Interview with Darin Andersen on KPBS

“Midday Edition”
Interview with Darin Andersen, Chairman/Founder
March 8, 2017 

Topic: WikiLeaks releases what it calls CIA trove of cyber-espionage documents
Maureen Cavanagh (host): Joining me is Darin Andersen. He’s a member of California’s Task Force on Cybersecurity, chairman of CyberCalifornia and chairman/founder of a cybersecurity company. Darin, welcome.

Q: The cybersecurity world wasn’t really surprised by the information in this leak, was it?

A: Not really. We’ve seen some WikiLeaks for quite a while now, starting with the Chelsea Manning documents, for example. So it wasn’t too big of a surprise.

Q: You talk about “depth of scrubbing” – that area being somewhat of a revelation in this WikiLeaks stuff. What does “depth of scrubbing” mean?

A: Well, what I mean is, the level at which you scrub depends on the level at which you see a threat occurring. As the threat level goes up, you may dig a little deeper into the data. And I think that’s what may have happened here. It may have triggered these latest dominoes. The CIA is looking more actively and harder than ever – because the threat level for the nation is increased.

Q: Is there anything in this information that indicates that the CIA is using this technology on Americans, here in the U.S.?

A: What you have in this latest set of WikiLeaks is the exposé of the CIA’s “cookbook” for how they actually hack into accounts. What they do is they have a series of tactics and techniques that they use to break into different kinds of accounts, be it smart phones – they’ve been able to exploit both Apple and Android phones – traditional laptops and servers, as well as some new devices, the “Internet of Things,” what I like to call the “live-ables,” “wear-ables” and “drive-ables.” What’s new about the information is there’s definitely information being gathered on American citizens. How that information is used, foreign and domestic, is what’s in question.

Q: Are there laws that prevent the government from snooping on average U.S. citizens?

A: There are privacy laws that do exist, and historically, Americans have had an expectation of privacy that’s somewhat unique to the Western world. Europe values privacy more strongly. Americans, I would argue, give away our privacy by clicking that checkbox to get the latest application. But in the Far Eastern countries, there’s really not an expectation of privacy. So yes, there are laws that do protect U.S. citizens and our privacy rights. A lot of that comes through the SEC and credit reporting agencies that have to lay out their ability to look into our personal information. And the government has guidelines, as well.

Q: I’ve read that the espionage hacks described in the WikiLeaks dump are things a lot of hackers might be able to do. You wouldn’t need the CIA to come up with it.

A: You know, we’ve seen tactics and techniques that are familiar to us. Don’t forget that we are battling with foreign adversaries, nation-states that are well-funded, extremely motivated to take our intellectual property, steal our national security secrets and compromise our defense. So the CIA would – and does – rationalize this kind of activity as defensive, or in some cases, an offensive response. Typically, only the U.S. government employs and deploys what I would call “offensive” cybersecurity tactics, which is what’s described in this WikiLeaks “cookbook.”

Q: What’s the difference?

A: Well, typically, we play a lot of defense in this country. I call it the “100 Door Problem.” We’re trying to defend 100 doors, while nation-state adversaries and hacktivists are trying to find that one open door, that one way to exploit and find a way in. The offensive is the opposite of that – where you’re actually looking at your adversaries’ systems that are trying to break into your systems. So you’re playing defense to protect, and playing offense to go on a more aggressive tack.

Q: So far, the CIA has not responded at all to this latest WikiLeaks information. How much credibility does WikiLeaks have in the cybersecurity world?

A: I think it’s a love/hate relationship. Again, they expose tactics and techniques that are pretty familiar to us in the business. We are aware of their capabilities. As you may recall, it was a private company, an Israeli company, that was brought aboard to break into the iPhone in the San Bernardino massacre. Again, the private world is familiar with many of these tactics and techniques. But I think what’s novel here is that it’s another big display of information to the general public, that the government is watching.

Q: Since ordinary hackers can already breach security on some phones, TVs and computer systems and so forth, what can people do to protect themselves?

A: I like to propose and suggest what I call practicing good cyber hygiene. It’s the simple things of changing your password regularly, don’t share your password to the Internet with your friends. Out-run the person who’s hopefully behind you with the bear behind him. You’re what I call the “hard target” and others are the “soft target.” So if you outfit yourself by keeping your passwords updated, by updating your software to make sure that any security holes are being patched, you’ll have a much better chance that hackers will move on to somebody else who’s more vulnerable.

Interview with Darin Andersen on KOGO News Radio

March 7, 2017


Host: Ernie Brown

Topic: WikiLeaks’ massive release of highly sensitive documents that allegedly reveal the CIA’s covert, global use of software designed to hack smartphones, computers and internet TVs around the world. The release is regarded as a serious setback for U.S. intelligence agencies, which use cyber-hacking to carry out espionage against foreign targets.

Q: We’re joined by Darin Andersen, chairman/founder of CyberTECH, a San Diego-based coalition of tech-inspired companies. Darin, do you think we should be surprised about all this?

A: Well, it’s true that the involvement of the CIA, the NSC and other government agencies in such covert actions has been well-known for a long time. But I’d say the extent, the depth, may be surprising to some.

Q: Do you think this will cause damage to the intelligence community?

A: I would say that probably among the public, this has some impact on their comfort level with the government in general, especially with the Intelligence community. I think we all have to look across government now and suggest that there are certainly questions about our government’s ability to prevent leaks. But in particular with the Intelligence community, there’s definitely some loss of confidence. This isn’t the first time this kind of information has come out. For many people, this reinforces the fears they may have about our government.

Q: Where did they get this information?

A: That’s hard to say. It may have been through a physical breach, but I suspect that you had a leak here by somebody who’s an insider that’s passing along sensitive information. Alternatively, they might have broken into government systems, which is not unprecedented, but in this version seems unlikely. If you look at any of the information provided by WikiLeaks, a good deal of it comes from insiders. Bradley Manning would be a good example of that – the leak of tens of thousands of classified documents to WikiLeaks.

Q: Is it possible anymore to keep secrets at the governmental level?

A: Within the government, ironically, is where a lot of secrets are kept, because they have a very strict system about how they information- and knowledge-share within their organizations. What we’re seeing more and more of, is people because they consider themselves to be conscientious objectors, they’re starting to leak this information out to watchdog organizations like WikiLeaks. You’re always going to have those activists that put this information into the public domain, and actually think they’re doing the right thing by doing that.

Q: Is there a way to stop that from happening?

A: Yes, there’s a way to stop it, of course. You could, for example, make penalties for sharing that kind of information very stringent. You could put them in the brig. You could put very harsh consequences into law. But the reality is, there are forces in government who regard this as part of our democracy to leak out this kind of information. Then there’s another school of thought inside our own government that thinks this type of information needs to be protected and that it can damage our own personnel and our own national economic well-being.

Q: I know we’ve seen so many businesses get hacked, Sony, famously, was hacked a couple of years ago. Are people now taking this more seriously, that no matter what your security systems are, there may be a way to get that information out?

A: I think people are taking things more seriously, but I put a caveat on that. I think people feel somewhat helpless to do much about it. So while it’s closer to the middle of their radar, it’s not necessarily something they think they can do much about. And I think, historically, we believe in government as being the “fix” for this, if not their employer. I think people are understanding more and more that, if they want to protect their own identity, that they have to take matters into their own hands. By that, I don’t mean any vigilantism. I just mean that people need to start to protect their own security, by practicing good cyber hygiene, by doing things to protect themselves, things that make them more strongly protected than the person next to them.

Q: It’s interesting that the government would be looked at as the answer to all of this, when you consider that the Pentagon was hacked, the State Department was hacked, the White House, the IRS – all the government agencies, to some extent.

A: Yes, I would say that historically, there’s the belief that government could do anything, right? The government could take us to the Moon. The government could defend our borders. The government could protect our power overseas. But I would say, more and more, that confidence in our government maybe has eroded and our personal security has followed suit.

Q: Does the CIA need to start over again and come up with new ideas, now that this information is out there?

A: Well, that’s not going to happen. So really, we have the deck of cards and the hand that we’ve been dealt here. What we need is a reform movement within the CIA. But the biggest change needs to occur at the macro level: What is our expectation for security and privacy as citizens? Do we have the right to expect that our government, our employer, other institutions, will actually look after our security? Or is it something that we have to take care of ourselves? Like preventing forest fires. Fastening our safety belts. These are public-social issues that individuals have to contribute to — for the well-being of our society.

Q: What can we do as individuals? What should we do?

A: Well, we can practice our own good cyber hygiene. What I mean is, it’s like out-running the bear that’s chasing you. And there’s somebody that’s slower than you between you and that bear. What I mean is, by changing your passwords, by not giving your passwords away, by making sure your data is not at-risk, that you’re careful about what on-line services you use. That you’re attentive to what emails that you answer, so you’re not getting phished or scammed in some way. These are all things we can do as individuals to protect ourselves. The new area of threat is the Internet of Things – what I like to call the “wear-ables, live-ables, drive-ables” – all those things are connected to the Internet and to our lives. The things we’re driving, the things we’re living inside of. Those things have serious security vectors. We’ve heard recently about cameras that are home-based that have been hacked, about baby monitors, the smart vehicles that we drive all have vulnerabilities, even our medical devices. So we have to demand from our leadership that there’s a public-safety expectation that should come along with that – that my car shouldn’t be able to be driven off the road and into a ditch. And that the manufacturers of these products have some obligation in that.

Q: Would you take a lot of these products off-line?

A: I don’t think that’s possible. We’re part of a global economy now. We don’t produce all the innovative products in the world. We have competition in Europe, especially in Asia. And those products are innovative because they’re connected up to the Internet. And we’re creating, let’s say a smarter infrastructure of devices – things again that we live, wear and drive – are becoming more knowledgeable, smarter, and more customized to what we use. It’s really hard to put the genie back into the bottle. Now, we have to be more attentive to how we build our own security posture and also how we protect those devices and make good personal choices.

Q: Who’s winning this battle these days? The hackers? Or the people trying to protect themselves from the hackers?

A: Clearly, the hackers are in the lead right now. They’re highly motivated. In some cases, they’re highly funded. There are many hacker “types” – whether they be state-organized and government-funded adversaries. Or it could be “hacktivists” who have some political agenda that they want to settle with the West, that they want to change our way of life. And you have just plain criminals – they’re either funding the first two activities or they’re trying to create financial gain for themselves. So they are highly motivated and highly skilled – they have busted out of the shadows and it’s now a global industry. And we should expect a great deal of hacking activity from our adversaries, foreign and domestic.

Q: Speaking of adversaries, is WikiLeaks in bed with the Russians?

A: I think you would have two or three different arguments about that. Nobody really seems to know. If you look at (Julian) Assange’s past, to his situation of not being locked up in an American jail, that you could argue that the Russians have some hand in that. Whether it’s the Russians or the Chinese, that gave him some shelter in a time of need. Maybe there is a kind of allegiance, some sort of alignment, with the policies of those governments.

Q: I suppose that the person who leaked this information from the CIA knew that once it got out there, that the Russians would pick it up at that point. What do you think their motivation would be?

A: Well, the Russians are extremely sophisticated hackers. In some ways, I consider them more technically adept than our Chinese adversaries. And their motivations, which go back now many generations and decades, are about de-stabilizing our way of life in order that their way of life could actually predominate and have a larger impact on the planet. It’s about changing the balance of power, realigning the global vision – from one that looks decidedly West to one that looks decidedly East.