
Podcast: Why the Solarwinds Cyberattack Was Inevitable




Listen:


Highlights:

David Sanger: So one of the things about the Biden administration is that they're willing to discuss SolarWinds as an attack, in part because it didn't happen on their watch. It happened on the Trump administration's watch, and, by the way, I'm not blaming President Trump for that; Sony and the Office of Personnel Management, all that happened on Obama's watch, and Obama-Biden. What is interesting, though, is that President Trump, in his one comment on SolarWinds, tried to say, well, maybe it was the Chinese. And then immediately the intelligence community came out and said, no, it wasn't the Chinese, in fact, uh, it was likely the Russians, which is exactly where the White House left it yesterday. They didn't take the attribution any further. They haven't pushed it any further. They did say that there were nine government agencies who were hit; they have not done a final count of how many corporations were hit. What's really interesting about this attack, I find, is two things: first, the Russians knew better than to attack us from Russia. In fact, to evade US intelligence, they came and engineered the entire thing from the United States. SolarWinds is a Texas company, and they got into the software that does the updates. And for those of you who are wondering about what that means, just remember that, you know, your cell phone updates at night, right? You put it in and you put it next to your bed, and overnight you see that some new version of the operating system has been loaded in, and unless you're Nicole, you probably don't check every line of the code that came into your phone to make sure that it didn't introduce a new malware into your phone. I would bet even Nicole doesn't do that in the morning. So the Russians did that, and then, once SolarWinds loaded their software into the computer networks of companies across America and government agencies, including the New York Times, which uses SolarWinds software, then they were in those companies without going through your passwords, without trying to go break into the system. SolarWinds would take it into the system, because SolarWinds software was network management software. So that was the brilliance of this thing. And then it beamed out to a command and control center, not back in Russia, but command and control centers that Amazon and GoDaddy ran in the United States. So at the White House briefing, Neuberger, formerly of the National Security Agency, now the deputy national security advisor for cyber, a new position in the White House, said that they were going to have to basically redo their systems to account for the fact that the US intelligence community is not allowed to look inside the United States, for all kinds of good personal privacy reasons. Our intelligence community can only look outside. And what happened, in this case, was that the Russians knew this, turned our own privacy laws against us, and operated completely from inside the US, which gives you an idea what a new kind of problem we're facing.

Nicole Perlroth: The other thing I would just say, just listening to that remark, David, is we are definitely in a game of chess with Russia, if indeed this is Russia. And they have our number. You know, when you covered the 2016 election attacks, what always struck me about that is the intelligence even showed Russia was an event. It blew Russia's minds how successful that attack and those information and disinformation campaigns were. They got our sweet spot by tapping into America's polarization and divisions. And now, once again, they've gotten into our sweet spot by brilliantly exploiting the seams in our defenses and our own privacy protections. So how do you respond to an attack like this, and also deterrence? I mean, we are finding out every day with this attack just how failed our deterrent strategies have been. We've tried sanctions, we've tried indictments; David and I both covered attacks by Cyber Command on the Russian grid. You know, perhaps deterrence shifted the Russian priorities away from our election, but they are now inside our federal IT network. So to me, it seems the most interesting conversations inside this new administration right now will be: how do you deter future attacks like this? And I don't think there will be any easy answers.

David Sanger: The United States has been involved in, let's say, there are a couple of similarities and many, many major differences here. So the first is the obvious one: people tend, usually wrongly, to do nuclear analogies with cyber. And that doesn't really work. But the one area where it does work is that we thought, starting in 1945, that we had a huge lead over the rest of the world in nuclear weapons. And actually, in the late forties, Harry Truman had a memo on his desk saying the Soviets were at least a year away from a nuclear weapon, and they tested the weekend that he got the memo. We really had underassessed how much progress they'd made here. We are 75, nearly 76, years after Hiroshima, and only nine countries have nuclear weapons capability. Right now it's actually a smaller number than Kennedy and others suspected there would be. But when I was finishing up The Perfect Weapon two years ago, I think we counted about 35 nations that had the ability to do a sophisticated cyber attack on the United States. And that's because, unlike nuclear, this is much more widely available. It's available not just to governments, but to terror groups, to criminal groups, and it's criminal groups that have done all, use zero days and other things to do ransomware and so forth. It's available to teenagers, and we all know how dangerous they are. That tells you that all of the usual ways that we had to deter attacks in the nuclear age simply don't apply to what Nicole just described. There's also a knowledge gap, you know. Even during the Obama administration, a pretty tech-savvy administration, it astounded government officials who were trained, as I was, in traditional conflict between nations and traditional arms, that this whole market existed, that you could be a small power like North Korea or Iran, or a larger one like Russia and China, and use this as a short-of-war weapon that could degrade the power of the United States and yet calibrate it in a way that it does not lead to a military conflict. It's a short-of-war weapon; if we broke out into open war, cyber would be a big piece of it, but used every day, it's short of war. And that's why it's so much more useful than nuclear weapons. Think: if you've got nuclear weapons, you can't really use them, because you know what will happen an hour later, but if you have cyber weapons, you've got a pretty high confidence that if you moderate your attack and calibrate it just right, you're probably going to pay a very small price, if any price at all. And that's the SolarWinds dilemma. If they were just spying on us, if they were just stealing emails and so forth, well, we do that too. If they were putting in back doors because they want to go attack us, well, as Nicole has just described, we basically did a supply chain attack to get after the Natanz nuclear enrichment site, we've done supply chain attacks to make North Korean missiles blow up, we've done supply chain attacks to slow down the Iranian missile program. And so setting some global rules here would require us to basically agree that we too are not going to be using some of these weapons. And that's not really where Cybercom or the National Security Agency is right now, because they want to give a president of the United States, whoever the president is, as many options as they possibly can. And if they could go into the president and say, hey, we can use a few zero days of the kind that Nicole describes in her book to turn off the power in Tehran, well then maybe we won't have to bomb Tehran. And wouldn't that be a significant improvement over causing the kind of casualties that you would if you had to level an entire city? That doesn't mean you wouldn't have any casualties. You turn off the electricity, people are going to die in nursing homes and hospitals and people shut into their homes, but probably not on the scale at which they would in a traditional military campaign. So Nicole, where's this headed? If, if the Biden administration called you in and said, we all just read your book and we understand we've got a huge problem here, but what is it that you would do, both on the offense and the defense side, to make this, to make us more secure? What would that combo look like?

Nicole Perlroth: I think we have, we, we have exhausted some of our offensive options here. We have already used cyber to enshrine critical infrastructure as a legitimate target. We have been hacking into the Russian grid, as you and I disclosed to New York Times readers a few years ago. Um, we have been hacking the Russian grid, and we have been making a loud show of it as a sign to Russia to say, hey, if you're going to hack into our grid and our nuclear plants, know that we have also hacked into yours. And if you turn the lights off here, we will turn the lights off there. Um, and then in terms of diplomacy, I've already said, you know, we've, we've somewhat exhausted our options here. Sanctions, indictments, naming and shaming, uh, have not stopped Russia or Iran or North Korea or China from resuming their cyber attacks on the United States. We are in a very precarious position right now; everything that could be intercepted in the United States has been, our personal data or intellectual property. Our power plants, our nuclear plants, our hospitals are being held ransom almost every other week by cyber criminals, many of them in Russia. So what do we do here? And, you know, this idea that we're going to come up with international norms is a very interesting, nuanced conversation, because, as David mentioned, we don't want to handcuff ourselves. Also, most of the cyber attacks that come out of the United States come out of Cyber Command, and the espionage operations come out of NSA. We don't have the luxury here of tapping a Google engineer on the shoulder at night and saying, hey, you're coming with us tonight. You know, we, we direct our own cyber attacks. That is not the case in Russia and China and Iran. In Iran, we know from indictments that they rely on a satellite system of contractors these days to pull off a lot of their attacks. In China, some of the most sophisticated attacks no longer come from the PLA anymore. A few years ago, David and I revealed the unit known as 61398, which was working out of Shanghai and conducting thousands of attacks on U.S. companies and think tanks, uh, diplomats. But these days the most sophisticated of the attacks out of China don't come from the PLA or even the Ministry of State Security anymore. They come from this satellite network of contractors, and in Russia it's a little different, but similar. There is, some call it, a pax mafiosa between the FSB, the Soviet intelligence, and Russian cyber criminals. They say, you know, Putin has only two rules for his cyber criminals: don't hack inside the motherland, and when we call in a favor, you do what we ask. And we saw this in indictment form in the Yahoo, uh, attack a few years ago. When they finally named who was behind that attack, it was two Russian cyber criminals who broke in and profited off of a lot of the data and passwords they were stealing. And then it was two FSB agents who said, you know, if you find a really interesting, uh, account that belongs to a White House staffer, pass that over to us. And so what these countries have that we don't have is a larger degree of plausible deniability, because even if Putin agreed to cease attacks on our critical infrastructure, if a Russian cyber criminal hacked into our critical infrastructure and we tied it back to that cybercriminal, Putin could just as easily say that wasn't us. Or, as he put it a couple of years ago, he said, you know, Russian hackers are like artists. They just wake up in the morning and start painting. So, you know, we're really, we're really at a disadvantage here when it comes to international norms. So where I chose to focus in my book is on defense. What can we do at the individual level, at the business level, at the government level, to lock down our systems? And unfortunately, offense has always been more fun than defense. Defense is grueling. It's boring. It requires things like two-factor authentication and using a password manager and not clicking on links, and at businesses, it requires slowing down getting your product to market and making sure that all the code is locked up, so you're not rolling out vulnerable code riddled with zero days to Teslas and critical infrastructure and our personal data and iPhone and Android systems, and at the government level.

