Today, Explained - The threat of Russian cyberwar

Episode Date: April 18, 2022

Russia is ramping up attacks on Ukraine’s digital infrastructure. The US could be next. This episode was produced by Victoria Chamberlin, edited by Matt Collette, engineered by Paul Mounsey, fact-checked by Laura Bullard, and hosted by Sean Rameswaram.

Transcript
Starting point is 00:00:00 Welcome back to Today Explained. Russia isn't happy with the United States right now. Most recently, it sent a formal warning to the Biden administration. Stop sending advanced weapons to Ukraine or risk, quote, unpredictable consequences. Hard to know what Putin means by that. But one thing we do know is Russia has been ramping up cyber warfare in Ukraine. A top Ukrainian cyber security official has confirmed to NBC News that Ukraine is once again under cyber attack and among the reported victims are banks and government websites.
Starting point is 00:00:35 And as Putin's frustration grows, as does the threat of cyber warfare. Everybody's vulnerable. Cyber activities know no sovereign boundaries. And so the United States is surely going to be a potential target. The threat of cyber warfare from Russia and how the United States isn't really ready. Ahead on Today Explained.
Starting point is 00:01:07 Today Explained, I'm Sean Rameswaram and this is Glenn. I'm Glenn Gerstel. Glenn used to be in the NSA. I'm the former general counsel of the National Security Agency, having served there from 2015 to 2020. But now he's just a regular civilian.
Starting point is 00:01:37 And I'm currently a senior advisor at a Washington, D.C. think tank, the Center for Strategic and International Studies. Glenn still thinks a lot about national security, so he seemed like the right kind of guy to ask about cybersecurity. We're seeing right now very significant cyber attacks in Ukraine, including one that was just recently thwarted just days ago, which would have been a successful attack on the electric grid in Kyiv. That would have been the third such attack.
Starting point is 00:02:03 One was done by Russia in 2015. An unprecedented cyber attack left 225,000 Ukrainians without power. And another in 2016. The hackers sent emails with infected attachments to power company employees, stealing their login credentials and then taking control of the grid systems to cut the circuit breakers at nearly 60 substations. So we know that Russia is capable of this. We see the kind of indiscriminate activity they're engaged in in the military operations on the ground.
Starting point is 00:02:33 And the fear is that this indiscriminate but forceful type of attack might occur in the cyber realm as well. And the United States is potentially vulnerable to such an attack? Everybody's vulnerable. Cyber activities know no sovereign boundaries. And so the United States is surely going to be a potential target. A March 18th FBI bulletin obtained by CBS warned at least 23 U.S. companies that 140 Russian-linked IP addresses were scanning networks for vulnerabilities for use in potential future intrusions. Malicious cyber activity runs the gamut. It's on a spectrum. At one end, something that doesn't produce destructive effects,
Starting point is 00:03:13 that's the kind of cyber activity where a foreign adversary maybe tries to get into the computer networks of our defense contractors or the national government, as we saw a couple of years ago with the so-called SolarWinds intrusion. Sending malware to 18,000 private and government organizations, including the U.S. Departments of Justice, Treasury, State, and Homeland Security. It was a simply old-fashioned spying operation, but done by means of a computer. And at the other end of the spectrum, we have potentially devastating, physically destructive cyber attacks where we use cyber to produce a real-world effect in our daily lives.
Starting point is 00:03:54 And that could involve turning off electricity, which could mean everything from homes getting cold in winter to hospitals having to shut down in the middle of operations due to electricity being turned off, to potentially water supplies being contaminated. So the potential for a real-world consequence is very significant. And between those two extremes are other variations, one of which is ransomware that generally doesn't corrupt data, generally doesn't stop everything dead in its tracks other than access to the computer. But in theory, if you pay the ransom and the ransomware gang is honest, they'll let you have your computer back and you'll be back after a rather transient period of damage,
Starting point is 00:04:31 but not permanent. And Russia's capable of the full spectrum? Russia is capable of the full spectrum. When I was at the National Security Agency, we regarded Russia as one of the top four cyber adversaries. We regarded Russia as a near peer. We had to take them very seriously. They are capable of the most sophisticated type of cyber operations. And we've seen that over the past several years. Tell me more about what Russia has executed during this war with Ukraine? We've seen a relentless barrage from Russia,
Starting point is 00:05:06 probably by the GRU, which is the intelligence unit of the Russian military, possibly also the SVR, which is sort of the equivalent of their CIA. We've seen a history of significant cyber attacks seeking to bring down government websites by something called a distributed denial of service attack. And that basically involves sending hundreds and millions of messages at a computer
Starting point is 00:05:30 to sort of overwhelm it and take it offline. That produces only a temporary effect because the computers are able to get back online. Indeed, we just saw the Finnish foreign ministry, evidently in retaliation for Finland's current consideration of joining NATO, suffered a significant DDoS attack where they were taken offline for several hours. This all happening as Ukrainian President Zelensky was speaking virtually to members of Finland's parliament. The websites of both the Finnish defense and foreign ministry went down. That is part of a very coordinated effort on the part of the Russians
Starting point is 00:06:05 tied up with their disinformation operations. So the combination of spreading disinformation on social media to induce panic, coupled with selected physical disruptions in sort of everyday real-life websites being turned off. There were two state banks that were unable to function for several days due to computer attacks. People couldn't get money from ATM machines. Coupled with that, Russia in a very concerted way sent out text messages to people saying you won't be able to get your money from ATM machines, sort of inducing panic and sowing chaos. So this is a – they have a very integrated way of combining their information operations together with their ability to engage in physically destructive cyber attacks.
Starting point is 00:06:48 So it sounds like Russia is certainly engaging in these cyber warfare tactics in Ukraine and even beyond, but they aren't going as hard as they could from what you've said the spectrum is. We haven't seen that. So we've certainly seen, as I said, relentless, somewhat lower level attacks. We haven't seen the shock and awe that might be accompanied with a massive cyber attack causing the entire country to plunge into darkness, telephones and internet disrupted on a national scale. We haven't seen that. So why is that? We'll know the answer in a few years when the full history comes out. But one reason surely has to be
Starting point is 00:07:20 that Vladimir Putin thought this was going to be an easy victory. He thought he was going to be able to have troops come in and reach Kiev in a matter of days from crossing the border. So one is they didn't think it was necessary. Two, they might not want it anyway, because if they thought they were going to be coming into the country and occupying it as an invader, they'd want a functioning economy. They'd want a populace that was willing to engage in normal commercial activities. And that's obviously not what even remotely has turned out. replicated or extended to lack of coordination with their cyber units. So maybe the cyber folks weren't clued into the full invasion plans. Maybe they weren't completely clued in to exactly how the military would be operating. That certainly seems to have evidence of that. Finally, perhaps, is just the simple fact that the Ukrainians have had several years to prepare for this. They've known since 2015 and experienced since 2015 relentless cyber attacks, and they're better prepared.
Starting point is 00:08:26 It sounds like there might be some overlap between why Russia isn't waging as aggressive a cyber war on Ukraine as it could and why Russia isn't waging as much of a cyber war on, say, the countries that are helping Ukraine, Germany, France, UK, the United States. Is that fair? that if, to take an example, that the Kremlin were to orchestrate and launch a very severe, physically destructive cyber attack against the United States, that we would say, oh, okay, well, in that case, forget the sanctions. Obviously, we're not going to do that. If anything, we'll double down on them. We would engage in some kind of escalation, some kind of significant retaliation. Having said that, I could see a situation in which he feels cornered, either because he feels he's got nothing left to lose, the sanctions are already imposed so strict,
Starting point is 00:09:33 there's not much worse, they can't get much worse. Or what I fear is that when the sanctions we've imposed start having a real world effect on the average Russian citizen and they take to the streets, we see more demonstrations in St. Petersburg. Of course, they could be brutally put down. But if they aren't, and it turns out to be an existential issue for Putin where his rule is threatened, then I could see him engaging in what we would regard as an irrational retaliation and strikeout in terms of cyber without regard to the consequences because at that point, he won't care. He'll engage in something that's just lashing out irrationally. And that's something we do have to be concerned about. And it sounds like the United States is preparing for that
Starting point is 00:10:16 scenario. I think we need to be prepared for that scenario. Certainly, our government is taking it very seriously. And an example of that is an absolutely unprecedented action by the president of the United States. Just several weeks ago, President Biden issued a statement and an announcement. Look, today, my administration is issuing new warnings that based on evolving intelligence, Russia may be planning a cyber attack against us. Urging American businesses to be prepared for significant malicious cyber activity from Russia. This was coming directly from the president. We've never had that before. And that's obviously because our intelligence community must have been in possession of some information
Starting point is 00:10:51 So we do need to be prepared. We know their capabilities. We know how they're reacting to these sanctions. It's not impossible that they could retaliate in a way that would be extremely unpleasant. Thank you.
Starting point is 00:13:18 Did you find the files? I don't even know what they look... What do they look like? They're in the computer. They're in the computer?
Starting point is 00:13:47 Yeah, they're definitely in there. I just don't know how he labeled them. I got it. You gotta figure it out. Roger. In the computer. It's so simple. Today Explained, we're back with Glenn Gerstel.
Starting point is 00:14:03 Glenn used to be in the NSA. It sounds like the president is concerned. He issued this unprecedented warning to American business, to American infrastructure, as you mentioned just recently. Give us an idea of how prepared this country is for malicious cyber warfare attacks from a country like Russia in this moment. America's preparedness varies. In the industries that have a history of working together, because that's the nature of their business, say the banking and finance industry, or the energy industry, where they're shipping energy and coordinating supplies and deliveries to each other. No surprise that those industries
Starting point is 00:14:46 are actually fairly well organized in terms of being prepared for malicious cyber activity. They're also wealthy enough that they can afford to hire the best people, the best cybersecurity engineers. They can buy the best equipment and they have the money to spend time on making sure all patches are up to date, their computers are up to date, etc. So I would give those industries, the financial and banking sector, credit card industry, a pretty, pretty high grade, well over passing. It's pretty, pretty, pretty, pretty good.
Starting point is 00:15:22 Comforting? That's the good news. What's the bad news? The bad news is there are some guys at the back of the classroom who aren't doing so well. Uh-huh. Who are they? While nobody wants to be pointed out as who's sitting in the back of the classroom there, state and local governments clearly are at a poor end of the spectrum. They don't have enough money to do many of the important social services they want to do, let alone cybersecurity. Their computers are often outdated. It's not a question of patching
Starting point is 00:15:49 the computers. The computers and their network systems maybe are running old versions of Windows or old versions of some software. So it's not a question of patching it. They just haven't spent the money to buy it. And this is why they've fallen victim to ransomware in the past. And we see time and time again, school systems, municipalities, Baltimore, Atlanta. Essential services like 911 and 311 are still working, but most of the city's servers are shut down. Last Thursday, the city of Atlanta was attacked by hackers and they demanded ransom money, blocking online access to certain city sites and leaving residents unable to pay bills,
Starting point is 00:16:24 report potholes, or even use the Wi-Fi at the airport. Being crippled by ransomware to the point where they can't even write parking tickets anymore. And another sector might be the water sector. There are over 52,000 water utilities in the United States. Most of them are very small. They often struggle to have the funds necessary to do all the upgrades and maintenance that they need to keep their water supplies proper. So they don't really have a lot of money left over for cyber. They often run antiquated equipment. Cyber isn't integral to their business.
Starting point is 00:16:55 They are significantly vulnerable. We know they're vulnerable. And the only offsetting feature, I would say, is that they're so dispersed. There's so many of them. There's so many school districts in the United States, so many election precincts and election machinery, so many water supply companies. Pick any one of these infrastructure areas that are widely dispersed because they're geographically diverse. Well, the good news is it's going to be hard to attack them at scale. You can't attack all 52,000 water utilities in the United States. You can take one by one. But you don't need to get all 52,000 to produce a problem. Just imagine if Russia were successful in penetrating two or three water supply systems around the United States and using cyber to open valves to add excessive
Starting point is 00:17:40 amounts of disinfectant or to pollute the waters or who knows what. Imagine the level of concern that everybody would have when you'd go home and turn on the tap water. You'd wonder, gosh, I wonder if they got into my system. What do I need to do? And so they could easily, and if that were coupled with Russia's disinformation campaign and they're good at that, you can imagine sowing a significant concern in the United States with just a very limited attack. Again, I'm not trying to induce panic, but I'm just simply saying we need to be prepared for the worst case. Hopefully that'll never occur, but we do need to be worried about it.
Starting point is 00:18:14 Does that also apply to power, to grids? Our electric grid system in the United States is connected in many important ways for all sorts of reasons for redundancy so that if electricity goes off in one area and if it goes off in Pennsylvania, then it's possible for electricity from Virginia to be funneled along the electric grid to deal with the power outage. So that's the good part of the fact that our grids are at some level tied together. And the concern there is that if Russia were able to go after one or two key spots in the grid, it could have a significant regional effect. It's hard to see how it would have a really truly national effect.
Starting point is 00:18:50 But again, if you're talking about a key city such as Washington or New York, that will have a national effect even if the lights go out only in Wall Street. It sounds like the silver lining here is there's a whole lot of systems. And so attacking one does not necessarily mean disrupting the entire nation, though, as you said, there is potential to hit a really critical city or state and cause major disruptions. What's the fix, though? What do we do to not be vulnerable at all? So the fix is complicated. The problem is complicated. If it was easy, we would have fixed it by now. So we know the problem is complicated.
Starting point is 00:19:30 And there's a whole bunch of reasons for our cyber vulnerability. But at the end of the day, we need to approach our cyber vulnerabilities in several ways. We certainly need such easy steps or relative easy steps and easy to articulate steps is getting more cyber professionals. There are over three million cyber jobs that are going vacant in the United States right now. And it's going to take a lot of professionals to fill that gap. But due to the pandemic, coupled with the ongoing labor crunch, workers are being stretched thin, both preventing attacks and responding to the ones that make it through. We need to train average users how to be more cyber secure about
Starting point is 00:20:05 their laptops, their phones, using so-called two-factor authentication to make sure someone doesn't get into your email or into your phone. So we need general public education. But then at the end of the day, we really need to make sure that American businesses and infrastructure owners employ the best cyber practices. And they don't. The simple fact of the matter is they don't. Some industries, as we've already discussed, are really good at it. Others aren't. But we're only as strong in our terms of our national well-being as the sort of weakest link, and so we've got to make sure that we address that. Today, the MTA confirms it got hit by a cyber attack in April. The hack is the latest in a number of high-profile
Starting point is 00:20:45 cyber attacks in the U.S. over the past few weeks. Hackers targeting our health care system, stealing private data, and holding it for ransom. So far, five hospitals. Security experts warn hundreds more under threat. We've relied for basically, oh, a generation, basically 20 years since the internet and cyber has been a thing in our lives. We've relied fundamentally on market solutions. And what have market solutions given us? They've given us buggy software, which is vulnerable to many cyber attacks.
Starting point is 00:21:16 And they've given us a system where we tolerate, evidently, just low but still significant levels of ransomware that affect us every day, computer outages, and market solutions have proven ineffective to prevent us from these ransomware attacks, these malicious cyber surveillance attacks against the federal government, state governments, election interference. We've allowed our social media to be polluted through cyber maliciousness,
Starting point is 00:21:45 et cetera. So private sector, it's not working and we need to recognize that. So what does that mean? We need the government to step up. The United States Constitution says that our federal government is designed for the, quote, common defense. And we certainly know that it undertakes that duty in the case of foreign malicious real-world attacks. So, for example, if North Korea attacked Sony Pictures because they didn't like the picture that Sony was producing about the North Korean dictator and in retaliation, they— The interview. Exactly.
Starting point is 00:22:17 A devastating attack against Sony Pictures, knocking them offline, causing millions of dollars of damage at Sony. They undertook that attack through cyber means. But yeah, they called it an act of war and an act of terrorism, which as a comedian is like what you're fucking looking for, huh? If instead the North Korean military had launched a missile at Sony Pictures in Culver City, California, well, we know what the United States response would be.
Starting point is 00:22:44 It would probably involve a B-52, right? But instead, because it was a cyber attack, what did we do? We imposed sanctions against North Korea. So cyber exploits a vulnerability. It exploits a vulnerability in the way our federal government is empowered and organized to defend the United States against foreign malicious cyber activity. And that's a very severe gap, very severe vulnerability. To remedy it, we need the government to step up and provide, at the end of the day, mandatory minimum cybersecurity standards like we do in so many other areas. We need to regulate this area.
Starting point is 00:23:27 And the government you're talking about is the federal government? Only the federal government is in a position to deal with what is in effect a threat to our national well-being. And that means recognizing that market solutions aren't getting us to where we need to be. We need the government to impose mandatory minimum cybersecurity standards. That will involve regulation. It'll involve a bureaucracy. No one wants either of those. But the alternative is to sit back and suffer ever more devastating ransomware attacks. Is this the moment that the federal government wakes up to the imminent dangers of a cyber warfare attack from Russia? Is it this war that has brought us the closest we've been in generations to a direct conflict with Russia? Or is it the actual attack that
Starting point is 00:24:13 comes one day and cripples, you know, critical American infrastructure? In a funny way, I'm sort of worried that there won't be that kind of devastating attack that will, the equivalent of 9-11 that will cause us to form a Department of Homeland Security that will cause us to reform their intelligence agencies, et cetera. We may never or hopefully we'll never see such a devastating attack. But I don't want the fact that we haven't seen a devastating attack to be an excuse for not doing anything about this. We need to take action. And I think I've seen in talking to members of Congress and the staff on Capitol Hill, a real change in their attitude. Is it going to be sufficient to overcome partisan gridlock, the normal inertia that we have about
Starting point is 00:25:00 making any changes in government? I don't know. I'd like to think we're on the path to addressing that. I'm under no illusions that it's going to be easy or going to be quick. But I think we've started that process. Glenn Gerstel is definitely not in the NSA. He's a senior advisor at the Center for Strategic and International Studies here in Washington, D.C. The program today was produced by Victoria Chamberlin with edits by Matthew Collette.
Starting point is 00:25:31 We were fact-checked by Laura Bullard and mixed and mastered by Paul Mounsey. It is Today Explained. I'm Sean Rameswaram.
