WHAT MAKES NEW YORKERS VULNERABLE TO RUSSIAN CYBERATTACKS?

> GOOD EVENING AND WELCOME TO 'METROFOCUS,' I'M JACK FORD.

COUNTERTERRORISM OFFICIALS HAVE PUT THE NEW YORK AREA ON HIGH ALERT, TELLING NEW YORKERS TO BE ON THE LOOKOUT FOR POTENTIAL CYBER ATTACKS EMANATING FROM RUSSIA.

EXPERTS WESTERN THAT WITH U.S.

SANCTIONS CRIPPLING THE RUSSIAN COMPANY, RUSSIA COULD CHOOSE TO RETALIATE AT ANY MOMENT BY USING CYBER WARFARE AND NEW YORK COULD BE A PARTICULARLY ATTRACTIVE TARGET.

SO, JUST HOW VULNERABLE ARE WE TO CYBER ATTACKS?

WHAT CAN BUSINESSES AND INDIVIDUALS DO TO PROTECT THEMSELVES?

AND ARE WE REALLY PREPARED FOR ATTACKS ON OUR CRITICAL IN INFRASTRUCTURE LIKE THE SUBWAY SYSTEM OR THE POWER GRID?

WELL, JOINING US TONIGHT TO HELP ANSWER THOSE QUESTIONS IS GLENN GERSTELL.

HE'S A CYBER SECURITY EXPERT AND THE FORMER GENERAL COUNSEL OF THE NSA.

GLENN, WELCOME.

THANK YOU FOR JOINING US.

THANK YOU, JACK.

LET ME START WITH THE BIG PICTURE QUESTION, AND THEN WE'LL GET DOWN TO SOME OF THE SPECIFICS I MENTIONED.

YOU RECENTLY WROTE A 'NEW YORK TIMES' OP-ED PIECE WHERE YOU SAID YOU DON'T BELIEVE THE U.S.

IS ADEQUATELY PREPARED . WHY DO YOU BELIEVE THAT'S THE CASE?

THE SIMPLE FACT IS, WE'RE FACING A VERY SERIOUS ADVERSARY, A VERY SOPHISTICATED ONE, IN THE FORM OF RUSSIA, WHICH KNOWS HOW TO PENETRATE CYBER NETWORKS THROUGHOUT THE WORLD.

WE'VE SEEN WHAT THEY CAN DO ELSEWHERE.

AND ON THE OTHER SIDE, AMERICAN BUSINESSES AND INDUSTRY AND INFRASTRUCTURE AREN'T EVENLY -- AREN'T EVENLY ORGANIZED AND DON'T HAVE THE SAME LEVELS OF CYBER SECURITY PROTECTION ACROSS THE BOARD.

SOME SECTORS, SUCH AS THE BANKING SECTOR, THE FINANCIAL SECTOR, WALL STREET WHICH IS SO IMPORTANT TO THE NEW YORK ECONOMY, THEY'RE IN PRETTY GOOD SHAPE, BUT OTHERS AREN'T.

AND ACROSS THE COUNTRY, AND, OF COURSE, WE'RE VULNERABLE AS A WHOLE COUNTRY, WE HAVE VERY UNEVEN LEVELS OF CYBER SECURITY.

PART OF THAT IS THE WAY OUR NETWORKS WERE ORGANIZED IN THE FIRST PLACE, PART OF IT IS POOR CYBER SECURITY PRACTICES, INSUFFICIENT CYBER SECURITY EXPERTS, A WHOLE LIST OF REASONS WHY WE'RE VULNERABLE, WE ALL KNOW THAT.

AND ON THE OTHER SIDE, AS I SAID, WE'RE FACING VERY SOPHISTICATED ADVERSARY.

WE KNOW HOW RUSSIA WAS ABLE TO TURN THE LIGHTS OFF IN UKRAINE IN 2014 AND 2015.

LET ME ASK YOU SOME FOLLOWUPS TO THAT.

WE TALK ABOUT WHAT WE KNOW ABOUT CYBER ATTACKS EMANATING FROM RUSSIA.

GENERALLY SPEAKING, ARE THEY WHAT WE REFER TO AS STATE-SPONSORED ATTACKS?

CERTAINLY THE UNITED STATES GOVERNMENT HAS ON A NUMBER OF OCCASIONS SPECIFICALLY CALLED IT OUT, THE GRU, WHICH IS THE ACRONYM FOR THE RUSSIAN MILITARY INTELLIGENCE UNIT, AS THE RESPONSIBLE PARTY BEHIND A BUNCH OF SERIOUS ATTACKS IN THE UNITED STATES, INCLUDING SOLAR WINDS AND OTHER ATTACKS AROUND THE -- AROUND THE WORLD, INCLUDING THE RELEASE OF WHAT WAS THE MOST DANGEROUS CYBER SECURITY VIRUS THE WORLD HAS EVER SEEN, IN 2017, WHICH WAS AIMED AT UKRAINE, BUT -- SPREAD ALL AROUND THE WORLD, CAUSING $10 BILLION OF DAMAGE.

SO, RUSSIA IS A VERY SOPHI SOPHISTICATED FOREIGN CYBER ADVERSARY THAT, IN SOME WAYS, IS PROBABLY A NEAR PEER TO THE UNITED STATES.

WHY DO YOU THINK, WITH ALL THE TALK ABOUT THIS, THAT AT LEAST WE HAVEN'T HEARD OF ANY OF THESE CYBER ATTACKS ON OUR STRUCTURES AND ENTITIES AND ORGANIZATIONS, AT LEAST YET?

WHY DO YOU THINK THAT IS?

WELLING, A COUPLE OF THINGS.

FIRST OF ALL, LIKE THE SAYING GOES, DAY AIN'T OVER YET, SO, WE CAN'T BE SURE EXACTLY WHAT PUTIN IS GOING TO DO IN THE FUTURE, ESPECIALLY IF HE'S CORNERS OR HE FEELS HE HAS NO CHOICE BUT TO LASH OUT IN RETALIATION.

IN ORDER TO MAKE HIMSELF LOOK STRONG DOMESTICALLY.

OR IF HE FEELS HE HAS NOTHING TO LOSE.

OR HE'S ALREADY GOT SANCTIONS IMPOSED ON HIM, NOT GOING TO GET MUCH WORSE, SO WHY NOT JUST ENGAGE IN A CYBER ATTACK?

WE CAN'T RULE THAT OUT.

HAVING SAID THAT, I STILL THINK IT'S UNLIKELY.

WHY?

BECAUSE THE UPSIDE FOR HIM IS VERY MINIMAL.

THERE'S NO REAL STRATEGIC GOAL HE SERVES BY UNLEASHING A DESTRUCTIVE CYBER ATTACK IN THE UNITED STATES.

HOW DO YOU MEAN WHEN YOU SAY THAT, NO REAL STRATEGIC GOAL?

IS IT JUST CREATING INCONVENIENCE FOR US AND NOTHING MORE?

SO, THE RUSSIAN PATTERN IS TO TRY TO SPEW DISINFORMATION, TO SEW DECISION CORD, TO SORT OF THROW SAND IN OUR GEARS, SO TO SPEAK.

THEIR PATTERN IN THE UNITED STATES HAS NOT BEEN TO ENGAGE IN DESTRUCTIVE CYBER ATTACKS.

BY THAT, I MEAN USING CYBER TO OPEN VALVES IN A CHEMICAL PLANT, RELEASING POISONOUS GASES, OPENING GATES IN A DAM TO HAVE WATER GO DOWNSTREAM OR HITTING THE FINANCIAL SERVICES SECTOR AND CAUSING VISA AND MASTERCARD PAYMENTS TO SUDDENLY STOP.

WHETHER THEY'RE CAPABLE OF THAT, WE DON'T KNOW EXACTLY, BUT WE NEED TO BE WORRIED ABOUT IT.

HE HASN'T DONE THAT BECAUSE OF THE LIMITED UPSIDE IN THE STRATEGIC SENSE AND THE FEAR OF RETRIBUTION.

HE KNOWS IF HE DOES SOMETHING THAT HAS REAL WORLD DESTRUCTIVE EFFECTS IN THE UNITED STATES, WE'RE GOING TO FIGHT BACK AND IT'S NOT JUST GOING TO BE IN THE BASIS OF A CYBER ATTACK.

YOU MENTIONED DIFFERENT ENTITIES THAT COULD BE TARGETED HERE.

WHAT ARE THE ONES THAT YOU WOULD KEEP YOUR EYES ON AS THE MOST VULNERABLE TARGETS IF THERE WAS TO BE SOME TYPE OF A CYBER ATTACK?

SO, I THINK THERE ARE DIFFERENT KINDS OF CYBER ATTACKS THAT THE KREMLIN COULD EITHER AUTHORIZE OR CONDONE.

I COULD EASILY SEE VLADIMIR PUTIN TELLING THE RANSOM WARE GANGS, OKAY, GUYS, GO AT IT.

AND THAT'S EVERY INDUSTRY, FROM A DRUG COMPANY TO A PIPELINE COMPANY TO YOU NAME IT.

I DON'T THINK ANYONE IS IMMUNE FROM A RANSOM WARE ATTACK.

ON THE QUESTION OF A PHYSICALLY DESTRUCTIVE ATTACK OR SOMETHING THAT DELETES DATA OR IMPEDES ECONOMIC ACTIVITIES, SUCH AS GOING AFTER THE S.W.I.F.T.

BANKING NETWORK, THE NEW YORK STOCK EXCHANGE, THAT'S A LITTLE HARDER TO DO.

THOSE INDUSTRIES TEND TO BE VERY WELL-PREPARED.

THE ENERGY SECTOR AND THE BANKING SECTOR IN PARTICULAR HAVE PRETTY GOOD CYBER DEFENSES.

DOESN'T MEAN IT'S IMPOSSIBLE, BUT THEY'RE IN PRETTY GOOD SHAPE.

ON THE OTHER HAND, GENERAL MANUFACTURING, RETAILING, OTHER FORMS OF PAYMENT, THEY'RE ALL VULNERABLE.

LET ME GO BACK TO SOMETHING YOU SAID EARLIER IN RESPONSE TO THE FIRST QUESTION, WE WERE SAYING WHY YOU BELIEVE WE WEREN'T PREPARED.

AND YOU TALKED ABOUT THE FAIRLY SCATTERED APPROACHES HERE.

THE FEDERAL GOVERNMENT, STATE GOVERNMENT, INDIVIDUAL ENTITIES, BUSINESSES, PEOPLE.

WHY DO YOU THINK IT IS THAT WE DON'T HAVE -- AND I SUSPECT THAT MOST PEOPLE WOULD BE SURPRISED ABOUT THIS, BECAUSE IT'S NOT AS IF THAT SIGNER ATTACKS ARE SOMETHING BRAND NEW.

WHY DO YOU THINK IT APPEARS THAT WE DON'T HAVE A CENTRALIZED, CONCENTRATED LINE OF DEFENSE FOR THESE TYPES OF ATTACKS?

IS THERE -- MAYBE THE FOLLOWUP IS, IS SUCH A THING POSSIBLE?

SURE, I THINK THE ANSWER TO THAT IS A LITTLE COMPLEX.

LARGELY ROOTED IN HISTORY AND LEGACY OF THE WAY THE CYBER PROBLEM MANIFESTED ITSELF.

IN THE EARLY DAYS, YOU KNOW, 20 YEARS AGO, THE DAWN OF THE INTERNET, THIS WASN'T A VERY BIG PROBLEM, CERTAINLY WASN'T A SYSTEMIC IC PROBLEM.

YOU GOT AN EMAIL --

OH, YOU MEAN THAT WASN'T ACCURATE?

THAT WASN'T TRUE WHEN I GOT THOSE EMAILS?

HUH.

I HOPE YOU DIDN'T SEND THEM TOO MUCH MONEY.

FORTUNATELY, MY WIFE IS SMART ENOUGH TO SAY, MAKE THAT GO AWAY.

ALL RIGHT, WELL, THAT'S GOOD.

BUT WE WENT FROM THAT TO SYSTEMIC ATTACKS, TO RANSOM WARE ATTACKS, TO SOMETHING FAR MORE DANGEROUS, INCLUDING BY OTHERED A VERVE SAYS LIKE IRAN, NORTH KOREA, AND WCHINA.

WE'RE NOT ORGANIZED TO DEAL WITH THAT.

THE WAY OUR FEDERAL GOVERNMENT DECIDED TO DEAL WAS CYBER WAS TO SIMPLY BOLT ONTO THE CYBER RESPONSIBILITIES TO EXISTING GOVERNMENT AGENCIES.

SO, THE DEPARTMENT OF TREASURY IS RESPONSIBLE FOR BANKS AND THE FINANCIAL SECTOR.

THE DEPARTMENT OF -- I'M SORRY, THE DEPARTMENT OF TREASURY AND THE ENERGY -- DEPARTMENT OF ENERGY IS RESPONSIBLE FOR ENERGY SECTORS.

WE GRAFTED ON IN A VERY DISJOINTED, FRAGMENTED WAY, TO DISJOINTED AGENCIES.

AND IN CONGRESS, THE SITUATION IS EVEN WORSE.

THERE ARE OVER 80 COMMITTEES AND SUBCOMMITTEES WITH JURISDICTION OVER CYBER.

SO, THAT'S THE WAY IT'S GROWN UP.

NO ONE ON A CONGRESSIONAL COMMITTEE WANTS TO GIVE UP JURISDICTION TO ANOTHER COMMITTEE.

AND YETD,, TO YOUR POINT, THIS A NATIONAL PROBLEM.

THIS CUTS ACROSS OUR ECONOMY ALL SECTORS.

THE SOFTWARE AND THE KINDS OF COUPLE PEWTERS WE USE, THEY'RE ALL COMMON.

IF YOU'RE USING WINDOWS 10, A DRUG COMPANY OR A DEFENSE CONTRACTOR, IT'S THE SAME KIND OF PATCH TO WINDOWS 10.

IF YOU ARE USING SALESFORCE OR SAP OR A PAYROLL SYSTEM, IT'S LARGELY THE SAME.

SO, WE SHOULD HAVE A UNIFIED APPROACH IN THE WAY WE DEAL WITH THE VULNERABILITIES, BUT WE DON'T.

WE'RE JUST NOT SET UP THAT WAY.

SO, THE BIG QUESTION THEN IS -- IS IT POSSIBLE FOR US TO GET TO A UNIFIED APPROACH?

DO WE HAVE THE POLICIC E IKTICA DO WE HAVE THE RESOURCES, PHYSICAL RESOURCES, FINANCIAL RESOURCES, IT IS POSSIBLE FOR US TO GET THERE?

JACK, THAT'S THE QUESTION.

I GUESS THE GOOD THING ABOUT THE CYBER SECURITY PROBLEM, IF THERE IS A GOOD THING, IS THAT WE KNOW HOW TO FIX THE PROBLEM.

THIS IS NOT A MEDICAL MYSTERY WHERE WE CAN'T -- WE HAVE NO IDEA WHAT'S GOING ON OR WHY THE PROBLEM IS BEING CAUSED.

WE KNOW THE REASONS FOR CYBER INSECURITY.

WE UNDERSTAND THE TECHNOLOGY.

WE CREATED IT OURSELVES.

SO, WE KNOW HOW TO FIX THE PROBLEM.

AND IF WE LOOK AROUND THE WORLD AND WE SEE WHAT OTHER COUNTRIES ARE DOING, LIKE-MINDED COUNTRIES, DEMOCRACIES SIMILAR TO OURS, THE UNITED STATES, CANADA, OTHER COUNTRIES, THEY ARE ADOPTING A CENTRALIZED MODEL.

THEY HAVE ONE UNIT WITHIN THEIR NATIONAL GOVERNMENT THAT IS RESPONSIBLE FOR ENFORCING AND SUGGESTING UNIFORM RULES THAT APPLY ACROSS THE BOARD.

OBVIOUSLY THERE HAVE TO BE SOME ADAPTATION FOR INDIVIDUAL INDUSTRIES.

BUT THERE'S SOMETHING THAT WE PROBABLY COULD EMULATE HERE IN THE UNITED STATES.

GETTING THERE IS GOING TO BE AN ISSUE.

INDUSTRY IS GOING TO HAVE TO GET COMFORTABLE WITH THE IDEA.

IT'S GOING TO MEAN INCREASED REGULATION, PROBABLY A LITTLE MORE BUREAUCRACY.

THE BENEFIT WE GET IS A CENTRALIZED APPROACH, WHICH OVER TIME, WILL, A, CURE THE PROBLEM, OR LARGELY CURE THE PROBLEM, AND B, ACTUALLY BRING DOWN COST.

IT WILL BE A BETTER DEAL FOR OUR ECONOMY TO DO THAT.

LAST QUESTION FORRING YOU GOT ABOUT A MINUTE AND A HALF OR SO.

I SUSPECT THAT FOLKS THAT ARE WATCHING THIS AND LISTENING TO OUR CONVERSATION ARE SAYING, FIRST, I'M LEARNING A LOT OF THINGS THAT I DIDN'T KNOW BEFORE.

YOU'RE A WONDERFUL TEACHER.

BUT SECONDLY, THEY MAY BE SAYING, WHAT SHOULD I BE CONCERNED ABOUT, WHAT SHOULD I DO?

GOT ABOUT A MINUTE LEFT.

WHAT SORT OF ADVICE WOULD YOU GIVE?

TWO THINGS.

ON THE MACRO LEVEL, I WOULD SAY, TALK TO AS MANY PEOPLE AS YOU CAN, INCLUDING YOUR REPRESENTATIVES IN CONGRESS ABOUT THE NEED FOR US TO ADDRESS THIS AT A NATIONAL LEVEL AND TAKE IT SERIOUSLY.

I THINK THERE'S SOME MOMENTUM GOING ON IN THAT WAY, BUT EVERYTHING FROM CLUBS TO PROFESSIONAL ORGANIZATIONS TO LETTERS TO THE EDITOR WILL HELP GET THIS ISSUE MOVING.

AND THEN SECONDLY ON AN INDIVIDUAL LEVEL, WE SHOULD CERTAINLY PAY MORE ATTENTION TO CYBER SECURITY.

IF YOU HAVE AN EMAIL ACCOUNT, YOU SHOULD HAVE TWO-FACTOR AUTHENTICATION ON.

IF YOU DON'T KNOW WHAT IT IS, LOOK IT UP ON GOOGLE.

TAKE A COUPLE OF QUICK TRAINING COURSES ONLINE.

THERE ARE STEPS AN INDIVIDUAL CAN TAKE THAT ARE GOING TO BOOST YOUR SECURITY.

NOT MAKE YOU IMMUNE, BUT REALLY PUT YOU IN A MUCH BETTER POSITION.

THAT'S WHAT WE NEED TO DO.

GLENN GERSTELL, THANK YOU FOR HELPING US UNDERSTAND THIS AND WE LOOK FORWARD TO TALKING TO YOU DOWN THE ROAD.

BE WELL.

JACK, THANK YOU.