Paul Rosenzweig, former deputy assistant secretary for policy in the Department of Homeland Security and founder of Red Branch Consulting, PLLC, talks about the October 21 attack on internet service in the U.S. that left millions without connectivity for hours.
Steve Mirsky: Welcome to Scientific American podcast Science Talk posted on October 26, 2016. I'm Steve Mirsky. And I'm sitting on a cruise ship currently in port in Puerto Vallarta, Mexico. We started in Vancouver on the 19th of October, stopped in Santa Barbara, San Diego, Cabo, Mazatlán yesterday, and Puerto Vallarta today heading back to San Diego and then back to New York City – not on the ship – by an airplane.
So one of the speakers on this cruise – I'm one of the speakers and that's why I'm on the cruise. But one of the other speakers is a fellow named Paul Rosenzweig. I have our little program right here. You can hear me turning the pages. This is officially the Bright Horizons Cruise Number 30 that we're on. If you'd like more information about Bright Horizons Scientific American cruise you can go to www.insightcruises.com.
Now you almost certainly know about the disruption of the internet last Friday. Friday would have been the 21st. And Paul Rosenzweig is an expert on such things. So we were fortunate to have him on board to tell us what happened. Let me give you some more background on Paul Rosenzweig first though. I'm turning the pages. Paul Rosenzweig is the founder of Red Branch Consulting, a homeland security consulting company.
He's a senior advisor to The Chertoff Group. He was formerly deputy assistant secretary for policy in the Department of Homeland Security. He's a distinguished visiting fellow at the Homeland Security Studies and Analysis Institute. He also serves as a lecturer in law at George Washington University, senior editor at the Journal of National Security Law & Policy, visiting fellow at the Heritage Foundation. He's a member of the American Bar Association Standing Committee on Law and National Security and a contributing editor of the Lawfare blog.
In 2011 he was a Carnegie fellow in national security journalism at the Medill School of Journalism, Northwestern University where he now serves as adjunct lecturer. So he gave us this talk just a couple of days ago. We have been without internet service that I could rely on because we've been at sea. So this is the fastest I could get this particular piece of information to you. But he gave a couple of talks so far. And so you'll hear him refer back to a previous talk perhaps.
But there's nothing in that talk that you need to know to understand what he's talking about presently. So again he gave this talk on the 23rd. The outage had occurred just a couple of days earlier. And you'll also hear him very briefly talk about a couple of other very recent developments before he goes into detail about the internet outages. So here is Paul Rosenzweig aboard the Westerdam, the Holland America cruise ship the Westerdam as part of the Scientific American Bright Horizons Cruise series.
Paul Rosenzweig: From Thursday till today at least three things have happened that have been really kind of interesting. I want to talk about two of them very shortly and then one of them at length. The first one that I want to talk about briefly is you'll remember we talked about internet domain names and how there was a country called Tuvalu that uses dotTV and sells it for a profit. Well I found out just this morning that apparently in the last 48 hours somebody has purchased trump.tv. And it is not Donald Trump.
And if you go to trump.tv what you will find – I just saw this about 15 minutes ago – is a webpage that says, "The guy isn't even smart enough to buy trump.tv and he wants to be president of the United States."
I just got a letter from his lawyers that say, "Give it to us. It's ours." We talked about trademarks. I told him to go jump in a lake. And as of now I still own it. So you can look at that today but you know maybe six or eight days from now Mr. Trump will have secured trump.tv. But for now the Tuvaluans have sold it to some unnamed person. So that was the first interesting thing that happened this weekend. The second was also a report I read just today.
You'll remember that we talked about large-scale data collections and how Google and/or governments were collecting data about you to build a profile of you. And we had an interesting discussion about whether that was good or bad. In a plan that was released last month what has just been translated is The Washington Post reports that the Chinese government has developed a mechanism for collecting big data on all of their citizens and has expressed its view that it is going to give a trustworthiness score by year 2020 to every citizen of China.
Presumably you will get – The details are not clear but presumably you get more points for attending party meetings and you'll lose points for traffic tickets and things like that. So this is probably the deepest portion of this that we could imagine right? But that was an interesting one. The original paper itself is in Chinese so I haven't read it yet. Someday somebody will translate it and I'll get to read it but until then – So when you think about big data at least think about it in the context of Chinese government activity.
And then ask yourself whether or not that's a real risk in the United States. I suspect it's not – or in Canada – that our institutions are strong enough that we would never put up with that. And so maybe it's not that big of a deal in the United States. But the big one that I want to do is what happened last Friday. We were all in Santa Barbara and basically most of the network in the East Coast of the United States and increasingly on the West Coast went down. And it was almost exclusively focused at least initially in the major metropolitan areas of the United States: Seattle, LA, San Francisco.
So no real problems in Montana, for example. This was a really significant attack. So what happened? You know this is a distributed network but that doesn't mean it's completely decentralized. There are significant high level servers where lots of the domain name traffic goes through and lots of the addressing is. One of them is run by a company called Dyn which runs a whole host of such servers mostly for the United States. We talked about something called the denial of service attack right?
That's essentially a flooding attack. So you've got a Web site that is fit to accept 5,000 inquiries in a second or 10,000 inquiries. And what happens when 100,000 or 1 million come to it? Well the DDoS attack was launched against Dyn blocking traffic to it using something that has been named – I don't pick the names – the Mirai botnet. The Mirai botnet – Botnets are controlled robot networks; networks that somebody other than the owner of the computer actually controls.
So somebody sent an order to the Mirai botnet and said basically, "Flood Dyn with traffic so that it's gotten taken offline." And then nobody will be able to find domain name addresses. And that will render the entire internet effectively dark. The forensics are still being done so this is my understanding today. If it changes tomorrow I'll amend the discussion of it. But this is pretty much it. But here's the really fascinating part about this: most botnets that we've experienced up until now have been run on laptops and servers.
You know like my laptop or yours at home. This botnet was run on Internet of Things devices: baby monitors, CCTVs and DVRs – your digital video recorder that is hooked up to the network where you use it to record the movie that you're watching that comes in over the web. So the security on the CCTVs and the nanny cams and the DVRs was hacked. And these devices that were intended to be very simple devices that would take the video from your baby and put it on your laptop so you could watch your baby while you're working were infected with a program that then sent this nanny cam out sending spam connection requests to the Dyn servers.
So essentially we've taken these really teeny devices that are generally thought of as pretty dumb devices that essentially have been built without any security in them. And they became slaves to whoever was running the Mirai botnet. Okay? So this is novel, new, not seen before. Yes ma'am.
Audience: So does that mean that my DVR back in New York may or did have this program on it, this code on it? And is it still there if it was?
Rosenzweig: If it was there before it is still there now. And whether or not your personal one has it I can't answer. But if 50 of you have one some of you have this. So you may very well have been an unwilling, unwitting, whilst distant in the middle of the ocean participant in this attack. So this actually lets me spend a few minutes talking about why this happens. Yes?
Audience: I did see one article yesterday that suggested at least that if your baby camera and stuff are behind your personal firewall router that you're less likely to be involved.
Rosenzweig: That's right but only if you actually have an enabled firewall on your router. Most people – or many people do not enable the firewall on their router, do not protect it with an encrypted password. So yes it does not work on that. But the size of this network was – They're estimating it at something along the order of one million pieces of gear. So that's a pretty big network.
Why does this happen? It's not a cyber problem. It's a people problem. I want to introduce you to a guy named Arthur Pigou. He is the greatest economist you've never heard of. And he explained why it is that your baby camera doesn't have any security on it. Of course he didn't know about baby cameras because he lived at the turn of the century but there you go. And here it is. I make a baby camera. I try and figure out how much it costs me to make. And I figure out cost of labor, cost of materials, cost of production, and cost of marketing.
I put it all in and I think that a baby camera costs me $5.00 to make – $5.00. So I say okay I've got to make a profit. I'll sell it to you for $10.00. And I make the $5.00 – a nice, tidy little profit. But then somebody else comes along and makes it cheaper. He's got a better product system. So he makes it for $4.00 and he sells it for $8.00 and all of a sudden nobody is buying my cameras because my competitors are cheaper. So I compete either by trying to improve it or maybe I make a better product.
I've got a grainy picture on my baby camera and now I use a high definition TV, a video, so you've got a beautiful picture of little Johnny in his crib instead of the grainy thing that was there before. Maybe I compete on price. Maybe I compete on quality. But the key to the discussion is that the interaction between the producer and the consumer is based exclusively – in most business concepts exclusively on my production values and the consumers' needs.
When I sell a shoe it's the cost of the leather, the cost of rubber, and maybe the cost of the labor. And I tell you it's $100.00 for the shoe. You give me $100.00, bam I'm fine. I spent $75.00 and I made a profit of $25.00. All of that is the natural course of market forces. What if I say – I'm the baby camera manufacturer, "Hmm there's a security problem here." Because maybe I've figured out that the baby camera can be hijacked by a hacker. I'll put a security in. Well that raises my cost right?
So instead of costing me $5.00 to make it costs $6.00 to make. So I want to obviously keep my profit margin. So I raise my price from $10.00 to $11.00. And you say, "Well why did you raise your price from $10.00 to $11.00?" And I say, "For security." And you say, "Well I don't care." Because it's not that – The camera is not my problem. It's all about security for the network out there. And I'm not going to pay an extra $1.00 for security on my camera if all that does is make it easier for Dave, who I don't know, to get to Twitter, 'cause I don't care about Dave.
So that's what we call an externality, where the product that I'm using has an external effect on other people that is a true cost but isn't included in the costs of production. So I don't want – You can't market things generally that cost more than they're worth to the purchaser. And the purchaser tends not to value at all the security that is given to Dave or somebody else other than him. The best case we know about, the classic case that you're probably all familiar with is pollution.
I make steel. I sell steel to you and you buy it to make cars or whatever and you give me money. But while I'm making steel there's a whole bunch of smoke going into the atmosphere. In general the guy who's buying the steel doesn't care about the smoke. He cares about the cost of the steel. And the smoke's harmful effects are not on him. It's on everybody in the community generally. So we have this problem where the true costs of the good – in this case the security of the baby camera – are not included in the general price of the product.
So how do we react to that? Well typically that's where government gets involved. Sometimes we tax things. People think that an answer to pollution is a carbon tax. We add money to the cost of the steel that is our best estimate of the harm caused by the pollution and we artificially – not artificially. We inherently raise the price of steel so that it actually captures the value that we want. Or the flip of that are subsidies. Sometimes we regulate.
We say okay you're making steel but you can't make steel unless you keep the level of pollution below ten parts per billion of carbon dioxide or whatever the factories _____ on. So here in this instance we might say you can't sell nanny cams, DVRs, without security in them so that everybody has to raise their security up a level so that all the new devices are secure. And everybody's price goes up $1.00 or so.
So the government might – in response to the Mirai problem – do something like this. Or we could prohibit them for example. We could simply say from now on no more nanny cams. No more nanny cams at all because they're too dangerous to the rest of us. And we're going to prohibit their use. We sometimes do that with highly dangerous things. Since we're unlikely to do that here a third possibility – the last possibility that's a governmental response – is kind of quarantine.
If you have an unsecure nanny cam you can't attach it to the network. That makes it kind of useless because the network is the whole value of having a nanny cam so that you can watch your child at a distance. But we are faced with this problem of how are we going to enforce security regulations on this new area, Internet of Things devices, all of which have no security in them at all. And even if I figure out an answer to this going forward there are on the order of 50 million to 100 million of these devices already deployed, all of which are vulnerable in one way or another.
The fact that this attack came through DVRs and nanny cameras and CCTVs doesn't mean that the next attack won't come through internet-enabled toasters, refrigerators, or –
Rosenzweig: Thermostats – the Nest thermostat. All of those communicate on the network. Very few of them have inherently built in security in them. And that's because up until now nobody even thought that there was a risk from these, that the security problem – We used to joke – Literally a week ago a friend of mine told me a joke about a spamming refrigerator. We said, "Eh that's not home." Today it's a problem. So my role changes all the time.