A Conversation with Joel Brenner

August 29, 2011

Scott Moyers, publisher of the Penguin Press: A declassified July 19 [2011] Department of Homeland Security brief states that so-called hacktivist groups like Anonymous and LulzSec “continue to harass public and private sector entities with rudimentary exploits and tactics, techniques, and procedures commonly associated with less skilled hackers.” The brief seems to argue there’s much more serious activity that goes unreported.

Brenner: Yes, many companies that have been attacked are keeping their problems to themselves – and some don’t even know they’ve been penetrated. You’d be surprised by how many companies have no idea what traffic goes back and forth in their own networks. But lots of successful attacks have been reported. Most companies just aren’t paying attention, or they assume – incorrectly – that they aren’t important enough to be the target of attempts to steal their technology.

Moyers: Why is that?

Brenner: So much of the public’s attention has been on the leakage of personal information: social security numbers, addresses, that sort of thing. The level of that kind of leakage has been astounding, and it enables consumer and bank fraud. That can drive you crazy if you’re a victim, it’s expensive if you’re the company that loses the information, and the press has covered this like a wet blanket. But really, compared to the systematic theft of western intellectual property, that’s a sideshow. Theft of corporate IP is a strategic issue for the United States and its allies, but the public is hardly aware of the more sinister development.

Moyers: What is that development exactly?

Brenner: It is the relentless, systematic pilfering of western technology over porous networks. These networks are massively important. They connect almost everything to almost everything else. This theft is going on all day, every day, and the victims are small companies as well as big ones.

Moyers: The Unites States, you point out, is under constant attack. Who is attacking us?

Brenner: The word “attack” is really fraught. I’m talking now about attacks in the espionage sense, not military attacks that would be a cause for war under the law of armed conflict. It’s easy to get the two confused.

Moyers: Okay, but who’s doing it?

Brenner: In terms of sheer volume, the Chinese lead the pack – no doubt about it. But the Russians and Iranians are also in this game in a serious way. Dozens of other countries also see the United States as their number one espionage target – including economic espionage – but China, Russia, and Iran are at the top when it comes to technology theft.

Moyers: I assume you’re talking about the Chinese, Russian, and Iranian governments.

Brenner: Not necessarily. Of course we see state-sponsored espionage…

Moyers: “Sponsored”?

Brenner: It’s either being done by government agents directly or through “cut-outs” — people and organizations they control but keep at arm’s length. But the Chinese are coming at us from every direction: government espionage involving both human spies and networks, like the Russians, but also a tidal wave of unofficial and semi-official digital information theft. In some cases, their government just turns a blind eye to patriotic hacking – so long as the victims aren’t Chinese. In other cases we see them operating through a cultivated network of cyber militias with ties to their military or a civilian agency, but operating pretty much on their own.

Moyers: You mentioned “patriotic hacking.” What’s that?

Brenner: The Chinese are highly nationalistic – more so than we are, and much more so than Western Europeans. There’s a huge, rabidly nationalistic Chinese hacking community, whereas in the West our hacking community tends to be anarchic and anti-government.

Not all espionage is state-sponsored, especially the economic variety. One of the characteristics of our age, in contrast to the Cold War period, is that the digital revolution has placed the means of digital espionage in private hands. The ability to penetrate other people’s networks and servers is not a state monopoly. Private companies and individuals can and do engage in it, too, for fun and profit. Or in China’s case, for nationalistic pride.

Moyers: The theft of state and military secrets has clear consequences for national security, but why should we be concerned over corporate espionage?

Brenner: Because our economy is what makes us powerful, and technology is what drives our economy and gives us our edge. The Chinese and other nations watched the Soviet Union collapse – not because they couldn’t compete with us militarily, but because they could not compete with us economically. They also watched us destroy Saddam’s World War II-style mechanized army in 100 hours, during the first Gulf War. We deployed a technologically equipped military that made their heads spin. But it cost us $60 billion. Who else but the Americans could spend $60 billion on a war half-way around the world? The boundary between national security and economic security has evaporated.

Moyers: How much of our daily lives and routines are affected by cyber espionage?

Brenner: The question is whether the American people, corporations, and government are smart enough, and disciplined enough, to start caring about the slow, long-term undermining of their prosperity and security. That’s what’s at stake. Frankly, when I see a company losing competitive information over its networks – and I do see this now in my law practice – it doesn’t affect me at all. And it doesn’t affect you. But it affects that company, and when you see it across the whole length of the beach, it’s going to affect our standard of living and our children’s standard of living. The Chinese, the Russians, and the Iranians are leveraging American R&D budgets – our tax money and our private investment in research and development – to acquire technology they haven’t been able to invent themselves.

Moyers: Can you shed some light into the government’s approach to this growing threat?

Brenner: Sure I can: The government’s approach is half-hearted, uncoordinated, and ineffective.

Moyers: Why?

Brenner: At the risk of not doing justice to a long story, I’ll give you three reasons. First, people are slow to take seriously new kinds of threats, especially when those threats don’t have immediate consequences. This is true of both government officials and corporate executives.

Second, the U.S. government, like most governments, is poor at coordinating strategic activities across departments or ministries. And like all serious problems, network insecurity is a cross-departmental challenge. The press talks about our “cyber czar,” but the so-called czar has no directive authority over the department secretaries who control budgets and whose authorities are written into law. The Defense Department is taking this seriously, but moving a behemoth is a slow business. And the Department of Homeland Security, which is supposed to lead the rest of government, lacks depth in this area. So the government has its hands full getting its own house in order, let alone leading the private sector to more secure ground.

Moyers: You mentioned three reasons. That’s two.

Brenner: The government is broke. That’s three. Can I add something?

Moyers: Sure.

Brenner: I don’t mean to suggest that no one in government is paying attention to this issue. On the contrary, there are people in Homeland Security, Defense, the intelligence agencies – and to some extent, in every agency – who understand this vulnerability all to well and have been trying to deal with it. But most of them are feeling like Sisyphus. They keep pushing the bolder up the hill, and it keeps rolling back down.

Moyers: How can we seriously and effectively address network insecurity?

Brenner: I’m going to give you two answers that sound contradictory, but aren’t. First, we have entered an era when secrets are harder to keep. We are so inter-connected now that not much is really secret anymore. And anything that is secret, will not stay secret for long. This is true for companies and governments as well as individuals, because we all communicate and store information on the same kinds of connected networks. And because secrecy is to organizations what privacy is to persons. We’re just going to have to get used to less privacy and less secrecy. For business, this means that speed, not secrecy, will increasingly be the key to success – speed of product development, speed to market, and speed at reacting to market information.

My second answer is that, in order to keep some information more or less private, or more or less secret, people are going to have to be really selective about what they want to protect, because you simply can’t protect everything. That means controlling access to the sensitive stuff and putting it on segregated networks and servers. A generation ago, hardly anybody except intelligence agencies behaved like this. The intelligence agencies tagged information in varying degrees of sensitivity, and tagged people with escalating access rights. That is, we classify information, and we dole out security clearances, and then we match up information with access rights. In the private sector, this is called “role-based access” to information. There’s going to be much more of this in the future.

Moyers: So which is it: nothing’s secret anymore, or we have to get better at protecting information?

Brenner: These ideas are in tension, but we have to live with them both. Good decisions, let alone wisdom, are impossible if you can’t keep more than one important idea in your head at the same time.