Gordon Corera, the Security Correspondent for BBC News, joined me this morning. His Cyberspies: The Secret History of Surveillance, Hacking and Digital Espionage is as fascinating as it is alarming:
HH: This is the last radio hour of the week. I jump on a plane and head to New York, to Washington, D.C. tomorrow to do Meet the Press on Sunday. And I normally give the last radio hour over to Hillsdale College, Dr. Larry Arnn and the Hillsdale Dialogue, www.hillsdale.edu for everything Hillsdale, and www.hughforhillsdale.com for all of those previous dialogues. But Dr. Arnn is vacationing this weekend, so I’m using the opportunity to make the acquaintance of on air Gordon Corera. He is the security correspondent for BBC News. He has presented major documentaries for the BBC on cybersecurity, including Cryptowars and Under Attack, Espionage, Sabotage, Subversion and Warfare in the Cyber Age. I have been addicted for these past two weeks to his newly-released to the United States book, Cyberspies: The Secret History of Surveillance, Hacking and Digital Espionage, which the London Times called riveting, a highly-relevant read, and I would say that’s understating how riveting it is. You can’t detach from it. It’s linked at Hughhewitt.com. I’ve tweeted it out. And Gordon Corera joins me from Great Britain this morning. Gordon, thank you, it’s great to make your acquaintance on the air.
GC: Thank you. It’s good to be with you.
HH: Let me begin by asking you about how much occurred in the year between when you first wrote the book in its United States edition? I read your preface, but it seems to me it’s almost impossible to stay up with the general story. It’s good to get the history down, as you do, and it’s good to bring us up to speed. But my gosh, you could update this book every month with another evolution or iteration in the cyberwars.
GC: Oh, that’s absolutely right. I mean, what’s astounding is every week, there is a major new story on the cyberwars. Sometimes, it’s something like the DNC hack and the emails. Sometimes, it’s to do with terrorism and the use of cyber technology by ISIS, by ISIL, to spread its message, all of those stories are developing fast. And it’s what the tech companies are up to. It’s what, it’s the battles between, you know, Apple and the FBI over encryption. I mean, this story is moving so fast, and there are so many strands, that I do think the history is important, because I think it helps you understand what’s new and what’s not new, and how significant some of the changes are in this field, and how really it is changing so many facets of our world. And technology, of course, we know it’s changing our world, but it’s changing national security, it’s changing spying, it’s changing terrorism. It’s changing all those things at a huge pace.
HH: No, I found your introduction from the Bletchley Park to the present to be absolutely necessary. Unless you’ve got the beginning down, you can’t get to the end. And we’ll come back to that. But let me state you mentioned the DNC hack. I want to go back. Michael Morell, a former director of the CIA, acting director, endorsed Hillary Clinton today. On this show a year ago, here’s what he had to say about her server, Gordon. Let’s hear what you think about this. This is Michael Morell from May of 2015.
HH: What did you make of the Secretary of State having a private server in her house?
MM: So I don’t think that was a very good judgment. I don’t know who gave her that advice, but it was not good advice, and you know, she’s paying a price for it now. Yeah, it was, it was not good.
HH: As a professional matter, do you believe that at least one or perhaps many foreign intelligence services have everything that went to and from that server?
MM: So I think that foreign intelligence services, the good ones, the good ones, have everything on any unclassified network that the government uses, whether it’s a private server or a public one. They’re that good.
HH: So that’s a yes?
HH: Gordon Corera, that stunned me. It’s an admission that the bad guys were surveilling her server. Do you agree with Director Morell’s assessment?
GC: Well, of course, we don’t know the absolutely, you know, with certainty about it, but I think what was interesting about what he’s saying is that you know, good intelligence services, the real top intelligence services, you know, you’re talking about the kind of Russian and Chinese, are going to be across pretty much everything. But if you’ve got a kind of private email server, which is not as secured as some of the kind of more classified government servers, then it’s not just the top intelligence services who could get into it, but lots of second tier countries as well could have the potential to hack into that and to get hold of information, or non-state actors. We don’t know for sure who’s got into any of these emails, or for sure if anyone have, but it’s certainly possible that many actors, many countries, even non-nation-state actors could get into that kind of information and get hold of it and then potentially use it. And I think, you know, those top intelligence services can get into pretty much anything. But you know, a weaker, the weaker your security is, you allow a lot of other people potentially to get into it as well.
HH: I want to make use of your expertise, and of Director Morell’s assumption. His assumption is that they had everything in the server. But work with me for a little bit. If that was true, if they knew about it, if they compromised it, can they use her server or any private server to export bugs to people in connection with her? I’ve always wondered that. Can you use it as a switching station for your malware?
GC: Well, one of the, I mean, one of the things you can do is if you get inside something like that, you could use the information, you could spoof emails to make it look like it’s coming from there, or use the information about people to do social engineering in order to get other people to then click on emails or email links, and then allow you to get into their network. So every time you get into a system, it incrementally allows you to build up your knowledge and your potential access into other systems. It doesn’t necessarily allow you automatically to get into those systems, though, and to inject into it. But it certainly adds to the overall vulnerability by having that one point of weakness. And we know that hackers will find the point of weakness. They will go for the weakest point to get in, and then they can move around the system and look for data that they’re after.
HH: Gordon Corera, I’ve asked William Daley on Meet the Press, I’m going there again on Sunday, I don’t know if Daley will be on, but I got to ask him a question on it. And I’ve asked David Axelrod. Neither of them knew about Mrs. Clinton’s server, neither of them. They both confirmed that on the air to me. Given that they’re corresponding with her and they don’t know it’s a private server, did she make them vulnerable as well?
GC: Well, it’s possible. I mean, this is the thing, is that if you’ve got a, if someone can get into the server, they can get the incoming and outgoing message, and potentially get quite a lot of information about that. So you know, anyone who sent an email to that server would potentially have that email vulnerable as well. So I mean, you know, it’s very hard to know how much is in there and how vulnerable it is. And of course, you know, the FBI themselves said that they, you know, not all of the data was still there. Some of it had gone, and so it’s impossible to know actually the full extent of the vulnerability that existed, or who exploited it.
HH: I’m beginning to think of these as sort of like invisible cyber STD’s that spread throughout the population without anyone knowing that they have them, but being potentially lethal or greatly damaging to your life.
GC: Well, I think that’s one thing we’ve learned, is that it’s gotten much harder to keep secrets these days, that, and that applies whether you are a government trying to keep your secrets, whether you’re an individual trying to keep your secrets, whether it’s your private data, whether it’s your, you know, your private business, whether it’s commercial data, intellectual property, all of that has gotten harder, but because of the nature of network computers, because of the sophistication of hackers, because of the inherent vulnerabilities of the internet. But it’s also true that if you don’t do your security well, then you’re making yourself even more vulnerable, and I think that’s the issue with that email server.
HH: Gordon Corera, what about the DNC hack and the fact that all of those people corresponding with the DNC? We now know it spread to the Democratic Congressional Campaign Committee, to the Democratic Senatorial Campaign Committee. The Clinton campaign says no evidence of that, but I mean, all those people corresponding with those committees, are they also now vulnerable? Is that what you’re saying?
GC: Well, all the emails they sent in through to the DNC or to the DCCC or wherever else has been compromised, it’s potentially there.
GC: And who knows what’s in there? I mean, who knows what kind of emails people were sending, thinking they were private to something like the DNC? We’ve obviously seen a release of some of that material around convention time, but who knows how much more there is and what kind of information there could be? I think, you know, I think that’s, you know, there could be a lot there. And I think what’s really interesting about the DNC hack is we know that political parties have been hacked in the past. We know even presidential campaigns in previous years have been hacked in the past. What’s different about this is, is the release of the information and the fact that some of that material is coming out.
HH: I’ll be right back with Gordon Corera. His book, Cyberspies, is linked at Hughhewitt.com. The Secret History of Surveillance, Hacking and Digital Espionage, he is the security correspondent for BBC News. This is a massively interesting, addicting book. Go and get it.
— – – —
HH: Gordon, I really don’t think that given what we’ve seen about Rio that we can expect them to have an encryption of all the things going on at the athlete’s village. Do you expect that?
GC: No, I, there’s an interesting story I came about which was from the London Olympics, which of course was the last one, 2012, when, so exactly this same time four years ago, the morning of the opening ceremony, there was a huge cybersecurity alert in London, because they found what they thought were the kind of details of the schematics for the electronics and the details for the power supply of the London Olympic venues on the hacker’s computer. And they thought that this could be the moment when hackers were going to try and take the power off during the opening ceremony. And they had this huge crisis in London that morning, fearing that right in the middle of the opening ceremony with the whole world watching, you know, with the Queen inside the Olympic stadium, suddenly a hacker could switch the power off of the Olympics. You could imagine how kind of devastating that would be.
GC: And in the end, it didn’t happen, but they went through to the point where they actually had people ready to switch the power to manual, you know, by a switch, in case it got switched off remotely by a cyberattack on that day four years ago.
HH: Yeah, and the odds of such a thing ever happening increase. As you point out in Cyberspies: The Secret History of Surveillance, Hacking and Digital Espionage, the bad guys of the Islamic State are very good at these new technologies, very good. But let me back up, Page 193. You quote NSA Director General Alexander as saying cyber espionage, in 2012, that’s four years ago, same year as the British Olympics, greatest transfer of wealth in history. I put the book down at that point and said wow, that’s absolutely correct. I hadn’t thought about it in terms of you know, Willie Sutton bank robbery, just pure money changing hands. And unpack what he’s talking about there, Gordon.
GC: He’s talking about intellectual property theft, and business and commercial secrets. And he’s particularly talking about it going to China. There’s no doubt that what’s happened is the biggest transfer of information in history, no doubt about it. I mean, terabytes, huge volumes, libraries full of business information, have gone to China. There’s a more complex question, which is how often have the Chinese actually been able to monetize it and actually use it commercially? The evidence is more, it’s harder to pin down. We know the information has been stolen, but where they’ve used it, it’s a bit more complex. But I did find one example, which was a few years back, there was a major negotiation about iron ore pricing, and in which the Chinese were involved along with other companies including Rio Tinto, the big mining giant. And at the time, it was estimated that because of a cyberattack on the company systems, they lost up to about a billion dollars in a commercial negotiation over iron ore pricing. It was like a huge amount.
GC: Now in practice, it may have been slightly less than that, but that was the estimate at the time that the British Security Service came up with. So you can see the ability to kind of manipulate negotiations to get inside really big, serious business decisions to steal the latest research from, say, pharmaceuticals or other R & D. That is potentially huge and transformative. And that’s the kind of thing that General Alexander was saying had taken place over preceding years, particularly with regards to China.
HH: And you know from the history, this is a minute, and we’ll set this up and we’ll come after the break. Influence operations are a specialty of both the old Russian service and the new Chinese service. The more data you have, the more sophisticated your influence operations. 30 seconds, am I right in my premise, Gordon?
GC: Absolutely. Influence operations have been something that the Russians have done for many decades. Cyber espionage has allowed them to do it on a much larger scale than before, because they can get hold of the data much more easily and much more sensitive data.
HH: When we come back, more with Gordon Corera. I have a long segment with him coming up to wrap up our conversation about Cyberspies: The Secret History of Surveillance, Hacking and Digital Espionage. It is so timely with the election looming, with international threats growing, with ISIS in the field. You’ve got to get and read and absorb this book. I hope every intelligence professional does so. It’s linked at Hughhewitt.com.
— – – – –
HH: We spend a lot of time in the Hillsdale Dialogue talking about Churchill, talking about the American, United States special relationship with the UK, and the Five Eyes program, Gordon. Would you explain to people what that is and where it came from, because they’ll know about Alan Turing from the movie, and they’ll know about Intrepid. But the Five Eyes partnership is really unique, and it grew out of that special relationship.
GC: It did, and it grew out really as a remarkable collaboration at Bletchley Park during World War II. So even before America has formally entered the war, there is a secret mission of American codebreakers to Bletchley Park. And I mean, I tell the story in detail in the book, because it’s just an amazing story where they travel over by boat, their boat is bombed by German fighters and is shot up even while they’re carrying very precious equipment, these American codebreakers, on this secret mission to Bletchley Park, because they’re carrying a reconstruction of the Japanese code machine that they’ve broken. They come to Bletchley with this as a kind of a gift, if you like, to try and establish a friendship. And at Bletchley Park, there’s this huge debate which goes right up to Churchill about whether they open up in turn about the work that they’ve done, led by Turing, to break the German Enigma machine. During the American visit, they decide yes, they are going to open up to the Americans. And the two sides share their most intimate secrets about codebreaking during the war. I mean, it’s a really remarkable thing to do. And out of that moment, which was 75 years ago, the close intelligence alliance which still exists was born between Britain and the USA, particularly between what’s now NSA and GCHQ, and which is then after the war expanded into what’s called the Five Eyes as the other English-speaking nations, Canada, New Zealand and Australia, also join this club. And so you really understand that at the heart of this relationship between Britain and America is being intelligence. And at the heart of the intelligence relationship has been codebreaking. And that cooperation in codebreaking was started with that secret mission to Bletchley.
HH: And then you bring it all the way forward 75 years to right now at this very moment. Germany is struggling whether or not to join Five Eyes with us, and they need us, and we need them, given especially this migration. But they don’t like the responsibilities that go along with the access to the data. And Snowden put enormous strain on this. I thought you were right up to the minute on this, but I don’t know if you know yet whether or not Germany has agreed. Have they, coming all in?
GC: No, I mean, because basically the Five Eyes deal includes the idea that they, you don’t spy on each other. So you don’t spy on each other for commercial gain or political gain. It’s a deal, but, and so the Germans recently thought oh, we’d quite like to join this club so we don’t get spied on by the Americans and the British and anyone else. But part of the response was that it was then said well, but the deal doesn’t just involve not getting spied on. You have to also spy, if you like, on our behalf. And what they do in the Five Eyes is they divide up the world. They divide up the world and say you will look after spying on these countries, you will concentrate on these targets, you will collect data from these undersea cables, and tap them and work on them, and divide up the world. And the Germans were kind of like ooh, you know, we’re not sure about that side of things. And so the Five Eyes club still exists as quite a kind of a closed club. Lots of other countries would like more data sharing. It’s really interesting, because lots of these countries, including the Germans, complained about, you know, NSA, about other activities, about GCHQ in Britain. But at the same time, they want the cooperation, the partnership, because they know how valuable that information and the data sharing, and the tip offs and the intelligence leads about terrorism are that come from that kind of global surveillance capacity that the US and UK and others have built. They just know how powerful that is.
HH: So Gordon, people will have to read Cyberspies to get a full understanding of, I can’t even say Huawei, the Chinese conglomerate, which is based…
GC: Oh, the Chinese company, yeah, Huawei, yeah.
HH: That has hardwired cyber spying into vast amounts of engineering around the United States, but my very relevant this very day question is, if you take someone like Secretary Clinton who’s been compromised, or the DNC that’s been compromised, can they be re-sanitized? In other words, can she somehow assure people that okay, the Russians, the Chinese, and even, as Mike Morell pointed out, second rate agencies got everything on me for five years, but I can fix that. I can put myself above influence operations. I can secure myself. I can be aware of how I’ve been compromised and defense that. Is that possible?
GC: Well, in one sense, no. Firstly, because what’s already out there, what’s been stolen, has been stolen. So you know, how much more gets revealed, we’ll have to see, you know, as part of whatever, you know, whoever’s agenda that is. I think going forward in the future, you know, yes, people can take much more extreme security steps, but can you ever be totally secure? If there’s one thing I learned is that if a top intelligence agency really, really wants to get into your system, they probably can. There’s very little you can do to stop it. Now the truth is for most people, that doesn’t matter, because you know, it takes time and resources to get into a really secured system. You know, sometimes, it takes you know, using human spies to plug a USB into a system to get into it, and to get around some of the security. But it is possible. So if you are someone like a presidential candidate who might be a top target, it is very difficult to ever say I am secure, there is no way someone could…so you have to almost live in a different way in which you assume your information could be breached, could be compromised, could one day be revealed.
HH: That’s what I think. I had dinner last night with a now on reserves, but former United States SEAL whose specialty was intelligence. And we were talking about your book, and about digital exhaust, this term that you’ve come up with, and his belief that basically, classification is a myth, and we might be tempting ourselves into believing that there are secrets when there simply can’t be any secrets, and that maybe we ought to all just open everything up because of that, except for the names of agents and things like that. This digital exhaust concept, would you explain it to me, because all of us are sliced and diced and filed away, every single person in the world is.
GC: Well, absolutely. We all now leave a digital exhaust, which is as you move around in this world, whether in the physical world or online, you leave a trail of data. So you leave a trail of data about where you’ve been, about what you’ve been doing, you know, obvious things like your kind of credit history, but much more subtle things. And as soon as we move to the internet of things in which all your, you know, all the items in your house and your car are wired up, people will know where you’re driving, how much gas you’re using, what you’re doing. People will know what your, you know, what food you’re eating. The amount of data you leave is growing exponentially, which allows people to track you, to define you, to know where you are, to know a lot about you. Now at the moment, the leading edge of that is probably the private sector. It’s advertising agencies who want to know that so they can sell you products. It’s the Googles and other companies of this world who are drawing together all this data, which we often voluntarily give to these companies in return for services. But yes, intelligence agencies can also get hold of that data, sometimes by demanding it from companies, sometimes by stealing it, sometimes through other routes. And they can use it to track us, to understand us, to define us. And it’s a hugely powerful tool which changes the nature of privacy and secrecy in the future. And I do think that, you know…
HH: It changes how people are going to live. I’m glad I’m 60. So I don’t have to worry about this. But I want to close by asking you, you describe the donut in Great Britain, how vast it is. And you also describe the NSA’s facility in Utah, and how it might hold every bit of data in the world, though the NSA denies that. Are you worried about, you know, children who are just being born into this age, by the time they reach my age of 60, everything will be known about them. Will everything be predictable about them?
GC: I think it is going to change so much about us, and I think we do need to understand the way in which the technology is allowing people to do predictive analysis, to say we think you’re going to buy this product, or we think you’re going to act in this way, or we think you’re going to conduct this kind of behavior or this kind of criminality, and try and predict it. That is the future that companies and governments are moving to with big data. And I think we do need to be aware of it. We do need to start debating it. We do need to start educating ourselves about it fast, because it’s not something which is 20 years away. It’s a year or two, or five years away in which this stuff is happening, and some of it is happening now. And if we don’t kind of grasp it and try and think what are the limits, how do we want to use it, or what data should be collected and how should it be used, if we don’t do that fast, it’s going to be decided for us by other interests.
HH: And a quick question…
GC: And it’s something people need to be aware of.
HH: The Snowden movie is coming out. Now I think he’s a traitor, but you are rigorously balanced in your assessment of him. Snowden fans and Snowden critics like me will both have to walk away from Cyberspies and say that you did a job of reporting here. Do you believe he, was he duped by the Russians and the Chinese? Is he really that bright?
GC: Well, I have to say the fact that he ends up in Russia is significant. Now you know, I don’t think there’s any evidence that he was a Russian spy from the start, but you know, would the Russians make the most of the fact he’s there, or try and get hold of his data? I’m sure they would try. His supporters will say no, they won’t, you know, he wouldn’t give it over. But would he know if they’ve got hold of it? He says that he didn’t take it to Russia. All of that may be true, but I think you know, for the Russians, there is certainly an opportunity there in having someone like Snowden on their territory. He has been critical occasionally of Russia. I think that’s true. But I think, you know, the Russians are very adept at this idea of influence operations, of trying to shape public opinion, of trying to get information out in particular ways. And I think we can see that, whether it’s in the DNC hack or whether it’s in the way that other information has come out. And I think in that sense, Snowden is, you know, you could see how he could, information, even if he’s not willing himself to do it, his information could be used in that way.
HH: And Gordon, last question, do you expect Hillary’s server private emails to show up on Wikileaks before the election is over?
GC: I think that would be a big deal, wouldn’t it?
GC: If we started to see that information, and you know, whether the people who got hold of the DNC information had got into her private emails, there’s no evidence of that, but you know, you can’t rule anything out. And you know, I wouldn’t be surprised if we see some more big revelations in the coming months before November on the election day.
HH: Gordon Corera, great book, Cyberspies. I appreciate you spending the time with me. Thank you, Gordon. I really do. I want to urge all of you to go and get the book. You will find it to be just amazing. And it will, I believe it will cement your decision not to vote for Hillary Clinton, totally compromised. I don’t understand Mike Morell’s endorsement of her today in the New York Times, which is there. I can’t deny it. He told me on this show that she’s compromised. Nevertheless, he endorses her. He must dislike Donald Trump that much.
End of interview.