The State of Cybersecurity

A Live Chat with Professor Paul Rosenzweig, Ph.D.

On March 23, 2015, Professor Paul Rosenzweig sat down for a live Q&A session with his fans from across the globe. The chat is over, but the transcript is posted below for you to enjoy.

ROSENZWEIG: Hello and thanks for joining me to talk about surveillance and cybersecurity. I am very excited to be returning to The Teaching Company to do another one of The Great Courses. One of the reasons I like it so much is that the viewers/listeners are such engaged participants through things like this Chat opportunity. I enjoy the opportunity to talk with people who are interested in the topics I’m passionate about. So let’s get started – any questions you have about “The Surveillance State” or “Thinking About Cybersecurity” are fair game. And if the conversation lags, feel free to ask me about my beloved Washington Nationals – though I have no great expertise on that score.

PEREZ: Dr. Rosenzweig, what are the three most important Windows or browser settings a person can use to protect their file information from being compromised by a hacker? How can we be sure an intrusion to our file information has not occurred?

ROSENZWEIG: In your browser disable autorun. If you are doing something confidential disable the history function and use an anonymous browser like Tor. As for detecting an intrusion, keep and run good anti virus programs like Norton or Malwarebytes. Scan regularly.

PETE: What tools should an individual use for their communications online to protect them from cyber threats?

ROSENZWEIG: If you want to communicate confidentially with someone online, you both need to be using the same sort of encryption program — something like PGP (which stands for Pretty Good Privacy). In addition, if you are browsing online you can and should use the private mode for anything that is confidential.

R. LANG: When did Stuxnet damage the Iranian centrifuges? How does the treaty with Iran deal with their current centrifuges? What is your view of the treaty in terms of reducing the ability of Iran to become a nuclear weapons power?

ROSENZWEIG: Stuxnet was first publicly discovered and disclosed earlier this decade, around 2010 or 2011. Nobody is sure though how long it had been in the Iranian system before then. It damaged an estimated 1000 centrifuges setting back the program by roughly 2 years. As for the treaty and Iran’s current capabilities — I’m not really qualified to answer except to say that their cyber systems are now more secure and Iran is much more cyber capable than it was 10 years ago.

COVERT: Your take on the Apple/FBI issue?

ROSENZWEIG: Wow. Tough question. I did a podcast on this for TGC that you can listen to at length. Short answer: I can’t see how the Apple backdoor, if they build it, would be a US government ONLY backdoor. It creates lots of new vulnerabilities — what we call a broader attack surface — and I’m worried that malicious hackers could exploit deliberately created gaps. That would be a bad unintended consequence. PS — Great screen name.

LEANDERPEARSON: Have the recent attacks in Europe heated up the government vs privacy encryption issue?

COVERT: Thanks. I’ll definitely listen to the podcast. BTW — I’m watching your course and love it

PATSY STONE: What do you consider to be the most significant current issue within the realm of cyber-security and how do you see this impacting the future of cyber-security? Side note: LOVED your previous and new courses!!! Thanks for all the amazing information you provided!

ROSENZWEIG: Glad you liked the courses. You just made my day. In my view the biggest cyber issue facing us today is the systematic vulnerability of important critical infrastructure — things like the electric grid and/or the transportation system. Second would be our rush to put cyber connectivity into consumer goods — what we call the Internet of Things. What happens when your car gets hacked??

JEFF JOHNSON: How can one know if a pop-up is safe? It would seem to me relatively easy for a hacker to copy the logo and look of a trustworthy name like Microsoft and incorporate that into his pop-up design. Might he even design the No Thank You button or even the Close button (X) to be the activation button for a virus?

ROSENZWEIG: Good question. First off, be sure and run an active program that checks for malware inside your browser. Second make sure that the web site you are browsing to is secure — it has the little https in the top corner and a lock. If it only says http (without the s) it isn’t a secure site and you are vulnerable to this type of trickery (what we call spoofing). If it does have the “s” that’s possible but much less likely.

RODERICK TATOM: Dr. Rosenzweig, I’m a senior in college finishing my last year in Management Information Systems. Since listening to your course on the Cyber State and over the last several months I have developed an interest in pursuing a career in cybersecurity. My question to you has two parts, first would you please name a few specialization/skills most needed at this time in the field of cybersecurity and do you think a doctorate degree is necessary in the field?

LEN: Take advanced education in mathematics, get a PhD, then apply to the NSA.

ROSENZWEIG: Most of the entry level jobs are not ones that require a doctorate. They require some good coding experience. I think you will be well positioned with an MIS degree to get a position in one of the start ups — they need program managers as well as coders. I would go get a doctorate only if you had longer term plans to be more “academically oriented” or if you were going to transition to a cryptography job — in which case math would help (as Len says). Finally, consider getting some understanding of hardware. People who know both code and silicon are in high demand.

BRADLEY STEEG: You talked about the Stasi in “The Surveillance State” and the implications on culture. Obviously, we are headed toward increased surveillance simply because sensors and computing are becoming less expensive. Not necessarily criminal surveillance, but surveillance of crops for agriculture or to improve transportation services. Which contemporary cultures (Nordic, Anglo, Asian, etc) do you think will most successfully adapt to a world with increased surveillance? I’m wondering where around the world we could look for good legal structures to help us make decisions in the USA.

ROSENZWEIG: Wow … what a fantastic question. If you are thinking about constraining surveillance and limiting it, a good place to look would be Europe. On the other hand, some people think we should embrace surveillance and get used to a transparent society — if that is what you are looking for I tend to think the cultures of more “community-oriented” societies (Africa for example) are a good guide. Finally, if you are looking for a place where the answer is not “privacy” or “surve the rules” then the US-Anglo common law system has a guide. For myself, the real answer is — wherever it is so long as the society gives the answer rather than the government/leadership. WE are the ones who need to answer.

BSA: How much metadata would constitute an intrusive mosaic about a person? Are there any new insights into measuring such quantities for the purpose of modernizing laws?

ROSENZWEIG: I have seen demonstrations that can de-anonymize anonymous data with as few as two data points (date of birth and zip code — which works everywhere in the US except college towns). Current data holders probably have on the order of 2000 pieces of data on each of us — which is more than enough to create a good mosaic. Latanya Sweeney at Harvard (I think — it may be MIT) is doing great research on this. It doesn’t work, BTW, in college towns because 20,000 kids all share the same zip code and birthdates within 4 years of each other.

MICHAEL F. STROBEL PROF: Dr. Rosenzweig, my research interest is around decision theories related to “AI” in the computer science/information science areas to include cybersecurity. With the success of AlphaGO are there any relevant references concerning learning systems you are aware of for referral and do you have an opinion about learning systems’ impact on defeating static and dynamic cyber defenses?

ROSENZWEIG: I do have some research references from IBM on AlphaGo and from the Stanford computing group on machine learning. I think the future of cyber conflict is going to pit sophisticated AI attack programs against equally sophisticated defense programs in a sort of arms race to speed and adaptivity. We may not even be able to control or understand them.

MICHAEL F. STROBEL PROF: Great, IBM and Stanford. These systems may in fact create and employ new techniques not the product of the programmers.

GEOFF: Drones. They come in all sizes and from what I understand, little ones built like bugs, can fly into a room of your house. Is there any legal recourse if one could find out the operator?

ROSENZWEIG: If a private party sends a drone onto your property and you can identify the operator then you have a suit for trespass probably — it will depend on the laws in your state of course. If it is the government, then they will need a warrant to come into your house.

LIBERTY UNIVERSITY STUDENT: I’ve heard stories about people shooting drones down because they are on their property. Is this legal?

THE GREAT COURSES: Dr. Rosenzweig touches on this in his most recent course, The Surveillance State: Big Data, Freedom, and You.

LIBERTY UNIVERSITY STUDENT: I will! Thanks!

ALEXIS DIX: Since I am currently in a rehab center, I use my Droid Maxx for literally everything. How can I protect the data on my smartphone?

ROSENZWEIG: I assume it is pretty new, yes? If it is, your Droid will have a disk encryption setting under security functions in the setting tab. Use that and encrypt the entire phone — and then use as long a passcode as the system will allow you to have …

GJS747: Prof. Rosenzweig – do you consider the hack of OPM (allegedly by the Chinese military) an “Info Hack” on the order of bragging rights or do you think there was something more to this?

ROSENZWEIG: More than bragging rights. General Michael Hayden, former director of the CIA, says it was the most catastrophic intelligence failure of our government ever — the Chinese (assuming it was them) now have the entire background investigation for all of our security personnel. Ripe fodder for extortion. In addition, they stole the digitized fingerprints on file — including mine — so I can no longer use a fingerprint scanner as a biometric protection device and be 100% certain it is secure.

GJS747: I’m in the same situation. None too happy.

MICHAEL F. STROBEL PROF.: I have my letter from OPM framed. My TS/SCI data is in the cloud and they offered me 18 months free LifeLock. Also, as it was TS, my wife’s data went with it and she does not even have a clearance. Unintended consequences.

ROSENZWEIG: My wife lost her data too — as did the friends I have who live overseas. It was not a good day for the US govt.

LIBERTY UNIVERSITY (LU): Were you able to recover the lost data?

GJS747: OPM apparently failed to follow even the most basic security procedures around their systems. Unbelievable. We now have people on our teams refusing to work on government projects and I don’t blame them.

NAILO1: Do the subjects you cover in your lectures represent a particular favorite area of interest (of yours) at the time, or how did you decide those topics over others (that you could cover)?

ROSENZWEIG: This one is an easy question. In the post-Snowden era, I think the questions of surveillance are the most important ones that the American public needs to think about. We are on a knife’s edge between surveillance, security, privacy, and liberty — the problem is more real today than it has been at any time since the 1970s. The American people need to talk about these issues and I wanted to be part of the conversation.

LEANDERPEARSON: HMI systems seem to be very vulnerable to outside attack as they control many critical systems throughout the world, yet industry is reluctant to invest necessary capital to harden systems. Will it take a disaster to change attitudes, or are there other incentives to nudge business to take action. Tax breaks for compliance, perhaps, or other carrots?

ROSENZWEIG: The problem with cybersecurity is that it is a classic case of market failure — there are externalities whose costs are not embedded in the price. What will change the calculus is a reform of the liability laws, so that operators bear the financial burden of correcting their mistakes. That may be prompted by a law change — or by a disaster. I hope for the former — it’s a much safer way to have change!

MEG: What do you think of the growth of cyber currency…bitcoin first and now onecoin? Do you have concerns for the use of cyber currency?

ROSENZWEIG: Well, in one sense it is inevitable. The math behind the currency is elegant, and once discovered, it can’t be undiscovered. I like crypto currency for the same reason I sometimes like cash — it leaves no record. But that is also the concern — it is a favorite of criminals on the dark web who use it as the medium of exchange for drugs, guns, murder etc. The tech is neutral — the uses are good and bad depending on the user.

T@BITH@: Dr. Rosenzweig, what has been your favorite part about lecturing for The Great Courses?

ROSENZWEIG: Working with the folks at The Teaching Company. My editors have been great — they’ve made me sound much smarter than I really am. And the fact checkers have helped me avoid inadvertent error. I am especially grateful to the producer (who I worked with twice), Alisha, who takes care to make the whole product look professional. It’s a great team and they really help me get my ideas across in a way that everyone can relate to.

SUE: Professor – In cases of stolen identity, what would you recommend?

ROSENZWEIG: First, report it and cancel all your cards. Second, get a credit watch on your credit to see if anything bad is happening. Third, try and figure out why/how you lost the identity in the first place and do something different next time. Was it bad passwords? Did you type your credit card number into an email?

JOEDUFFUS: I read a lot of spy novels, and really hope our intelligence people lie often about what their capabilities really are. Do they?

ROSENZWEIG: Absolutely not — our spies never lie! [Joke!]. We tend, though, to try not to lie — but rather to not answer the question at all. One of the challenges though is that when they do answer, if the answer gets out (say from a leak) they may lose the capability. But without telling the truth about capabilities, we can’t have a discussion about what is right or wrong, can we?

MEG: What do you think of the RFID chips in to almost everything we buy?

ROSENZWEIG: They are useful for tracking goods in things like storehouses. I don’t have a problem if Walmart uses them to track pallets of diapers. I like them less in my personal goods, like my passport. But I keep them in a sleeve that blocks them except when I need them … so I get the convenience without too much of a privacy burden.

T@BITH@: It is annoying that they are in everything. I suppose I would want to be able to track my stuff if it got stolen or lost however…

LEN: In the past day, I have heard that an attack in space could bring down our electric grid. Would you speak to that please.

ROSENZWEIG: I think you are talking about an EMP — an Electro Magnetic Pulse — weapon. They are capable of disabling electric systems and they are often missile launched. The possibility is real — on the other hand we’ve not really had experience with such weapons, so the threat is theoretical.

BRADLEY STEEG: Hot potato: Snowden, should Obama give him a Presidential pardon? Also, should we increase whistleblower protections to offset the potential abuses of a Surveillance State?

ROSENZWEIG: In my view no. Snowden did it the wrong way and should not get a pardon. On the other hand, yes, we need better whistleblower laws so that it is easier for people like Snowden to do it the right way — especially to counter growing government power. I just feel uncomfortable with the unilateral nature of Snowden’s actions ….

WILL: With the buzz around big data analytics do you see an emergence of new threats as organizations fumble their data management practices in a hurry to discover the gold in their business data? Ex. Hacker creation of faux data, and manipulation of analytic logic in applications.

ROSENZWEIG: Great question. Absolutely yes. The more we become dependent on data and analytics as critical path technology that guides us and often controls applications, the more the integrity of that data will become a target of opportunity — for hackers and also for malicious actors from other countries. It will include faux data; it will also include data degradation, and disruption. Imagine the consequence if someone messed with every 50th trade on the New York Stock Exchange.

PATSY STONE: I watch my smart TV, but is my smart TV watching me?!

ROSENZWEIG: Not yet. But it is collecting data about what you watch for your service provider. And here’s a fun final question — if the US government can order Apple to build code for their phone, can they order TV makers to put surveillance in TVs???

MEG: I thought some smart TVs already had the capacity to watch us and Samsung got so much push back that they didn’t include that feature in some of the new TVs. Otherwise it has to be ‘disabled’ so the TV can’t ‘watch’ us. Scary.

SUE: Is there any way ‘someone’ can view a computer user through the little window used for Skype?

ROSENZWEIG: Your video camera can be turned on remotely by a malicious attacker who has put malware on your computer. That’s irrespective of Skype.

MICHAEL F. STROBEL PROF.: Has the emphasis on CYBER served to diminish the value of HUMINT (human intelligence) in the Security Battle? Many HUMINT personnel are concerned about legal liabilities in the performance of that line of work.

ROSENZWEIG: On the contrary, I think cyber enhances the need for HUMINT. Most of the challenges in cyber are problems of attribution — and one of the few ways to gain insight into that is through HUMINT. Anonymous, in the end, was hurt by an informer not by an outside investigation.

LIBERTY UNIVERSITY (LU): I think cash is good in the right hands. Why should a good person need to be tracked?
However, my dad got tricked by a criminal. The criminal used PayPal to see if he could steal my dad’s watch. He sent a fake deposit email and asked for the watch to be sent before it would be released. My dad almost fell for it. How can we best tell if the email or payment is a fraud?

ROSENZWEIG: I agree that all tools can be used for good or for bad. Technology is always value neutral. As for how you can identify fraud — the same way that you always have in the past: If it is too good to be true … it isn’t true. Seriously, there are no official clues — some emails have really bad typos in them, but some of the most sophisticated hacks are letter perfect and look exactly like an email from your mother or sister or something.

LIBERTY UNIVERSITY (LU): When it comes to hacking, my friends are worried. How can we protect our personal data, such as on a laptop? I have heard of covering the camera, but I don’t want to just because of some fear. Can you help my friends and me?

ROSENZWEIG: The best answers are simple — 1) use encryption for your sensitive data; 2) think before you click; 3) don’t do sensitive browsing on a public wifi; 4) use strong passwords. I give some more tips in one of the Cybersecurity lectures.

LIBERTY UNIVERSITY STUDENT: Professor, what is your favorite topic when it comes to cyber threats, espionage, and etc.?

ROSENZWEIG: Personally, I like the topics that are more “real world” — things like how the world is changing because we are using cyber-enabled cars and toasters. I love the problems that we need to think about because my toaster can spy on me!

1998HOTCHICK: Professor, if there were to be a cyber war – what would be our greatest threat?

ROSENZWEIG: The most significant threat is, in my view, the most catastrophic (albeit the least likely). That’s something like a cyber-enabled nuclear meltdown. A more realistic threat (though not quite as severe) would be a disruption of the power grid.

BRADLEY STEEG: Recently, a hospital in southern California was hacked. The criminal(s) demanded payment of $17K in Bitcoins as ransom. I expect the medical industry to get serious about hardening their cybersecurity as a result, build high walls so the cybercriminals look elsewhere. At present, which industries do you think are too lax about cybersecurity?

ROSENZWEIG: I’ll answer it the other way. To date, the financial sector and the energy sector are the only ones that are really stepping up to the plate with a strong effort — not perfect, but very creditable. Everyone else is lagging.

BRADLEY STEEG: Hello Dr Rosenzweig, I watched both your courses. Excellent. During the cyber security course you mentioned that some people were working on an alternate security based internet — dot.security — but that it wasn’t likely to get much traction. Do you think a secure internet for machine to machine communications, a secure internet for the Internet of Things, could develop more easily than the current human to human internet?

ROSENZWEIG: That’s an interesting idea. I am not sure how much traction it would get since most of the value in the IoT comes from the human/machine set of interactions. But at a technical level, we should probably consider isolating the machine to machine comms. I had not read of any such proposal — you should go try to market it!

P R BRUBAKER: In the latest Apple vs Gov. don’t the judicial safeguards protect Apple, especially from foreign gov. requests to provide help??

ROSENZWEIG: Not really. Apple’s people/company in China is directly subject to Chinese law and Chinese compulsion. The same is true in Germany/Britain/etc. The US courts can’t issue an order telling France to stop … so Apple has to contend with the rules in every country on the globe.

RODERICK TATOM: Dr. Rosenzweig, this question is to help people who are interested in a career in Cybersecurity. Could you please name some of the must-have IT skill sets, in addition to college educations, that you know employers are looking for when hiring a cybersecurity specialist?

ROSENZWEIG: There are really two types of careers in cyber — hands on and “big think.” For hands-on, invest in a practical set of skills — understand internet engineering; learn hacking; study the structure of code. For the big think jobs — get a PhD in information security or something like that.

HAMZONI: High-tech surveillance is not an alternative to human surveillance. What’s your opinion, and why does HTS fail in terrorism?

ROSENZWEIG: They are both effective in their own way. Today, the threat is high tech, so some of the response has to be high-tech. We can learn a lot, for example, from data analysis of financial transactions. But I agree with you that human surveillance will remain critical for a long time to come.

ALEXIS DIX: I would like your perspective on cybersecurity when it comes to the Internet of Things.

ROSENZWEIG: We are rushing forward to build the internet of things without enough thought to its security. Last year two hackers took control of a Jeep on the highway — just to show it can be done. If we don’t build security in from the start many of the consumer items on which we depend will be vulnerable.

ALEXIS DIX: I see many interesting questions tonight, professor, it seems that I am not the only one concerned with online security.

ROSENZWEIG: If you are concerned, try using anonymous search engines like DuckDuckGo and browsers like Tor. They help keep your personal data private. Also, do not ever let a merchant store any more personal information about you than they absolutely NEED to have.

PETE FL: How important is file or hard drive encryption to prevent cyber attacks?

ROSENZWEIG: I encrypt everything I have on my hard drive that is sensitive or confidential. As a lawyer that includes my client’s information. It’s my finances and my personal medical info. Stopping ALL intrusions is very hard — encryption makes it much less bad if the bad guys get inside because they get much less. It is easy to do — so do it.

PETE FL: How does the individual follow cyber attacks and how to prevent a personal attack?

ROSENZWEIG: Use a good anti virus program and keep it up to date. Think before you click on links that are “dodgy.” Don’t overshare personal information. Change your passwords regularly.

BILL: I think I read my 55″ Samsung smart TV has 1 mb of “memory.” Both when I watch Comcast TV, but also when I hook up my internet to make it a giant screen, what is likely to be information passed on to Comcast or other. Anything? A lot?

ROSENZWEIG: I don’t know what information Comcast gets — but I would guess that they have your entire TV watching history so they know whether or not you are a sports fan, or prefer soap operas.

TOMMYD5555: In your “Thinking about Cybersecurity” course you discussed hardware threats. Can you expound on what that may actually mean or provide examples? Thank you.

ROSENZWEIG: Most known hardware threats are classified — they are that scary. But in general it means that the malicious attack is built into the silicon chip, not an external program. One very famous one involved a Chinese company, ZTE, that used chips in phones to download the users’ contact lists.

GJS747: We work with federal civilian agencies with tools to monitor public social media sites such as Twitter or Facebook and others including blogs. We’ve actually found a reticence from the agencies to engage in this monitoring for fear of being perceived as “Big Brother”. Is there an acceptable level of Big Brother monitoring?

ROSENZWEIG: Sure — but I don’t know what it is. 🙂 Put another way, I think your answer to that question and mine are probably different. In the end, agencies don’t want to be publicly condemned so I understand their reluctance — that means we are making a choice that has costs and benefits.

JERRY: Has the “security” part of cyber security gotten any better since you recorded those lectures?

ROSENZWEIG: Overall, yes in the sense that there is more awareness both among the general public and in corporate board rooms. Security investments are up. Congress has finally passed a cybersecurity act (which may or may not be any use). The actual effect is hard to measure, but I would say the trend is positive.

RALPH: Are android phones as secure as iphones as far as encryption is concerned?

ROSENZWEIG: The underlying math of the encryption is the same on both phones. I don’t know enough about the comparative operating systems to say whether Android is better or worse than Apple.

LEANDER: Have the recent attacks in Europe heated up the alternate views on encryption and government backdoor access?

ROSENZWEIG: Definitely yes. We see moves in France, for example, to extend surveillance laws. Same in the UK. On the other hand in some countries there continues to be resistance to the growth of intelligence agencies. This is particularly true in the European Parliament. It’s an ongoing discussion.

DAN LAVELY: How did the “ENEMY” get so far ahead of us in encryption capabilities, and how long do you think it will take us to catch up with them?

ROSENZWEIG: They aren’t really ahead. The math of the current encryption was invented here in the US in the 1980s. The bottom line is that this is a math absolute — large public key encryption can’t be cracked. So it isn’t a question of catching up either.

ROGER: Technology exists to be able to wirelessly receive the signal from another computer very similar to listening in on a portable phone. This is very easy to do and has been written about in hacker magazines and been around for many decades.
A case went to the Supreme Court that held that the police do not need a warrant to listen in on portable phones. Portable phones operate on the public airwaves. I am not referring to cell phones which operate on protected frequencies. Your computer also operates on the public airwaves for its keyboard and display. The military operates its computers in protected buildings so that people cannot eavesdrop on their computers. There is no way to track a hacker listening in this way. They are not using a connection such as the Internet. They are just receiving your signal, such as tuning a radio to a radio station. What is being done to protect businesses from this threat such as building protected buildings with shielding and proper grounding? Military contractors can download the specification from the Corps of Engineers website. We cannot. The law would be useless in this type of spying. What is being done? This is a very good way for hackers to pick up passwords.

ROSENZWEIG: Many new secure facilities are being built with systems that are intended to interfere with these radio emanations so that they cannot be intercepted. The vulnerability you mention is, indeed, well known. It costs a lot, though, to mitigate it, so it is only done when there is a real need.

SUE: Are you familiar with Start Page or Ixquick used for searches as well as for em, etc? It was founded to be a ‘safe’ place.

ROSENZWEIG: I don’t know this very well at all, so I’d prefer not to offer a guess and pretend it is an opinion.

ROSENZWEIG: Thanks everyone for joining me in this chat. I enjoyed engaging with you on these important topics.

Paul Rosenzweig is a Professorial Lecturer in Law at The George Washington University Law School in Washington, D.C., where he lectures on cybersecurity law and policy.
You can watch his lecture series Thinking About Cybersecurity: From Cyber Crime to Cyber Warfare on The Great Courses Plus.