A new Stanford speaker series, "The Security Conundrum," explores how America can strike the right balance between security and liberty in a dangerous world. Nationally prominent speakers will engage in candid conversations on thought-provoking topics and issues.
In an age of terrorism and technology, fundamental questions have arisen about how a democratic society like the United States can find the right balance between security and liberty.
That's the puzzle behind a new Stanford speaker series, "The Security Conundrum," which kicks off at 7:30 p.m. Oct. 8 with Gen. Michael Hayden, the former director of the National Security Agency and the CIA.
The event, "Inside the NSA," is free and open to the public. It will be held at the CEMEX Auditorium, 641 Knight Way on the Stanford campus.
As part of the speaker series during the academic year, other nationally prominent experts will visit Stanford, where they will dive deep into conversations with campus experts.
On Nov. 17, journalist Barton Gellman will be the featured speaker. He is known for his Pulitzer Prize-winning reports on the 9/11 attacks and has led the Washington Post's coverage of the NSA. On April 10, Reggie Walton, the former presiding judge of the Foreign Intelligence Surveillance Court, will take the stage as the speaker. Also, U.S. Sen. Dianne Feinstein has agreed to participate, though the date for her appearance has not yet been scheduled.
Hayden on the rise of NSA surveillance
In conversation with Stanford scholar Amy Zegart, Hayden will provide an insider's account about the origins and development of the NSA programs. After the 9/11 attacks, at the request of the White House, Hayden intensified and expanded NSA wiretapping operations of various communications between Americans and terrorist suspects abroad in hopes of detecting and preventing another terrorist attack.
Hayden was the first principal deputy director of national intelligence (2005-2006) and director of the National Security Agency (1999-2005). He is a retired U.S. Air Force four-star general and is now a principal of the Chertoff Group.
Zegart, co-director of Stanford's Center for International Security and Cooperation and a senior fellow at the Hoover Institution, said, "There is no better place to engage in this kind of multifaceted, open inquiry than a university."
She noted that there is "no better university" to explore such an issue than Stanford – with its home in Silicon Valley and faculty involved in national security issues. She described the institution as a "trusted convener on issues of national importance."
Zegart said that after the NSA's widespread efforts at mass surveillance were revealed last year, she and CISAC Consulting Professor Philip Taubman envisioned a campus conversation examining the relationship between secrecy, security and liberty in the digital age.
"These are thorny and complex questions with wide-ranging and often strongly held views," she added.
"The Security Conundrum" is co-sponsored by Stanford's Freeman Spogli Institute for International Studies, the Center for International Security and Cooperation, the Hoover Institution, Stanford Continuing Studies, Stanford in Government and Stanford Law School.
The NSA and Silicon Valley
Each talk, Zegart said, will focus on a different issue and include a different expert. The idea is to go beyond the headlines to examine in depth NSA operations, legal issues, the media's role and the responsibility of Congress in overseeing intelligence gathering. Another topic is NSA's uneasy and evolving relationship with Silicon Valley.
The U.S. government's initial efforts in data collection – involving some Silicon Valley companies – were executed without a court order and, after being revealed by the New York Times, were subsequently placed under judicial review.
Over time, the NSA's efforts grew into the multidimensional programs exposed by Edward Snowden, including the collection and storage of phone and email metadata covering billions of calls and messages between American citizens.
Zegart said, "We designed 'The Security Conundrum' to be a speaker series rather than a one-off event so that each session could provide a deeper dive into one perspective at a time. I hope that each speaker in the series gets people talking and thinking about perspectives they might not have considered before."
Two-dozen congressional staffers joined academic and Silicon Valley experts at Stanford’s inaugural cybersecurity boot camp to discuss ways to protect the government, the public and industry from cyber attacks, network crimes and breaches of personal privacy.
The staffers listened to presentations from 25 business and technology leaders, as well as experts in privacy, civil liberties and intelligence during the three-day boot camp. They also took part in a role-playing exercise dealing with a cyber crisis, posing as staffers from the White House, Homeland Security, the State and Defense departments, as well as private enterprise.
The idea behind the workshop was to give Capitol Hill staffers the knowledge and contacts that will help them better craft legislation and policies on cybersecurity.
“We’re 3,000 miles away from Washington and we’re at ground zero for the tech revolution,” said CISAC Co-Director Amy Zegart. She is also the Davies Family Senior Fellow at the Hoover Institution, which co-sponsored the boot camp that ran from Aug. 18-20.
“The boot camp is an important early step in what we envision to be a continuing, leading and lasting cyber program,” said Zegart, co-convener with Herbert Lin, chief scientist at the Computer Science and Telecommunications Board, National Research Council of the National Academies, who joins Stanford in January as a senior scholar for cyber research and policy at CISAC and research fellow at the Hoover Institution.
Zegart had three goals for the boot camp. One was to bring together computer and social scientists across campus and across the country “to broaden and deepen our cutting-edge scholarship.”
Then, from the networking that naturally took place, Zegart hopes to create a Track II cybersecurity council that will convene regularly with leaders from the U.S. government, scholars and key stakeholders from the private industry.
“And finally, we want enhanced education programs not only for students here at Stanford, but key stakeholders for cybersecurity policy,” she said.
The presentations were videotaped and will be packaged and used for educational purposes at Stanford and eventually be made public online.
Some of the staffers said the boot camp exceeded their expectations and they were grateful for the jam-packed, 72-hour crash course in all things cyber.
“What Stanford has done really successfully here is they brought together people from D.C. who wouldn’t necessarily talk to each other, from different committees, from different sides of the aisle,” said Jamil Jaffer, Republican chief counsel and senior advisor to the Senate Committee on Foreign Relations. “Then from the valley community they brought lawyers, educators and technologists – you name it – from across the spectrum in a way that I’ve never seen before.”
He said he hoped CISAC and the Hoover Institution, which co-sponsored the Stanford Congressional Cyber Boot Camp, would convene the next boot camp with the New York business community as well.
“I think there’s a real opportunity to build bridges between these three major cities; I think we need to have these conversations together,” he said.
Staffers also exchanged views about the wide gap between the government and Silicon Valley tech companies with regard to privacy when they met with senior security chiefs at Google during a visit to the nearby Google X campus.
And there were plenty of lively debates about Internet security vs. privacy and whether the government should step in to police public networks.
Benjamin Wittes of Brookings and Hoover faced off with Jennifer Granick, director of Civil Liberties at the Stanford Center for Internet and Society at the Law School.
“Liberty is a feature of security – and security is a feature of liberty,” Wittes said. “So the urge to think that any security measure is going to negatively impact your liberty, or conversely that anything that augments online liberty is going to have negative implications on security is a very easy, and I would say, very lazy instinct.”
Granick countered by saying most professionals in Silicon Valley do not trust the government to police the Internet without secret hacks. For example, documents leaked by former NSA contractor Edward Snowden indicated the National Security Agency tapped into fiber optic cables transmitting data for Yahoo and Google.
“Last night you heard Eric Schmidt say that the NSA had hacked Google,” she said, referring to a keynote dinner conversation between the Google chairman and former Secretary of State Condoleezza Rice, a professor at Stanford's Graduate School of Business and a senior fellow at Hoover and the Freeman Spogli Institute.
The NSA has denied hacking into Google and Yahoo.
“Everyone here in Silicon Valley agrees with what he says,” she said. “Don’t fool yourself that he’s just saying that because that’s just Google marketing. Everybody at Twitter believes it; everybody at Facebook believes it. I am embedded in the privacy world and we’re all worried about consumer privacy and what these companies are doing with this information – but that doesn’t mean we trust the government to protect us.”
Aside from the government trust debate, other big takeaways were that surprisingly little is secure on the Internet and the threat of cyber attacks against the United States is one of the biggest issues facing Washington policymakers today.
They heard a warning in stark and unambiguous language from Jane Holl Lute, president of the Council on CyberSecurity and a consulting professor at CISAC.
"It's no longer possible to ignore this issue," said Lute, who until last year was deputy secretary for the Department of Homeland Security, where she was responsible for the day-to-day management of the department's efforts to prevent terrorism and enhance security. "Life online is fundamentally unsafe.”
She emphasized that the Internet is about "the power to connect, not to protect" and stressed the importance of practicing "cyber hygiene" to reduce problems. This includes monitoring the hardware and software running on a network, limiting administrative permissions, and real-time patching and monitoring of system vulnerabilities.
If organizations would just follow these steps, she said, 80 to 90 percent of cyber attacks would be prevented.
"We know a lot, but we're just not doing it,” she said.
Lute emphasized that today's world has an "existential reliance" on the Internet – more than 3 billion people in the world, including 80 percent of North Americans, have access to the Internet. All of this dependence comes against the reality that many companies and sites do not carry out basic hygiene to protect their networks.
The U.S. Senate and House staffers attending the boot camp come from both political parties and work on the U.S. Senate Select Committee on Intelligence and the Homeland Security, Appropriations, Judiciary, Energy and Commerce committees. The group also includes staffers working with House Minority Leader Nancy Pelosi, D-Calif., U.S. Sen. John McCain, R-Ariz., and Ed Markey, D-Mass., among others.
Senior executives from Microsoft, Visa, Palantir, Palo Alto Networks and U.S. Venture Partners had a robust discussion about how their companies battle cyber crime and share network data.
Ellen Richey, global head of enterprise risk for Visa, talked about her frustration with the international organized crime rings that attack financial institutions and credit card companies.
“And they’re using that money to finance other types of illicit activities, such as human trafficking, drugs and terrorism, yet their governments don’t go after them, or if they do go after them, they are released due to corruption in the courts,” Richey said.
She said Visa believes that at the end of the day, it’s not possible to adopt measures that are going to adequately protect against the growing threat of cyber crimes.
“So we believe that the ultimate answer for us is to get vulnerable data out of their hands,” Richey said. “You’ve got to shrink the battlefield.”
Facebook CSO Joe Sullivan addresses the boot camp, Aug. 20, 2014.
And the staffers heard a plea by Joe Sullivan, chief security officer at Facebook, to join them in the valley’s quest for better network security.
“The pace that we work at here in Silicon Valley is amazing. It’s exciting and fun to be a part of – but it’s really scary, too,” said Sullivan, a former federal prosecutor devoted to high-tech crime. “There are challenges that we have to deal with every day and we have to have really large and nimble security teams that are thinking about the next big thing before it launches.
“The question is: are government agencies thinking about these issues? Far too often – that is not the case. Hopefully when you go back to Washington you think about how we engage companies, how we engage with government agencies, think about the roles that we all play.”
Sullivan talked about Facebook’s “white hat” program, in which the social network invites users to find security vulnerabilities and report them for a bounty.
He said they have spent $3 million in the last three years in payouts to users around the world, such as the young Palestinian man who was able to hack into Facebook CEO Mark Zuckerberg’s page to warn him of a security flaw.
“We’ve focused on encryption, we’ve hired a lot of people and we’ve looked at data center traffic and all those things,” Sullivan said. “But one of the areas where I think we’ve tried to be at the forefront is about talking about security in a more open way.”
Sullivan said he believes there’s a “disconnect” when one talks about security between the private and public sectors and consumers.
“I feel like when the government talks about security, they’re talking about surveillance,” Sullivan said. “I think when consumers talk about security, they’re talking about safety.”
Sullivan said the big tech companies – Facebook, Microsoft and Google – must take “full ownership” of network security, though he wishes that were not always the case.
“We honestly don’t count on any government agency anywhere in the world to make the people who use Facebook secure,” he said. “We realize we have to do it on our own. Is that a good thing or a bad thing? I would suggest it’s a bad thing. I think we’d all like more help in securing our services.”
The atomic bombs had been dropped on Hiroshima and Nagasaki just before 18-year-old William J. Perry landed in Japan during the War of Occupation as a mapping specialist. He saw the devastation left behind by American firebombers on Tokyo and Okinawa.
The young man quickly understood the staggering magnitude of difference in the destruction caused by traditional firepower and these new atomic bombs. He would go on to devote his life to understanding, procuring and then trying to dismantle those weapons.
But that was seven decades back. And many young Americans today believe the threat of nuclear weapons waned alongside the Cold War and Cuban Missile Crisis.
So as faculty at Stanford and the Center for International Security and Cooperation evolve with the digital age by taking their lessons online, one of the university’s oldest professors is also adapting to online teaching in an effort to reach the youngest audience, urging them to take on the no-nukes mantle that he’s held for many years.
“The issue is so important to me that I tried all sorts of approaches from books and courses and lectures and conferences to try to get my contemporaries and the generations behind me engaged – all with limited success,” says the 86-year-old Perry, a CISAC faculty member and the Michael and Barbara Berberian Professor (emeritus) at the center’s parent organization, the Freeman Spogli Institute for International Studies.
“First – which is a sine qua non – they must become seriously concerned that there is a nuclear danger, which most of these kids don’t understand at all,” said Perry. “Secondly, we want to convince them that there is something they can actually do about it.”
To reach those students, he believes he must go digital. So Perry – who co-teaches with CISAC’s Siegfried Hecker the popular Stanford course, “Technology and National Security” – began to map out a classroom course that would be videotaped and serve as a pilot for an online class that would be free and open to the public.
That course, “Living at the Nuclear Brink: Yesterday & Today,” included lectures by some of the best people working in the field of nuclear nonproliferation today. Among those who will be highlighted in the online course are Perry and Hecker; Joe Martz of the Los Alamos National Laboratory; Stanford nuclear historian David Holloway; Stanford political scientist Scott Sagan; and Ploughshares Fund president, Joseph Cirincione.
The Perry Project will produce short-segment videos highlighting key information and stories from the course, packaging them in an online course available in multiple platforms and possibly offered by the university.
Perry used his personal journey as a young soldier during WWII, a mathematician and later a developer of weapons for the U.S. nuclear arsenal as undersecretary of defense for the Carter administration – and then trying to dismantle those weapons as secretary of defense for President Bill Clinton.
“I’m not doing this simply because I want to put a notch on my belt, to say that I’ve done a MOOC,” Perry said. “I’m doing it because I really want to get across to hundreds of thousands of young people.”
Last summer, he launched the Perry Project by inviting a dozen high school and college students to campus for a nuclear weapons boot camp so that they could take back to campus the message that nuclear annihilation is still a real, contemporary possibility.
He asked them: How do I get through to your generation?
“They said, ‘We don’t get our information by books or even by television, we get it through social media and YouTube, the various social media platforms. And you want to make the message relevant and relatively compact,’” he recalls.
Perry listened. “Living at the Nuclear Brink: Yesterday and Today” is in production now and a short-segment pilot video should be made available in the fall.
And lectures from CISAC's signature course, “International Security in a Changing World” (PS114S) will soon go up on YouTube as lecture modules entitled, “Security Matters.”
“Online learning offers a way to expand CISAC's reach to new audiences, geographies, and generations,” says CISAC Co-Director Amy Zegart, who has co-taught the popular course for the past few years with CISAC’s Martha Crenshaw.
“At the same time, the PS114 online modules will give us a living lecture library so that future Stanford students can compare faculty lectures on similar topics across time – learning, for example, how Martha Crenshaw assessed the terrorist threat in 2010 vs. 2015,” Zegart said.
Guest lecturers whose presentations will be included in the YouTube package:
Jack Snyder of Columbia University: Democratization and Violence
Francis Fukuyama of Stanford: The Changing Nature of Power
Zegart: Understanding Policy Decisions: The Cuban Missile Crisis
Scott Sagan of CISAC: The Nuclear Revolution; and Why Do States Build/Forego Nuclear Weapons?
Abbas Milani, director of Iran Studies at Stanford: Historical Perspective on Iran
Former FBI Director Robert Mueller: the FBI’s Transformation Post 9/11
U.S. Army Lt. Gen. Karl Eikenberry (Ret.) and former U.S. ambassador to Afghanistan: The War in Afghanistan and the Future of Central Asia
Jane Holl Lute, former deputy secretary of Homeland Security: Emerging Threats in Cybersecurity
Perry: Security Issues in Russia, Yesterday and Today
Brad Roberts, former U.S. Deputy Assistant Secretary of Defense for Nuclear and Missile Defense Policy: Ensuring a (Nuclear) Deterrence Strategy that is Effective for 21st Century Challenges
CISAC Co-Director David Relman: Doomsday Viruses
And lectures at CISAC’s Cybersecurity Boot Camp for senior congressional aides will also be videotaped and packaged for YouTube and online consumption later this year.
“We are excited to enter into this phase of experimentation to see what works, what doesn't, and how we can further CISAC's teaching mission both here at Stanford and around the world,” Zegart said.
Abstract: Zero-day exploits (ZDEs) are programs that make use of newly-discovered software vulnerabilities to allow attackers to break into and manipulate information systems. A market for software vulnerabilities and exploits has developed, with military and intelligence agencies sometimes paying over $100,000 for exploits and software vendors offering bounties for their disclosure. Labeled a ‘digital arms race’ by some, it is generating a transnational debate about control and regulation of cyber capabilities, the role of secrecy and disclosure in cybersecurity, the ethics of exploit production and use, and the implications of trading software vulnerabilities for a secure and reliable Internet.
This research applies concepts and methods of science and technology studies (STS) and institutionalism to the debate over the production, sale and regulation of ZDEs. The goal of this research is to advance understanding of the way discourses are related to the emergence of governance institutions. The work also sheds light on the socio-technical and economic consequences of efforts to control software vulnerabilities and exploits, and make more transparent applications of ZDEs and cyber capabilities.
This talk will report on the ongoing dissertation work and explore how the discourse on software vulnerabilities and exploits is co-produced along with new institutions and practices in cybersecurity.
About the Speaker: Andreas Kuehn is a Ph.D. Candidate in Information Science and Technology and a Fulbright Scholar at Syracuse University. He joined CISAC as a Zukerman Cybersecurity Predoctoral Fellow in October 2014. Before joining Stanford, he was a visiting graduate student at Cornell University’s Department of Science & Technology Studies.
In his dissertation research, Andreas examines the discourse and the emerging institutions in cybersecurity with a particular focus on software vulnerability and exploit markets. The trade with exploitable security flaws in software and their use in cyber attacks has sparked a controversy about the control and regulation of information technology, and the role of secrecy and disclosure in achieving cybersecurity. While at CISAC, Andreas is conducting qualitative, empirical research on cybersecurity institutions.
His broader research agenda is informed by Science and Technology Studies and Internet Governance to study emerging technology and its relation to privacy, security, and surveillance. Previous research included an NSF-funded project on deep packet inspection technology (DPI) and its implications on Internet governance (www.deeppacket.info), and the use of information technology in the public administration (e.g., enterprise architecture, standardization, interoperability).
Andreas worked in various research positions for the Austrian Ministry of Finance, the Swiss E-Government Institute, the Swiss Federal Office of Communications, and the Malaysian National Advanced IPv6 Centre of Excellence. The Austrian Computer Society awarded him an eGovernment Innovation Award for his research on multidisciplinary actor coordination and collaboration in large-scale public ICT efforts. Andreas holds an M.Sc. in Information Systems from the University of Zurich, Switzerland, and an M.Phil. in Information Science and Technology from the School of Information Studies at Syracuse University. He is originally from Zurich, Switzerland.
Location: Encina Hall (2nd Floor)
Speaker: Andreas Kuehn, Zukerman Cybersecurity Predoctoral Fellow, CISAC
Abstract: Organizations face a range of cyber threats including spammers, lone hackers, and advanced nation states. Significant uncertainty surrounds how to best secure organizations, and the relative value of different safeguards such as intrusion detection, two-factor authentication, and full disk encryption is unknown. In this talk, I will summarize results from a data analysis performed on a data set from a Research and Development Center and present stochastic models to assess risk in organizations.
About the Speaker: Marshall is a predoctoral science fellow at CISAC. He is a PhD candidate in Management Science and Engineering at Stanford University, concentrating in Risk Analysis. Marshall studies quantitative models for cyber security in organizations. He is interested in developing probabilistic modeling techniques to improve decision making regarding defense against cyber threats.
Marshall has a diverse background spanning many fields, including modeling cyber security for the Jet Propulsion Lab, developing trading algorithms with a high frequency trading company, researching superconducting materials at UIUC, and modeling economic and healthcare systems with the Complex Adaptive Systems of Systems (CASoS) engineering group at Sandia National Labs. Marshall is also the Co-President of the Stanford Complexity Group.
Marshall holds a B.S. in Engineering Physics from the University of Illinois at Urbana-Champaign.
Jonathan Mayer's education path is unusual: He has earned a Stanford law degree while working on his Ph.D. in computer science. He did research with a fellow doctoral candidate to discredit NSA claims that sensitive information about American citizens cannot be gleaned in the "metadata" the spy agency gathers from millions of phone calls.
Law and computer science both have their codes, but they're disparate. Legal code is often fuzzy and qualitative. Computer code is precise and quantitative. Not surprisingly, law and computer science tend to attract different people. It's not that the twain shall never meet; it's just that they seldom do.
Mayer is the exception. He has received his law degree and is completing his PhD in computer science, both at Stanford. Along the way he has aimed his double-barreled expertise at the National Security Agency's practice of collecting various forms of electronic information, including telephone metadata of Americans: the phone number of every caller and recipient, the unique serial number of the phones involved, the time and duration of each phone call.
Working with fellow Stanford computer science doctoral candidate Patrick Mutchler, Mayer proved that the NSA was wrong when it claimed that its analysts could not tease detailed personal information from phone metadata searches.
"Phone numbers, as it turns out, aren't just phone numbers," said Mayer, who is also a cybersecurity fellow at the Center for International Security and Cooperation. "They're an avenue for finding out detailed information about individual citizens."
Aleecia McDonald, the director of privacy for the Center for Internet and Society at Stanford Law School, said Mayer's research irrefutably demonstrated that phone metadata is anything but trivial.
"The lovely thing about Jonathan's research is that it made the sensitivity of phone metadata concrete," McDonald said. "The country was told that phone metadata were not worth constitutional protection, and now Jonathan's research confirms otherwise."
McDonald said Mayer's research confirmed the sense of unease felt by many Americans, which could have ramifications beyond the current metadata debate.
"Mobile phones are basically tracking devices, but in addition to geographic data, Jonathan showed you can obtain rich information on daily lives and associations," she said. "This speaks directly to strongly protected privacy issues. No one is calling for stopping all surveillance, but these new dragnet programs essentially treat everyone as criminals and terrorists all the time. People are wondering if they can trust government on anything, and that's dangerous."
Mayer talks to CBS News about his metadata project
Mayer's ability to have significant public impact while still a young academic stems directly from his unusual combination of legal and computer acumen, according to John C. Mitchell, the Mary and Gordon Crary Family Professor in the School of Engineering and Stanford vice provost for online learning. Mitchell, who is Mayer's adviser, is a professor of computer science and, by courtesy, of electrical engineering.
"That ability to apply high technology to legal issues, to understand both fields so deeply – well, not many people have those skill sets," said Mitchell. "In fact, he seems one of a kind. We're lucky to have him working on these issues. I don't know anyone else who could do it."
Go 'geekward,' young man
Mayer traces his interest in computer science – his "geekward leanings," as he puts it – to his childhood in Chicago, where he logged a lot of time on his family's Apple IIGS computer. Once, when he received an elementary school writing assignment, he developed a web page instead. This was in the early stages of the World Wide Web, and his accomplishment engendered both respect and confusion.
As his facility with computers grew, he became increasingly interested in security issues. This was sometimes expressed in unorthodox – even mischievous – fashion. He couldn't help but hack.
One holiday, he recalled, he received a Radio Shack watch that had a TV remote control feature. After fiddling a bit, he discovered that by setting the frequency for a Sony TV, pointing his device at the infrared port on certain Apple computers and hitting channel change, he could force the computer to reboot.
"My school used those kinds of computers, so I spent quite a bit of time pushing channel change when kids were on the computers at school," Mayer said. "They were mystified. I have to admit it was fun, but it also got me thinking about computer vulnerabilities."
Computer science quickly became a focus for Mayer during his undergraduate studies at Princeton. But he also developed interests in public policy and politics – subjects that had previously struck him as dreary.
"They just seemed somewhat vapid and tedious," Mayer said. "But my roommates were intensely interested in policy and politics, and they gradually won me over. I saw that both are viable paths for implementing change, for getting real things done."
His faculty adviser, Princeton computer science and public affairs Professor Ed Felten, reinforced that. Mayer's senior thesis reflected the merging of his interests: It was about web privacy – balancing computer science research with law and policy issues.
Taking dual paths
After graduating from Princeton in 2009 with a degree in public policy, Mayer came directly to Stanford with the intention of becoming, as he tells it, the first student to simultaneously pursue a JD in law and a PhD in computer science (CS).
"I wasn't going to do law and policy lite or CS-lite," Mayer told the Stanford Daily in February. "I was going full in on both."
Among his successes on the legal front: He was recently asked to teach a class at Stanford Law. The seminar explores the legal ramifications of security and privacy in the technology sector, emphasizing "areas of law that are frequently invoked, hotly contested or ripe for reform," according to the course overview.
He finds his new instructor role rewarding: "I get a kick out of the fact that I'm an engineer teaching law at Stanford."
His legal accomplishments notwithstanding, Mayer's computer science efforts – particularly his metadata research – have made more of a public splash. And as so often happens at Stanford, it all started with a conversation among peers.
"Patrick [Mutchler] and I were talking with our adviser [Mitchell] shortly after the Edward Snowden revelations," Mayer recalled. "We were really intrigued by the NSA's programs, especially all the claims and counterclaims about phone metadata. There was a lot of conjecture at that point but very little scientific clarity. So we thought we'd try to bring some focus to bear."
But Mayer and Mutchler found it difficult to acquire the metadata. While the NSA could harvest it directly from telecommunications companies, the Stanford doctoral students had to solicit phone records from the public.
"We realized we might be able to get metadata voluntarily through crowdsourcing," Mayer said. "So we posted an explanation on a Stanford website and provided an Android app that allowed people to send us their data. Crowdsourcing is a pretty risky basis for research, of course, because you never know what you're going to get. We would've been very happy with 100 responses – instead, we got about 500, and we were off to the races."
Metadata was revealing
Again, this innovative tactic took root in the confluence of legal and computing expertise.
"Building and distributing the app was within the capabilities of many computer experts, but its application was very clever," Mitchell said. "The rationale was: 'We would like to see what the NSA sees, but we don't want to behave like the NSA. So how do we do that?' Seeking volunteers willing to provide their phone data and devising and distributing the app was an extremely creative, sophisticated – and effective – approach."
In the course of their analysis, Mayer and Mutchler derived many revealing inferences from the metadata that show who called whom, when, from where to where and how often. For example, they could determine where the subjects lived and worked, and could see some intimation of relationships between the volunteers.
In some cases, the researchers were able to identify who was dating whom. One volunteer contacted a pharmaceutical hotline for multiple sclerosis patients, a management service for rare medical conditions, a specialty pharmacy and several neurology medical groups. Another called several locksmiths, a hydroponics dealer, a head shop and a home improvement store.
Those findings, Mayer drily observed, debunked the NSA's original assertions that phone metadata were impenetrable.
"It gave us pause," he said. "It was pretty clear that we could tease out more sensitive information with some elbow grease."
The findings have caused headaches for the NSA, and Mayer sees waning support for the agency's aggressive pursuit of private information. A number of high-profile cases on metadata are either pending or wending their way through the courts, and the entire program is up for renewal, or cancellation, in 2015. In May, the U.S. House of Representatives passed legislation to halt the National Security Agency's wholesale collection of domestic phone records. Sen. Dianne Feinstein, the chairwoman of the U.S. Senate's intelligence committee, signaled she is amenable to supporting a companion bill.
What's Next?
Mayer, who has received his JD and recently passed the California Bar Exam, expects to complete his computer science PhD in 2015. And after that?
"I would like to go to Washington, to try to bring technical rigor to federal policy," Mayer said, "though I'm aware there's always the danger of sinking into the political morass in that town. I'm working on a start-up NGO that I hope can bridge D.C. and Silicon Valley. In the interim, I just enjoy teaching at the law school."
Glen Martin is a former San Francisco Chronicle reporter based in Santa Rosa, Calif.