Chertoff: I’m Listening to the Internet (Not in a Bad Way)
Homeland Security chief Michael Chertoff sat down with Threat Level on Monday in Silicon Valley to talk about laptop searches at the border, the government’s new-found interest in computer security, and the continuing saga of overeager terrorist watch lists.
Among the revelations: It seems blog comments inspired him to propose a laptop-tracking application for those who had their computers seized at the border. He also explained why watch-list mismatches are the airlines’ fault, and why the government is too secret.
Wired.com: There have been quite a few security czars over the years, but sometime last year, cybersecurity became important. What changed?
Homeland Security Secretary Michael Chertoff: I’m going to give credit to Mike McConnell, the director of national intelligence. When I came on board and we looked at the entire department three-and-a-half years ago, one of the issues we saw was that we didn’t have a very mature cybersecurity program. We have US-CERT, which does good work, but we didn’t have a program much beyond that.
Frankly, it was hard to get people to explain what they thought our value-add to the program would be. It’s not like we are inventing software or firewalls or are competing with McAfee or companies like that.
We could talk about creating a forum where the cyber community could come together and share information, but that seemed like pretty weak tea.
But last year, Mike McConnell and I sat down … and really began talking through what do we do to deal with this issue — the problem is getting greater.
We have had intrusions. We have had the theft of information over the internet. We are concerned about denial-of-service attacks. We saw the attacks in Estonia.
The sense was we couldn’t not deal with the problem because it was hard.
And as I became better acquainted with some of the tools other parts of the government use in terms of capabilities for cybersecurity, that we have used for [the Department of Defense and] for the intelligence community, for example, I was persuaded — it didn’t take a lot of persuasion — that there ought to be a way to translate this into civilian domains.
And there are two parts to this. One, we have to protect our own civilian assets — meaning the dot-gov assets.
And there what is involved is getting a hold on the number of access points between .gov domains and the internet, and finding a way to progress from our current Einstein model [DHS’s Intrusion Detection Software], which is the passive detection-after-the-fact model, into a real-time detection tool and possibly even a defensive capability with respect to our networks connecting to the internet.
And just getting a handle on that would be a huge benefit in terms of protecting our assets against espionage and also against the possibility of an attack.
The larger challenge — and frankly one that is further out — is to find a way to partner with the private sector to enable and encourage them with some to the capabilities that we have to increase their defensive capacities, but on a voluntary basis, meaning not making them do it or regulating them into doing it. But instead offering them the opportunity — much the same in the non-cyber-world, we go to people who run power plants and dams and we share information and best practices that they can use to defend their own assets.
Wired.com: When you hear talk of cyberwar, people start talking about power plants going down and you get cascading problems. Do we need legislation to give DHS the power to regulate those who run critical infrastructure?
Chertoff: I’d be hesitant to go there with private sector. With the Federal Aviation Administration or other government agencies, I think it is different. I think with the private sector the model is the cooperative model. They have a very strong interest in protecting their assets. But they also have to make a choice about how much they want to partner with the government.
The one thing we don’t want to do, because the culture of the internet is opposed to anything that smacks of government clumsy heavy-handedness, is that we don’t want to be sitting on the internet, like certain other countries do, where people suspect we are limiting what people can see. We don’t want to force people to do what they don’t want to do. We don’t want them to think we are intruding into their private space.
There is an interdependence on the internet that puts a premium on being a responsible citizen. If you fail to protect your own assets, it doesn’t just affect your assets, it affects the assets of everyone linked up to you. So pretty soon, someone who doesn’t do a responsible job is going to find themselves ostracized.
The business community is pretty good at understanding that, when they have a threat, and there is capability to defend against the threats, if you don’t exhaust every reasonable means, pretty soon you will end up being sued and you will be in bankruptcy court. They have a natural incentive to protect their assets.
Wired.com: What is your threat model? Is the threat level that high?
Chertoff: There are nation states and non-nation states that have the ability to penetrate and filch information and there are certainly other countries in that area as sophisticated as we are — or close to it — so naturally you worry about that.
I think you worry about intrusions that steal valuable intellectual property, and you worry to an even greater degree about corruption or disruption of processes.
By corruption, I mean someone enters the financial sector and you begin to corrupt how the system works and it becomes unreliable, people begin to find out they have lost money from their bank account.
The reliability of the system becomes compromised.
There is no question in terms of espionage: It has already materialized. There is a huge amount of penetration of certain government systems that we have had to contend with. Now we are able to defend against a lot of this, but some of it has not been defended against and some of this is out in public
We had the Estonian experience in terms of an attack actually on a system.
If we wait till someone tries this the first time, its going to be a really unhappy circumstance.
Just ask [Treasury Secretary] Hank Paulson. If someone takes out a bank, and all of a sudden you don’t know any more if your money is safe, that imperils the entire banking system.
There are some people who believe the current generation of terrorists wants a big visible bang. But you know, the next generation may not want a big visible bang. They might take a quiet satisfaction in watching the entire financial system shutter.
Wired.com: Could we talk about laptops and the borders? (ed. note: The government reserves the right to look through any laptop or electronic device crossing the border, saying it is no different from any other luggage. DHS published the official policy on its website just weeks ago.)
Chertoff: This is something that has been done since there were laptops … It is not a new program. It is a program that affects only a small number of people. And contrary to what the ACLU says, it is constitutional, because the courts say it is constitutional, including the 9th Circuit most recently.
The only thing that happened recently is that I ordered the policy to be put online in the interests of openness and transparency. We get about 80 million people a year coming to our airports, and a very small number are put into secondary inspection and that’s based on some suspicion that the inspector has about the person.
It is that pool of people in secondary that have their things gone through, they can have their luggage and documents gone through. And nowadays because you can bring contraband through on a laptop, they can have their laptop looked at.
You are looking for material that is contraband itself, such as child pornography or information about how to set up remote control IEDs. Or if they are non-Americans, you are looking for information on the laptop about why they should not be admitted.
In many cases, we open the laptop and look at it right there. There are some cases where it is encrypted or it is difficult to assess, we may hold on to laptop for purpose of having someone more expert look at it.
If it turns out there’s nothing there of criminal nature or significant in terms of national security or admission to the country, we return the laptop and expunge the information and it evaporates.
If it turns out there is significant information, we may return the laptop and keep the info, or if the laptop is itself evidence of a crime, then once we have PC [probable cause] determination we keep it.
One thing I am thinking of doing is creating a better tracking system so if we do take a laptop off the premises, we find a way to let them track it and after a certain number of days they can inquire about when it going to be returned or what the situation is.
Wired.com: Wouldn’t it allay the suspicions of the business community if you had a policy that says we only search through laptops if we have a good reason to do so?
Chertoff: That’s exactly why I put it up on the internet. It is on the web to say, ‘We only do it when we put you into secondary and we only put you into secondary when there is a suspicion, when there is a reason to suspect something.’
We were trying to say we don’t take everyone’s laptop and suck it up into a giant vacuum cleaner.
There is some basis for suspicion the inspectors use, and they are the same they have used for decades.
We posted [about the policy] on the Leadership blog and we got a lot of comments. So I said, ‘Let’s look at all the comments and if there is something we can clarify in the policy because there is a persistent issue, we will do it.’
I am willing to treat this as a bit of an experiment in interactive policy-making. For example, it seemed to bother people, from what I was told, when a laptop is taken elsewhere. So that’s where I came up with idea of finding a way to assure people they won’t lose their laptop. We are going to track it and make sure we can account for when it is and when they will get it back. So I am willing to do this back and forth in interactive way.
Wired.com: Since people could simply store things on servers or use Gmail, doesn’t the program just get at low-hanging fruit?
Chertoff: I’m going to tell you a story from real life. When I was a prosecutor we had had wiretaps for criminal cases for years — it was a well-known thing. But time and again I would hear the following on a wiretap: "I hope no one is listening in because if they are we are going to jail."
The truth is it is very hard to perfectly avoid being captured if you are doing something wrong simply by saying, ‘I’m not going to put it on my laptop. I will put it somewhere else.’ They are going to have to be worrying that the other place they are keeping it, the cloud, is being penetrated
Now is it impossible? No, a perfect terrorist could find a way to circumvent this. But if I can reduce the risk by getting rid of 99 percent, I am way ahead of the game.
Wired.com: If you have an encrypted laptop and you are an American citizen and you come back to the border and you get pulled aside for secondary, they want to look through the laptop and you don’t want to give the password, what happens?
Chertoff: That’s being litigated. I think our view is that you can be required to open it up, in much the same way, that if you have a briefcase and it is locked and you don’t want to open the lock. And the hunch is that’s a circumstance where the laptop might be seized and taken elsewhere to be decrypted.
[In response to a follow-up e-mail, spokesman Russ Knocke clarified. "Constitutionally, U.S. citizens are permitted entry into the country. However, if they are carrying contraband such as illegal narcotics, they may be taken into custody. In the hypothetical circumstance that a U.S. citizen is entering the country with an encrypted laptop, and that individual is even referred to secondary in the first place, and then that individual refuses to cooperate by providing a password (again, even if we were to get this point), then the laptop could be seized and de-encrypted."]
Wired.com: Almost seven years after 9/11, there are still reports of problems with the government’s watch lists. Most recently, Jim Robinson, a former assistant attorney general, says he is stuck on the list.
Chertoff: In the airport environments, supposing there is a terrorist Jim Smith and that person should be on the watch list, the question is how do you distinguish them from the other Jim Smiths and the answer is you need an additional bit of data, such as a birthday.
That would override or eliminate most false positives. In order to allow people to do this, [beginning] about two or three months ago, people who are selectees can give their frequent flier number or birthday, the airline can enter it in system and they can enter that at the kiosk or at home and they can get their boarding pass and it won’t be an issue.
One airline has done that very well. There are some airlines that have not done that. They don’t want to reconfigure their software, it’s not an issue of customer service they care about, and if there are false positives they can blame the government.
We would like to reconfigure in the next year … so we do the checking. Some of the airlines don’t want to do that because they would have to reconfigure their software.
So that’s why there was a discussion recently about whether we should fine airlines that don’t correct this problem. There is a system for correcting this and which is adding another data point, but the people running the system have to be willing to reconfigure the system. If they don’t care, then the problem is going to continue.
Wired.com: But there is no mechanism for me to say I’m not doing what you think I am doing?
Chertoff: There is a redress program. The easiest thing to resolve is that you are not the person we are worried about. The hardest thing to resolve is that you are worried about me, but you shouldn’t be — because, to be honest, there are people who are dangerous who lie about being dangerous.
And if you tell why you have them on list, they will reconfigure or readjust their behavior to not leave the traces that are a problem.
There may be people for whom it is inconvenient to be patted down or asked a few questions. The downside is that if we don’t do that except if we have proof someone is an actual terrorist, you are going to have a Mohammed Atta getting on an airplane or crossing the border and that’s going to raise the risk.
Wired.com: At what point do stops by law enforcement and four-hour holdups at the airport become a punishment that you can actually protest?
Chertoff: Particularly with respect to Americans, the number of people that are on the list that are not false positives are not that large a number. And if they do raise an issue, we will take a look at what the basis is. And sometimes we will make adjustments.
But if you are asking if we would do a court process where we litigate it, I mean, that effectively would shut it down.
And then I guarantee what would happen is this: If you stopped using the watch list and basically anybody could get on a plane without knowing their identity, sooner or later something would happen — and people would lose their lives, and then there would be another 9/11 Commission and we’d hear about how you had this system and you would have kept them off and these people lost their loved ones on a plane.
I don’t know if they do it anymore, but when I was a kid we all had polio shots, and after a while, you just don’t know anyone with polio. And the question was raised was, why are we taking these shots? There’s not that much polio around. And one of the reasons there’s not that much polio around is that everyone is getting inoculated.
Wired.com: You are talking about sharing information and this being an open process, but so much of the Comprehensive National Cybersecurity Initiative is secret. Homeland Security Presidential Directive 23 — which authorized the program — there’s still not an unclassified version of it. You can talk about Einstein, but there are other things you can’t talk about. There’s reportedly $20 billion in the classified intelligence budget for cyber-security. From the outside, it’s hard to know what’s going on.
With that much secrecy, it sounds like security through obscurity.
Chertoff: I think secrecy is one of the hard issues. That’s because the culture of the internet is an open culture and I would like to see us be as open as possible.
It’s obvious that some things can’t be open because they compromise things that, if known to others, would diminish our ability to do certain things, whether that be acquire information or take certain steps
We will have to figure out how to be open to the extent we can while recognizing you live in a world where openness can be a problem too.
It is my fervent hope that more and more of the strategy will be public and only things that really have to be kept secret will be kept secret. But once something is out it is out — so there is hesitancy and deliberativeness about making things public. But in this case we tried to make public early we were thinking about this.
Wired.com: How do people know this isn’t a program about sitting on the internet and monitoring everything?
Chertoff: That’s why I think the easy part is the government piece, because clearly with government domains, you have a right to protect your own domain.
And that’s why I emphasize the voluntariness. I think the key to the approach is one where the government offers to work with the private sector. But it has to be consent-based.
If you don’t want any part of it, then you can walk away.