their buddies for free. Next thing you know you're not getting $6,000 anymore because it's free. They sell it to the first couple folks, it's leaked, then there is no market. So different players have different amounts of money they make from it.

Mr. Slen: Given the fact it's a lot of virtual currency or electronic currency, does that make it easier to track?

Mr. Watters: It makes it harder to track, actually. People can load the virtual currency on their credit card or bank account. There is a whole myriad of ways to misattribute who owns the various currency. Bitcoin by its nature has nothing attributable to the currency and transactions. Most of the virtual currency is the same. So the way it is loaded, you may have 10 people who each load up $100 into a virtual currency and you just pay cash to those 10 people to get it in there, so there is separation behind it. All the people who operate in those currencies have tradecraft that is not attributable back to them.

Mr. Slen: We have been talking to John Watters, who is the director, CEO of iSIGHT Partners. Thank you for your time.

Mr. Watters: You are welcome.

>> C-SPAN, created by America's cable companies 35 years ago and brought to you as a public service by your local cable or satellite provider.

>> It is called the crossroads of New York State, and this weekend C-SPAN's Cities Tour, joined by Time Warner Cable partners, will explore the history and literary life of Syracuse, New York. We visit the Special Collections library at Syracuse University and learn about the antislavery movement through the papers of abolitionist Gerrit Smith. A local author discusses her book "Prelude to Prison," exploring the link between school suspension and incarceration in the U.S. Then we will talk to Jeff Hemsley about his book "Going Viral."

>> When something goes viral, it's a process of social sharing. We tend to think of a viral video as something that has a million views, but it's more the process by which that happens. The reality is what happens when people share content into their own networks. Oftentimes, somebody has a lot of followers or people paying attention to them, like an important blog, and that spreads the content. Then it reaches a wide audience.

>> We will visit the Erie Canal Museum to learn how the canal influenced the growth of Syracuse, central New York State, and the nation. Then Harriet Tubman's home, where the antislavery abolitionist acted as a conductor on the Underground Railroad. Our trip to Syracuse also takes us to the Matilda Joslyn Gage home, one of the first women's rights champions. Her speech at a women's rights convention in 1852 launched her into national prominence on the subject of women's suffrage.

>> She was 26 at the time with four children. She learned that the convention is going to occur, she writes the speech, and she travels to Syracuse, bringing her oldest daughter with her. She had not contacted any of the organizers. She was not on the program. They said you have to be involved in this; they do not do that, she just showed up. She sat in the crowd. When there was a quiet moment, she marched up on stage and, trembling, takes the podium and begins to speak. And she gives this incredibly moving speech. She goes on to become a leader in the women's movement.

>> This weekend, C-SPAN's Cities Tour, tonight at 8 p.m. Eastern on Book TV, and Sunday afternoon on American History TV on C-SPAN3. Working with our cable affiliates and visiting cities across the country.

>> The National Archives recently heard from a group of political cartoonists about their work and how technology has impacted their profession. Among the speakers was David, for "The New Yorker."

>> Just a few words about what I'm doing. I am a "New Yorker" cartoonist. Being a political cartoonist is a tricky business because of the limitations that come down from up above. We cannot advocate directly for anything. We cannot point fingers at any particular politician or policy. Basically we just go, isn't that all ridiculous? There are no caricatures in "New Yorker" cartoons and no text to explain anything. I have developed some strategies to deal with that. One is I use the archetypes of "New Yorker" cartoons to funnel my point of view. One of them is the figure of the king that I use to represent government itself or a particular politician. I have chosen one to show you tonight, one I did in the 2012 election when there was a lot of chatter about what the president had to accomplish in order to affect the way future generations would view his presidency. I also chose it because I think it's appropriate for this venue, the National Archives. "I'm concerned about my legacy."

>> There is more from that discussion on political cartoons later tonight at 8:35 Eastern. C-SPAN's original series "Landmark Cases" is next. Today's program focuses on the 1952 decision in Youngstown Sheet and Tube Company versus Sawyer.
>> "Landmark Cases," exploring 12 Supreme Court decisions.

>> The petitioner versus Arizona.

>> Good evening and welcome to "Landmark Cases," our series that explores the people and stories behind some of the Supreme Court's most important decisions throughout our history. This week, the 1952 seizure case. It's officially known as