The Daily - Hacked, Again
Episode Date: December 16, 2020

Undetected for months, sophisticated hackers working on behalf of a foreign government were able to breach computer networks across a number of U.S. government agencies. It's believed to be the handiwork of Russian intelligence. And this is far from the first time. Today, why and how such hacks keep happening and the delicate calculation that dictates how and if America retaliates.

Guest: David E. Sanger, a national security correspondent for The New York Times.

Background reading: In one of the most sophisticated and perhaps largest hacks in more than five years, email systems were breached at the Treasury and Commerce Departments. Other breaches are under investigation. The sophistication and scope of the attack have stunned experts. About 18,000 private and government users downloaded a Russian-tainted software update — a Trojan horse of sorts — that gave its hackers a foothold into victims' systems, according to SolarWinds, the company whose software was compromised.

For more information on today's episode, visit nytimes.com/thedaily
Transcript
From The New York Times, I'm Michael Barbaro. This is The Daily.
Today, the operation went undetected for months, giving foreign agents access to the inner
workings of American government. My colleague, David Sanger, on who was behind the attack and why it keeps happening to the U.S.
It's Wednesday, December 16th.
U.S. officials believe Russia is behind a massive cyber attack targeting the U.S. Treasury and Commerce Departments.
Sources say it may be one of the biggest and most sophisticated hacks in years, and it may have been launched in the spring.
Hackers appear to have accessed sensitive information as far back as March. U.S. officials are scrambling to try to figure out what data was taken,
what other departments may have been breached.
The actors behind this campaign gained access to numerous public and private organizations around the world.
One government official telling Reuters, quote,
this is a much bigger story than one single agency.
This is a huge cyber espionage campaign targeting the U.S.
government and its interests. David, tell me about this attack. Well, Michael, we're still learning
a lot and there's a lot we have to say we don't really know yet. But here's what we have pieced together. Sometime around March, a very sophisticated group
of hackers who clearly worked for a nation state, we believe Russian intelligence, broke into the
computer systems of a range of U.S. government agencies, the Treasury, the Commerce Department, the Los Alamos National
Laboratory, which makes nuclear weapons and designs them, the State Department. But at the time,
no one saw any of this. And so as we've been able to go reconstruct it in recent days,
it looks like one of the reasons we missed it was that it was an incredibly
sophisticated approach in which the hackers didn't go right after those different institutions,
didn't try to get directly into their networks. But instead, they got into a kind of software
that government agencies, Fortune 500 companies, the New York Times all use.
It is software made by a company called SolarWinds in Texas. Most consumers have never
heard of them. I had barely heard of them until a few days ago. And what they make is network
monitoring software. So it's a real sort of backroom engineering thing.
But the brilliance of attacking through this software is that you're essentially getting
into the supply chain that feeds the rest of the U.S. government and corporate America.
And so you don't need to break into companies or agencies. If you can get into this software, it will take you into the government agencies.
What do you mean?
So imagine, Michael, that this wasn't a cyber attack, but it was in the physical world,
and you were trying to take out a bunch of tanks that were being produced for the army.
One way to do it would be to try to creep into the tank factory and, you know, sabotage the parts. But you might get caught, and if you got caught,
you'd probably either get shot or arrested. Wouldn't it be easier to get into the much
smaller company that feeds ball bearings to the tanks and make sure that all those ball
bearings were flattened on one side. So you've been a lot more effective and you've taken a lot
less risk. So these hackers got into the ball bearings of these government agencies' online
presence. They got into SolarWinds, the ball bearing in the metaphor, and they screwed data. That's right.
So once they got into this SolarWinds network monitoring software that nobody usually pays
attention to, except if you're an IT engineer sitting in the back room, then they suddenly had
tremendous access throughout the system.
And if they were careful about it, they could keep that access without getting caught.
David, why are we convinced that this was Russian hackers? Did they leave behind any
evidence that allows us to say, ah, those are the marks of Russia?
Well, a few things.
First, the skill level.
This was done with a precision and with an understanding of the systems
that 97% of the world's best hackers
wouldn't have the time or the resources to pull off.
The second thing is they use certain techniques that have been seen before by the Russians.
It had the markings not just of the Russians, but of a particular intelligence agency within Russia
called the SVR. This is the group, a successor to the old KGB from Soviet days,
that is out there mostly for espionage purposes. That said, it's entirely conceivable that a few
months from now we could come to a conclusion that the early findings were wrong. But nobody
that I've spoken to in either the government or the private sector seems to have a whole lot of doubt
here. So what did these presumed Russian hackers actually take or look at? Do we know at this point?
So, Michael, that's what everyone wants to know. And it's the biggest mystery right now.
Mm-hmm. We do know that the Russians were into the email systems at the Treasury Department
in one particular agency of the Commerce Department that deals with technology and internet issues.
We know that they were into the State Department, where in the past they have broken in before
and have obviously interest in both diplomatic communications, but also trying
to find diplomats who may be undercover as spies. We know that they were inside the Los Alamos
nuclear laboratory and their interest there is clear. That's the place where we design new nuclear
weapons, think about cyber issues and encryption issues and so forth.
So this sounds like classic espionage, and it sounds like a pretty bad case of it.
If you're in the United States, Russia rooting around in highly sensitive corners of agencies
and getting the kind of information that any government zealously seeks to protect.
That's absolutely right.
And let's face it, this is highly embarrassing for the world's greatest cyber superpower, right?
And so I can imagine that the Trump administration,
in its last five weeks in office,
isn't especially interested in admitting that under their watch,
whole departments of government got cleaned out.
David, at the beginning of our conversation, you said this attack had begun in March, but we have only just seemed to learn about it a couple of weeks ago.
Which, if I'm doing my math correctly, suggests that Russian hackers have been rooting around in our government systems for like eight or nine months, which is a really long time.
So why did it take so long?
Well, that's a really great question, Michael. And part of the answer, I think, is a technical one, that the U.S. government has basically set up sensors throughout its own networks looking for hackers coming in or trying to steal passwords and so forth.
But none of that got set off here.
And the reason for that is they had gotten into this software that was legitimately considered a part of the U.S. systems.
Right.
And then there may be one other thing, Michael.
It could have been the distraction of the election.
What do you mean?
Well, for the past year,
the National Security Agency, General Paul Nakasone, who also runs United States Cyber
Command, has said his number one responsibility was to protect this election against foreign
attackers. And so he was looking for attacks on the election networks, on the registration systems, on voting machines, on the way to retaliate.
Right?
A legitimate thing to do given what's happened in recent times.
So they were all looking over here.
And maybe the Russians, who understood exactly what we were doing, thought this would be a great opportunity to go rob the bank while
the police are down the street trying to stop a riot. But on a more serious note, look, there's a
reason that I call this the perfect weapon. It's dirt cheap. It's virtually invisible.
It lends itself to highly skilled engineers who could be working half a world away and don't have to physically enter your territory.
It's what makes cyber attacks so hard to defend against.
And it's the reason that cyber has become the primary way, the primary way that countries seek to undercut each other's power in various forms. And for the Russians, you know, they've been doing this for a quarter century.
There's a long history of this. It's just that they're getting better and better and better.
And if there's one lesson from all this, Michael, it's that American defenses,
that is both the ability to deter attacks from happening and deal with them when they do,
has not been anywhere near as effective as it needs to be.
We'll be right back.
David, you just started to hint at this, but where does this presumed Russian cyber attack fit into the history of Russian cyber attacks against the United States?
Well, there's a long history here, Michael.
But, you know, it really starts in the mid-1990s when there was an attack called Moonlight Maze
in which the Russians got into the Colorado School of Mines
because they figured out it was connected
to a whole bunch of military bases.
And when the United States saw this, what did they do?
Well, not much, other than recognize they had a problem
and began to build what ultimately became U.S. Cyber Command.
And then if you speed ahead to say around 2008,
there was a famous case in which the Russians sprinkled the parking lot
of a big base in the Middle East with USB keys,
you know, those kinds that you get at conventions and hotels and so forth.
And U.S. service personnel would pick these things up and say,
oh, I've got a free USB key.
And they would walk it into the base where the computer system was separated from the Internet.
And they would put the USB key into the computers,
and of course it would download malware
and begin to drain out some of our most classified communications.
What was the response to that?
They got some super glue,
and glue closed the USB ports on their desktop computers.
But what about retaliation against Russia?
There wasn't really retaliation because the sense was this was espionage and everyone
does espionage.
And then came the third big attack in 2014, 2015.
The Russians went into the unclassified emails at the White House,
the State Department, the Joint Chiefs of Staff. And again, the Obama administration didn't even
call the Russians out by name. They sort of hid who was doing this, even though they were trying
to fight them and get them out of the system. And the Russians kept coming back just to sort
of show they could. But they didn't pay a price for it.
And as a result, you know, Vladimir Putin figured, well, if they're not going to defend the White House, who's going to defend the Democratic National Committee, which is, you know, basically run by college kids?
We're tracking another major story tonight, a case of cyber espionage targeting the Democratic Party.
Right. This is arguably the most consequential hack of all of the actual
DNC by Russian hackers and their attempt to interfere in the election. Interesting question
of whether it's the most consequential or whether it was just the most public. An email scandal
forcing Florida Congresswoman Debbie Wasserman Schultz to step down as party chair. The leaked
messages implying the DNC favored Hillary Clinton over Bernie Sanders.
Which led to the resignation of the head of the party.
WikiLeaks has released another batch of emails from Clinton campaign chairman John Podesta.
Ultimately, you read emails in which Hillary Clinton's staff is exchanging notes about what a terrible candidate she is.
Now Clinton's team is mocking Hillary herself, saying even she doesn't know how
liberal she is. So that was a change of tactic. At that point, they weren't just doing espionage,
they were trying to go use it for political effect. But the pattern here seems to be very clear.
Russia commits a cyber attack against the United States, and the response is not very robust. And so Russia becomes
emboldened and its attacks get even bolder. So why isn't the United States doing whatever it
could possibly do to punish Russia in a way that would say, don't ever do that again?
Well, part of the reason is trying to control the escalation along the way.
And there's always been a great hesitance in the United States that if you push things too far,
if you come back with a disproportionate response,
you're suddenly escalating into what could be a much larger conflict.
And everyone's always been cautious about that.
Now, that is an understandable prudence,
especially when you're dealing with nuclear powers like Russia or China.
But it also creates a gray space in which your adversaries think, well, if we just avoid taking out all the electric power
from Boston to Washington or
Seattle to L.A., no one's going to bomb us. Instead, they're just going to do some cyber
stuff back to us and, you know, we can get away with this. So the problem is we had a failure
of deterrence. And the big public admission of this came in March of 2018. Our meeting would
come to order. The committee meets today.
When Paul Nakasone, the head of the NSA,
was up for his confirmation hearing.
General Nakasone, I want to start with you.
You know, we've had a number of hearings on this committee on cyber strategy.
He was asked by a senator, Dan Sullivan of Alaska.
We seem to be the, you know, cyber punching bag of the world.
What's your thought on that? And should we start
cranking up the costs of the cyber attacks on our nation? What do you think our adversaries
think right now? If you do a cyber attack on America, what's going to happen to them?
So basically, I would say right now, they do not think that much will happen to them.
They don't fear us. They don't fear us. So is that good?
It is not good, Senator.
That's a pretty extraordinary admission.
It's a remarkable admission.
And when Nakasone got into office, he determined that he had to change this.
So he got a lot more aggressive.
And, you know, a month ago, I would have said to you, given the success of keeping
the Russians out of the election system, this new approach to deterrence was beginning to yield
some modest results. But I've probably got to go reconsider my view now that we know
what was happening with these most recent attacks on these government agencies.
So it sounds like the U.S. does decide to fight back in ways, of course, that most of us can't see,
but they have not had the intended impact of deterring Russia. And it sounds like the reason
we won't take the kind of actions that might truly raise the stakes is because, as you said, we fear that such a response
would be inflicted on us after we commit a similar act of cyber war. And that's what we do. We also
commit acts of cyber war. So it sounds like we're in a little bit of a bind here. That's right. And
it's because cyber is such a different problem than the deterrence issue that we all grew up
thinking about and learning about in school, which was nuclear deterrence, right? But in nuclear deterrence,
we got to a situation where we all avoided using the weapon because we understood mutually assured
destruction. If you take out New York, we take out Moscow, right? It was pretty binary.
And there weren't many players, you know?
The Russians had nuclear weapons.
The Chinese had nuclear weapons.
You know, six other countries, six other adversaries and allies had nuclear weapons.
But we could count them.
None of that's true in cyber.
In cyber, scores of countries now have cyber weapons.
The offense, stealing something or even putting code in the electric grid but not actually turning off the power, these don't raise up to the level of acts of war.
The brilliance of cyber as a weapon is that you can adjust it up and down to just avoid going over that red line that creates an act of war. So the Russians in going into the Treasury Department and the Commerce Department
and all that, they weren't anyplace close to the line. They were doing straight up espionage.
So the question is, is everyone going to continue to calibrate their attacks so they're just below that ill-defined, invisible red line?
Or at some point, is somebody going to go make a mistake
and do an attack so big that it actually will escalate?
But the utility of cyber is not as a weapon of war.
The utility of cyber is as a weapon short of war.
But it feels like in the absence of the kind of enormous attack that you just described as kind of a game changer, that seems to be working better for Russia than it is for the United States.
Does that feel right?
Because they keep acting in bolder and bolder ways, and we don't seem to know exactly what to do about it.
Well, it's true that it is benefiting offense right now.
And it's not just the Russians who are benefiting.
Obviously, the Chinese, the Iranians, the North Koreans, and also us.
Remember, we don't exactly have clean hands here.
It's the United States and Israel that took out Iran's nuclear program with a big cyber attack 10 years ago.
We've done other attacks on missile systems, on power grids, on all kinds of different targets.
But we've always worked on the assumption that we can carefully calibrate those so that there isn't a big retaliation as well.
So there are a couple of ways to think about
how you deter these in the future.
One of them is deterrence by denial.
That is to say, I build such great cyber defenses
that I say, Michael, you can come attack me.
Go do your best.
I built such a great wall here.
You're not getting through it, okay?
That's one kind of deterrence.
The second kind of deterrence is the one we've been talking about, deterrence by punishment, right? If you do this to
me, boy, you're really going to regret it. A third possibility is to develop some sort of
international set of rules where we say that certain things are off limits. Maybe it's power
grids in peacetime because you turn off the power,
people in hospitals and nursing homes are going to die. Maybe it's election systems.
The problem with this approach is that even the United States government isn't really sure it
wants to sign up because no one in the intelligence community, having spent all the billions of
dollars to develop these sophisticated cyber capabilities, wants to go up to the president of the United States and say,
I'm terribly sorry, but we reached an agreement a few years ago that we'd never do this.
And so we're as big an impediment to this problem as the Russians and the Chinese.
Hmm. David, if we assume that these attacks will keep coming
for the next few years,
I wonder if we can begin to think about
how a president-elect Joe Biden would handle them.
Because if there's anybody who might have a strong rationale
for taking a very hard line against Russia,
you might think that it would be Joe Biden.
And I say that because
we know from lots of reporting that the Russians did not want Joe Biden to win. They favored
Donald Trump. And so is it possible that our incoming president might take a much stronger
approach than his predecessors when it comes to responding to things like this attack
that just occurred. Well, he's going to try, but it's going to be a really hard needle to thread.
I mean, what he's got going for him is that he's not beholden to Putin in any way, right? He's
already said, Putin doesn't want me to be president. Putin's coming after me, and if he
does, I'm coming after him. And he's been pretty explicit about that.
But to say that you're coming after him and to actually do it is going to be a difficult thing.
Because the history of these past 25 years, since Moonlight Maze, is that we have so far been unwilling to escalate enough with a nuclear power for all kinds of good reasons.
And he understands this.
So the question for Biden is, is he going to find a way to thread the needle?
Is he going to go accelerate General Nakasone's strategy?
Is he going to find a way to build those much better defenses?
And then finally, I think he's going to have to address the fear question, which is at the end of the day, the state adversaries, Russia, China, the other big nation states that are using cyber,
have to fear that the price of making use of this cheap, effective,
invisible weapon simply isn't worth it. And we haven't found the right way yet to make them fear us.
Well, David, thank you very much. We appreciate it.
Thank you, Michael.
In a statement on Tuesday, Russian President Vladimir Putin congratulated President-elect Biden on his victory and said he looked forward to a new era of cooperation between the United States and Russia.
We'll be right back.
Here's what else you need to know today.
The Times reports that the FDA intends to authorize use of a second vaccine for the coronavirus,
this one made by Moderna, sometime tomorrow.
If approved, doses of it could begin reaching Americans by Monday.
Like the Pfizer vaccine, Moderna's has been shown in large clinical trials to be more
than 90 percent effective. And many millions of us had hoped the presidential election would yield
a different result. But our system of government has processes to determine who will be sworn in on January the 20th.
The Electoral College has spoken.
After weeks of refusing to recognize Joe Biden's victory in the election,
the most powerful Republican in Congress,
Senate Majority Leader Mitch McConnell of Kentucky,
finally did so on Tuesday in a speech from the Senate floor.
So today I want to congratulate President-elect Joe Biden.
The president-elect is no stranger to the Senate.
He's devoted himself to public service for many years.
I also want to congratulate the vice president-elect,
our colleague from California, Senator Harris.
Given McConnell's stature, his acceptance of Biden's win is a strong signal to the rest of his Republican colleagues in Congress that resistance is now
futile and that it's time to turn the page on the Trump era.
Today's episode was produced by Jessica Chung and Alexandra Lee Young.
It was edited by Paige Cowan and MJ Davis-Lynn and engineered by Chris Wood.
That's it for The Daily.
I'm Michael Barbaro.
See you tomorrow.