Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Well, this is not a case where you can say the
(00:01):
system worked. The system did not work. But I will say the system was not designed for government agencies. The intrusion detection system, which we call Einstein, was not designed to catch things that we'd never seen before.
Speaker 2 (00:22):
Hi everyone, and welcome to Backstory. I'm Dana Lewis in London. While you were watching the American election and the disturbing assault by Trump's crazy supporters on the Capitol building, amidst that flurry of news, lost in the headlines was a massive computer hack, most likely by Russia, say the NSA and FBI and Homeland
(00:45):
Security. Now at least 10 federal entities had their networks breached, including major agencies such as the Department of State, Treasury, Homeland Security, Energy, and Commerce. The hack may be ongoing, meaning it hasn't stopped. The hackers likely used US-based platforms to get into critical
(01:08):
systems, and it appears they entered those systems through a Texas security company and its links to sensitive networks. In total, 18,000 entities. I told you it's massive. Mostly private corporations used the compromised Orion system. While estimates vary, the latest thinking is that about 250 of those were selected
(01:31):
by the Russians for deeper hacks. On this Backstory: how vulnerable are we, and how do we stop outsiders from compromising our computer networks, including banking, defense, the power grid, private enterprises? There's a lot at stake.
Speaker 3 (01:52):
All right. Joining me now from Washington is Suzanne Spaulding. She's a senior advisor for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies. Suzanne, welcome.
Speaker 1 (02:07):
Thank you, David. Nice to be here.
Speaker 3 (02:10):
Hell of a time in Washington. I mean, I cannot just talk to you about cybersecurity without getting your feelings and your reaction to what happened in the Capitol building yesterday. It's shocking.
Speaker 1 (02:21):
It is shocking. It's appalling. It was distressing on so many levels. I had just, on Tuesday, been talking to young girls, seventh grade through 12th grade, about our democracy, and they had a lot of questions about why they should trust and believe in our democracy. And I told them it is worth fighting for. It must be fought
(02:43):
for, not because it's perfect, but because it has the capacity for change. And we all must be agents of that change, but that change has to come about peacefully through our democratic process.
Speaker 3 (03:00):
Is it, Suzanne? Sorry to interrupt. But I mean, when you see the president constantly saying that the elections were false, the election is being stolen, eventually people start believing it, even if there's no evidence in 60-some-odd court cases. They get angry. Then he encourages them to go to the Capitol building. I mean, you can't keep throwing kerosene on the fire without an explosion, can you?
Speaker 1 (03:21):
No, I think Mitt Romney had it right when he talked about an insurrection incited by the president.
Speaker 3 (03:28):
Should the president be removed?
Speaker 1 (03:30):
You know, those are decisions that his cabinet will have to make. Congress needs to look at that. I certainly think we are in a very dangerous and perilous place for the next two weeks, between now and January 20th, if he continues to be the president of the United States.
Speaker 3 (03:45):
Talk to me about cybersecurity. I mean, you've had a terrible hack inside the United States. You also served as a member of the Cyberspace Solarium Commission. You were also the under secretary for the Department of Homeland Security, and you led the National Protection and Programs Directorate, now called the
(04:07):
Cybersecurity and Infrastructure Security Agency. You managed, I mean, a lot of the budget that was supposed to protect government agencies. This hack is not only about companies, but also many government agencies, such as Treasury, that have been hacked into.
Speaker 1 (04:23):
Yep. So, you know, this is not a case where you can say the system worked. The system did not work. But I will say the system was not designed for government agencies. The intrusion detection system, which we call Einstein, was not designed to catch things that we'd never seen before. And that's something that, you know, they've been working
(04:45):
on, but what needs to happen, and we've been telling our private sector partners this, we need to get to a point where we can detect malicious activity that we've never seen before. Right? We need to understand how to detect anomalous behavior. So there was a failure there, but this should also be a reminder to folks that our planning needs to assume
(05:11):
that everything we put in place will fail in terms of keeping the adversaries out of our systems and that we will be breached. And now how do we mitigate the consequences of that breach? What are our mission essential functions? How are we going to make sure they continue?
Speaker 3 (05:27):
Surely that was already framed around cybersecurity protections in the United States, was it not? I mean, you know that you're in a constant chess game, not only with hackers and individual hackers, but, I mean, people like the SVR in Russia and the FSB. And the NSA and the FBI and Homeland Security are saying that this is an ongoing hack.
(05:50):
What does that mean? And are they not able to very quickly shut it down and limit it?
Speaker 1 (05:58):
Well, no, they have to find it first. And once it's in your system, it's very difficult to get the adversaries out on a permanent basis. What we've seen in the past with the very actors that we suspect are behind this hack is that they will do hand-to-hand combat. I mean, you will think you've gotten them out of one
(06:19):
place and they'll pop up somewhere else. They don't just melt away quietly and go away when they are detected. And so it will be a long time finding all the places that they may have managed to infiltrate throughout our system, and a very long time rebuilding in a more secure way.
Speaker 3 (06:36):
Comment on the fact that President Trump eliminated the role of cybersecurity coordinator in 2018.
Speaker 1 (06:43):
Well, I think it was a huge mistake. And I was pleased to see the incoming Biden administration announce yesterday that they are going to restore a central cybersecurity coordinator in the White House. I think it's critically important. We have so many parts of the government and the private sector that bring important capabilities, resources,
(07:03):
authorities to bear, and it needs to be coordinated from the White House.
Speaker 3 (07:07):
Is it just this eternal chess game with Russia where, you know, we try to block them, they try to go around, they try to get in? Or does it become, I mean, at what point is it, I mean, is this just another layer in spying and espionage, or at a certain point do presidents speak to one another and say, wait a minute, there's gotta be some rules here?
(07:28):
You are intruding into critical systems in America, and we view that with great disdain, and there will be a penalty.
Speaker 1 (07:37):
Absolutely, absolutely. And so certainly in the Obama administration, in which I served, we worked very hard to establish norms around the protection of critical infrastructure upon which civilian society depends. I don't think that we can just dismiss this as traditional spy-versus-spy espionage.
(07:59):
We need to assume that they're doing, at a minimum, reconnaissance that would enable them to cause disruptions in the future.
Speaker 3 (08:07):
It's naive of me to think that a conversation is going to solve it, because the Russians or the Iranians or the Chinese, whoever they be, are going to continue to just go at this whenever they can. If they can steal secrets, they'll steal it.
Speaker 1 (08:18):
Absolutely. But the lack of a conversation is more damaging. A simple conversation is not going to deter or stop our adversary, but not having that conversation certainly emboldens them.
Speaker 3 (08:33):
Last question to you. What do you think the damage is, potentially, that was done? When do we know? And are you worried that they were doing more than simply stealing secrets, that they were trying to embed something?
Speaker 1 (08:44):
So I'm worried about all of the above, but what I'm most worried about is that they may have been doing reconnaissance, you know, getting access, for example, to industrial control systems that control machines or the electric grid. It's not sufficient to have a really damaging impact through a cyber attack.
(09:05):
You need to understand those operational processes. You need to understand what would be hardest, for example, to repair, to recover. How can you have that impact? That requires a fair amount of reconnaissance. And my worry is that, while we didn't see them necessarily get into operational technology, they're gathering information to be able to have that kind of disruption,
(09:28):
perhaps with access they've already achieved.
Speaker 4 (09:30):
Should the public be worried about it?
Speaker 1 (09:33):
They should be worried about it, not losing sleep over it, but they should be demanding that our public officials take this seriously and act with the sense of urgency that is required. And I was pleased to see the Congress enact many of our recommendations from the Solarium Commission in this new, most recently signed defense bill.
(09:53):
That's what needs to happen. We need to move forward on the things we know need to be
Speaker 4 (09:59):
Suzanne Spaulding at the Center for Strategic and International Studies. The public's got a lot of things to worry about these days, don't they? Thank you so much.
Thank you.
All right.
Adam Darrah serves as the director of intelligence for Vigilante in South Dakota, a US-based cyber intelligence
(10:20):
firm. Hi Adam. Thanks for joining me.
Appreciate it, Dan. Thank you.
They're now saying that 250 companies were hit by a Russian intrusion. And there've been all sorts of characterizations and descriptions of this hack. How would you characterize it? It seems unprecedented.
Speaker 5 (10:39):
Yeah, it does seem that way. But I characterize this as espionage, your standard espionage operation, which from an adversarial point of view they consider in bounds, and they are probably thinking we are doing the same things to them. So I don't see this as, I believe it to be unprecedented
(11:00):
in terms of what we know about it publicly. Usually these types of intrusions are kept much quieter, but, yeah, this just demonstrates the sophistication and the vigilance of our adversaries. They are very sophisticated. They are aggressive, and they are relentless.
Speaker 4 (11:18):
It sounds like it's Russia, according to the NSA, Homeland Security, the FBI. Everybody but Donald Trump is naming Russia.
Speaker 5 (11:27):
Well, you know, there are only...
Speaker 4 (11:30):
Which means that's probably a confirmation.
Speaker 5 (11:34):
Perhaps. Yeah, the Russian security services definitely meet all the requirements of this type of intrusion and this type of espionage campaign. They're very good. Probably one of the best in the world.
Speaker 4 (11:47):
So those agencies also declared it an ongoing operation nearly a month after it was discovered. So now, you know, talking to people who don't know anything about computer hacking, does that mean once they're in there, they're like rats in your attic, trying to get them out?
Speaker 5 (12:06):
It is. That's a very good analogy. And not calling the Russians rats, by the way, just saying that, but, yeah, that's a very good analogy. There are very smart and capable people on the inside. And so when an intrusion like this is discovered, the sophisticated nation states like Russia, like China, and in some very small pockets of Iran, actually,
(12:30):
they've used this initial intrusion to pivot, because they want the family jewels. They want the crown jewels on classified systems. And so this is probably why these very good agencies are saying things like, yeah, this is an ongoing thing, because the forensics that are being done behind the scenes by very smart people, you know, it takes
(12:53):
time, because they're good, the Russians are very, very good. And so it does take time to make sure that you pull on all the threads and follow each thread to its logical conclusion, because again, they want intelligence. They want to know our plans and intentions, and they want to use the information gleaned from such a substantial intrusion such
(13:15):
as this for onward intelligence operations, human intelligence operations, onward technical operations, internal counterintelligence operations. I mean, this is a rich targeting set that they've had.
Speaker 4 (13:32):
How were they able to do this? Because, you know, we've had hacks before, and then we hear that everybody's going to overhaul their system. The idea that they would actually penetrate private companies and then government agencies, and agencies like Treasury and worse, and then remain in there for months at a time.
(13:53):
I mean, you know, somebody, again, a layman listening to this, it just amazes me that we're not better at detecting.
Speaker 5 (14:02):
Yeah. That's an excellent question, Dan. And when you have multiple buildings dedicated to this endeavor in the Russian Federation, you have some of the world's foremost technical experts with incredible acumen and a
(14:23):
very aggressive mindset vis-a-vis the United States. So the way this works is a full approach. They use open source intelligence, they use human intelligence, they use company insiders. You know, nothing is off the table with regard to a sophisticated intelligence operation. And this has all the makings of somebody that
(14:45):
probably was recruited by the intelligence services to help them understand more. Now, they may have been an agent, is what we say on the inside. They could have just had a really cool friend that they bounced code off of. The Russians may have also recruited, you know, third-party foreign nationals in other countries to, you know, hire as
(15:06):
contractors. So again, like, this is a really, really well-thought-out and sophisticated operation that they almost certainly used a full whole-of-government approach in orchestrating this particular hack.
Speaker 4 (15:21):
And it was done inside the United States?
Speaker 5 (15:24):
Almost certainly. Yes. That's what gets me that feeling in my stomach of, like, oh my goodness. And, you know, on the one hand, you are legitimately outraged, right? One can be legitimately outraged, but on the other hand, you think, well, I tip my hat. Now we need to be better.
Speaker 4 (15:43):
Mr. Warner, the vice chairman of the Senate Intelligence Committee, said, you know, we need to make it clear to the Russians that any misuse of compromised networks to produce destructive or harmful effects is unacceptable and will be promptly met with a strong response. Is that the answer? I mean, Russia is going to do whatever it can to steal
(16:04):
whatever is stealable. Isn't that the game?
Speaker 5 (16:07):
It is the game. And, you know, let's separate the games. You know, politicians have a game to play, and I understand that. And I think those comments are respectable. You know, those need to be said. You know, we need to send a message that, hey, you got us, but, you know, we're going to do what we can to defend ourselves.
(16:28):
I mean, that is a political message that, you know, I'll leave to the politicians to figure out how to best message. But as far as, you know, when we talk about the game that we play, it is a game of shadows. It's a game that's played behind the curtain, and you can see this. You can see this in the response of the two
(16:49):
different, you know, societies, let's call them the two civilizations. You have the Western civilization that is much more open. And so I applaud the response of the companies, of the government, you know, even internal government not being on the same page, you know, internal, like, robust disagreements. That's the consequence of living
(17:12):
in a more open society. You know, but the Russians, you know, they reacted in such a way that they're signaling to us, in my opinion, that they want to go back to the way it was before 2016, which is the, hey, let's keep these things behind the scenes.
(17:32):
You know, now they're denying it, of course, because that's their job. I mean, their job is to deny it. I mean, you don't say, yes, that was us, which they did in 2016. They said, yep, that was us, as a signal to us, to say, hey, look, let's get back to the old way of playing this game. Let's keep it, you know, for lack of a better term, spy versus spy.
(17:52):
But, my goodness, what's the answer? The answer is, you know, to continue to recruit the best talent. Everybody must be vigilant. And the mindset has to be that if you are a private person or a private company that does business with the United States federal government, you are in bounds.
(18:13):
You have a target on your back too. You are a legitimate, recruitable intelligence target and entity. And so adversarial governments are going to come after you, your networks, because they want to know what we're up to. Just like the United States wants to know what other countries are up to, our adversaries also want to know.
Speaker 4 (18:33):
I remember reading a book about the black vault and the beginnings of the NSA. And in that book there's this incredible chapter, because I've been to the Kamchatka Peninsula inside Russia when I was a correspondent, and that was where a lot of their submarine pens are. And the fact that, you know, in that book they revealed that an American submarine went to the bottom of the [inaudible]
(18:57):
peninsula and buried into a cable which monitored military communications from the main sort of Russian mainland out to Kamchatka, to the peninsula. And it was revealing in the sense that it showed that a lot of the Russian critical communication, especially military communication, was, you know, certainly not computerized
(19:17):
in those days, but even in Y2K days, in 2000, you know, a lot of it was not put on the computer systems, and it was hardwired, and it was old school and old style, because they understood the vulnerability. Forgive me for a long question. The vulnerability of computer systems, right. And do we understand, are we overconfident in the West about
(19:43):
our protection systems? And do we think that we're never going to be, our systems are going to be penetrated the way that the Russians have just shown us once again that they can and will do?
Speaker 5 (19:55):
Yeah. The people in my former circles and current circles definitely don't think that we're untouchable. Let's just say, you know, in the cybersecurity community there are a lot of individuals whose default is, oh my gosh. Like, they only see our vulnerabilities, right?
(20:17):
Same in the intelligence community. Especially in the smaller circles of, like, offensive technical operations, defensive technical operations, all those wonderful individuals see are the vulnerabilities. And so I don't think, from the United States point of view, we've never thought, and we definitely do not
(20:37):
underestimate, the Russian capability with regard to what they can do against us and what they do against us. The mindset is, if this is what we know, imagine what we don't know.
Speaker 4 (20:50):
You don't think, to use your term, they got the crown jewels?
Speaker 5 (20:54):
Oh gosh, no, I don't think so. I think that's what they want. And I think that's why they do these operations. You know, and don't get me wrong, if I was sitting at my desk at my former job and I had access to the Russian equivalent of the information that they got, I mean, your career's made. I mean, that's just
(21:14):
unbelievable. And it's a rich targeting set no matter what. Even if they didn't get the family jewels or the crown jewels, it's a very rich data set. And we can learn a lot from the type of people they employed, what they talk about, people's personal problems. And also, Dana,
(21:36):
they're watching us very closely, both from a technical perspective, like, how did we respond once we knew? What did we do? What countermeasures did we take? How was this playing in their media? I mean, this is a very, very interesting time. And there are many, many people back in the Russian Federation watching us and figuring out, okay, how do we pivot? What's
(21:59):
next? Now that the Americans did this, they messaged this, we did this, what can we do next?
Speaker 4 (22:06):
It's just a never-ending chess game, but do we do the same to Russia?
Speaker 5 (22:10):
Yes. We have wonderfully talented people who have been students of that fascinating civilization, guys like you that lived there, and they get it, and they've studied it. And they've gone head to head with the Russian target, you know, behind closed doors.
(22:32):
And so there is a rich understanding of the Russian mindset, and there's a rich understanding of their capabilities. We do not underestimate them. At least behind closed doors, we do not underestimate them. And a lot of really intelligent people on both sides of the pond are fully engaged in this question.
Speaker 4 (22:53):
You sound very confident that we're still pretty smart in the West. And yet this was such a broad, deep hack across so many businesses and agencies. And, I mean, the one company, you know, out of Texas, you
(23:14):
know, handled some 18,000 companies. I mean, it sounds like we didn't do very well.
Speaker 5 (23:20):
Well, here's the thing, Dana. Like, and I want to, this is another clear cut, this is an example of the difference between a more open society and a different mindset, right? Russia has a very different mindset here. I applaud these public companies who had to do a public mea culpa. I mean, that's not easy, you know, but we live in a more open
(23:43):
society. So I applaud FireEye. I applaud SolarWinds that they came out, Microsoft. I mean, nobody has run away from this and is pointing fingers. But that's very Western. It's very American, dare I say. Because, like, we want to be better. Yes, we have egg on our face. Don't get me wrong. There's definitely egg on our face.
(24:04):
But, you know, again, it's this dual nature of man. On the one hand, we have this, like, indignation. We're angry. We're like, let's get, I'm like, ah, we're embarrassed, we're angry. But on the other hand, it's like, okay, I tip my hat, you won this round. Like, but we're going to be better. But, you know, something like this, this type of disclosure,
(24:25):
let's say, hypothetically, this happened to the Russian equivalent of these companies. There wouldn't be public discussion about this. And so again, like, it's not better-different or worse-different. We're just different. And these types of disclosures, you know, our press is doing its job. Bravo. Our government's doing its job. You know, the press is keeping us honest. You
(24:47):
know, they're editorializing this. That's fine. We welcome these robust discussions. We welcome them here in the West. But, you know, Russia, Russia is good. They're very, very good. And they're very, very motivated to find out what the heck we're up to here in America and in the UK, in the West in general.
Speaker 4 (25:08):
Adam Darrah, the director of intelligence for Vigilante, a US-based cyber intelligence firm. Good to talk to you, Adam. Thank you.
Speaker 5 (25:15):
Thank you, Dan. Appreciate it.
Speaker 4 (25:20):
All right. Glenn Chisholm joins us now. He is in California, and he's the CEO at Obsidian, which protects cloud services from account takeover. They say that they protect from insider threats and identity sprawl, which I have no idea what that is. Glenn, what is identity sprawl?
Speaker 6 (25:39):
It's just the normal effect of a company's changes, growth, and movements. And, you know, everyone has an identity in the computer system, and whether those accounts and those identities are properly maintained and reduced and controlled over time.
Speaker 4 (26:00):
All right. So there's a lot of firms out there that claim that they do computer protection. I mean, yours in particular, you say, among others on your leadership team are former members of the National Security Agency, the NSA. Is that right?
Speaker 6 (26:15):
Yeah. Two of my co-founders are ex-NSA.
Speaker 4 (26:19):
All right. So you should be very muscular in terms of security, computer security, and you should tell me, and I know you're not responsible for it, but how in the world do you think 250 companies and government agencies have been hacked, likely by Russia?
Speaker 6 (26:37):
I think what you're dealing with is a very thoughtful and deliberate opponent who's willing to spend a significant amount of time and preparation and resources to get into their targets. And given that type of mentality, then you are going to
(27:00):
expect some degree of success.
Speaker 4 (27:04):
And you would expect that these guys would just keep on coming. I mean, that's always been the game, isn't it? That the Russians or whoever are trying to hack into American systems?
Speaker 6 (27:14):
Yeah. I mean, I think it's fair to say this class of attacks is often referred to as APTs, which are advanced persistent threats. And the reason why they're persistent threats is because the opponent is resourced and motivated in a way that allows them to continue to target you.
(27:35):
They don't have to score some immediate return. This isn't a pedestrian criminal that has to make money. This isn't a crime syndicate that's going to look for the easiest opportunity to get a cash return. These are people whose motivations are nation-state oriented, and with nation-state orientation comes patience, time,
(27:57):
and just the continual repetition of the attack.
Speaker 4 (28:01):
How would you describe, knowing what we know about it, and I assume you don't have any firsthand knowledge of it, but how would you describe the depth of this hacking and the seriousness of it?
Speaker 6 (28:15):
I mean, I think this is obviously going to be one of the most iconic computer security breaches of all time. I think that's a reasonable statement. I don't think there's any hyperbole in that, from a depth and approach perspective. You know, this is what is referred to as a supply chain attack.
(28:35):
You know, you look at that target. The target may be difficult to get into. It may be well defended. It may have good controls in place. And so it becomes, the easiest way to do it is to find the weakest link in the supply chain, or, let me rephrase that, that's unfair, find a link in the supply chain that you can
(28:57):
exploit. Once you're in that link in the supply chain, use that to move into the other companies. And that's what was done here. It's: find a software supplier that is broadly used, break into that supplier, sit there for a period of time, make sure you're not detected, modify the software to let the software allow you to get into other organizations, and then sit there
(29:18):
for a period of time, make sure you're not detected, and then start to extract information of value.
Speaker 4 (29:23):
This was a Texas firm named SolarWinds, reportedly.
Speaker 6 (29:27):
It does appear SolarWinds was a key component in this attack, but it also appears that there were other suppliers in the supply chain that were targeted. And it's fair to say that because we do know that the company that found the breach, and the one that I think has shown themselves to be extraordinarily
(29:48):
responsible and thoughtful about this, which is FireEye, and I have no stake in FireEye, I have no shares, nothing like that. It's just that they found the breach, they were very public about it, they assisted everyone else in understanding the nature of the breach and helped track it back to its source, which is SolarWinds. FireEye is also a supplier. So, you know, if they were targeting FireEye, that was
(30:09):
another element of the supply chain that they were targeting, and they were going to use that to get in elsewhere. So I think there's more to this than just SolarWinds. It's a broader attack and a broader set of approaches that were used to gain access to these organizations.
Speaker 4 (30:25):
I mean, the depth of this seems pretty serious. I mean, because the one company in Texas, SolarWinds, actually, maybe it's not fair to say it's SolarWinds customers, but reportedly there are 18,000 entities here, mostly private corporations. They used the compromised Orion system.
(30:48):
So, I mean, that's a huge number of companies that may have been affected, including government systems.
Speaker 6 (30:54):
Yeah. So obviously the attacker gained access to SolarWinds, and then they modified, specifically, a product called Orion. 18,000 people took the update that had this malicious code in it. Now, I mean, it's also fair to say that of all those 18,000 people, the vast majority of those would not have been
(31:15):
accessed by this particular opponent, but it did give the opponent the opportunity to access them, whether it was now or later. And so, you know, thoroughly identifying this attack, the approaches to the attack, is important to make sure we clean all of those 18,000 organizations right through from
(31:38):
top to bottom to make sure the attacker can't come back into one of those and then start the process all over again.
Speaker 4 (31:44):
We know that they've left, if you're saying come back in? I mean, it may be, according to a statement yesterday by Homeland Security, the NSA, and the FBI, I believe said it was an ongoing operation. So that seems to flirt with the idea that they may still be inside those systems.
Speaker 6 (32:02):
No, I think it's very fair to say that the general understanding that most computer security people, particularly incident response teams, apply is that the attacker is still going to be there. And task number one is containing, task number two is removing them and cleaning, and task number three is applying controls to prevent return.
(32:27):
So, I mean, certain organizations may have expelled the attacker, others might be in the process of doing so, and may be in the process of doing so for the next six months.
Do you work with government agencies?
We have some experience with working with some agencies, yes.
Speaker 4 (32:42):
What kind of
information are we talking
about?
I mean, when you're called in to protect somebody's system, is
everything vulnerable, everything from Treasury to, you
know, I don't want to be overly dramatic, and I'll tell
you why I even raised the idea, but to, to say nuclear launch
codes.
I mean, how serious does it get?
Speaker 6 (33:01):
Uh, I mean, this type
of attack is, is, and, you know,
you can see it from the nature of the disclosed
victims, is far more at the civilian agencies, rather than
the DOD-type entities. The DOD-type entities have far more
disconnected systems that aren't connected to the, you know, to
the internet or connected to external systems, that would
prevent this type of attack from having even been, uh, uh,
(33:25):
successful.
Now, obviously there are other ways that the attacks go, and
there are other approaches that have been applied, um, and, you
know, for disconnected systems, we've seen, you know, in the
past approaches that have been applied that have been very
successful, and, you know, um, but, but, uh, what, what I
would, what I would say is that the information is going to have
(33:50):
value.
So the question is, is, uh, what, like what information
would you as Treasury have that would have information on
sanctions programs, individuals who are going to be targeted for
sanctions, what Treasury understood to be components of
sanctions, you know, US programs around the economy, et cetera,
et cetera.
So, you know, the information is very rich, and so, you know,
(34:12):
there's value to it.
Uh, there's value to it to nation-state attackers.
Speaker 4 (34:18):
So how do you, you
know, leave me with lessons
learned, um, you know, it, it reminds me, like back in 2000,
when I was a correspondent in Moscow, working for NBC,
we were covering Y2K.
And the idea that all of the computer systems around the
world were bugged and might crash transportation networks, uh,
(34:39):
nuclear launches, and the Russians kind of said, well, you
know what, w we're not really on the computer.
We're not really computerized very much.
So, I mean, a lot of our, I mean, that's 20 years ago, but a
lot of our systems, they said at that time, weren't really
vulnerable like Western, uh, systems, from, you know, banking
and economics to maybe military. Were, were any lessons
(35:03):
learned there, or did the Russians just, you know, catch
up? Or, I mean, what are the lessons coming out of this?
Like, how do you protect this very important information
from both private corporations and government?
Speaker 6 (35:16):
The, the lesson
is to always be looking and to
understand the nature of your environment and the intimacy of
your environment with every other environment.
Um, you know, lessons are always learnt in the process, and,
um, you know, this is, this is, this is different to Y2K. Y2K
(35:39):
is, you know, or in most situations, you know, what you
have to understand is that computer systems are built to be
resilient.
Um, you know, security systems are built to be resilient, um,
they're built to be reliable.
Um, but you have an opponent, you have a highly intelligent
(36:00):
opponent that's highly motivated.
And so, you know, this is a unique situation.
This, this isn't a normal sort of, uh, set of controls
that one has to balance, that is, is, is the standard for managing
risk.
Um, you know, if you're managing risk in a bank against
fraudulent activity, um, you know, you, you don't necessarily
(36:23):
have nation states attempting to defraud you. When you're managing
risk in this case,
um, you know, the nation state that may be attending to the bank
may be North Korea, because they're attempting to get
foreign currency.
Um, people tending to target Treasury may be the Russians,
because they want to understand, you know, and I use this as an
(36:45):
example, without any direct knowledge of the exact target,
but something like sanctions programs against their
individual members of government.
Um, they may want to understand, you know, uh, various programs
the US government is running so they can try and identify, you
know, intelligence sources of interest.
So all of these things are very, very complex.
Speaker 4 (37:07):
It just seems like it,
it just seems like a chess game
that we can't afford to never win, that every time we lose that
game, whether it be China, whether it be North Korea,
whether it be Russia, whether it be Iran, um, the, the, the
costs are, I mean, we'll probably never know exactly what
(37:28):
they got, but the costs arehuge.
Speaker 6 (37:31):
The costs are huge.
And so, you know, the lesson learned is investment,
understanding what your information is, building
defenses for your current problems, not yesterday's
problems.
And that's typically one of the biggest issues that can be faced
in computer security, is people are very focused on what the
last breach was, not what the next breach will be.
(37:55):
Um, and so, you know, one of the things I've said before is, you
know, your defenses need to be oriented towards where you're
going, not where you were.
Um, I think that people, people have to understand that to allow
themselves to be more resilient against these types of attacks.
And then most importantly, with anything, whether it be a human
(38:15):
agent or a computer security breach, um, the most important
thing you can do is, is detect. Detection is key
because breaches happen.
You know, people do become foreign agents.
People become, you know, breaches happen.
Detection is what matters. Identifying the breach as
quickly as possible minimizes the scope of a loss.
(38:39):
And that is what truly matters, right?
Except in this case, nobody knew that there was a breach
and it apparently went on for months.
So it's an, it's, it's an unusual one.
No, unfortunately it's not unusual.
That's the problem.
It's, this is more normative, that the breach goes on for a
period of time.
And that's, that's the problem.
(39:00):
You know, with these types of nation-state breaches, getting to detect
it very quickly is unusual.
So that's why the controls need to be so well thought out.
That's why detection needs to be so well thought out.
And that's why you have to be moving to where the attack is
going.
Not where the attacker was. Glenn Chisholm with Obsidian.
Thank you so much, Glenn.
Thank you.
(39:20):
Appreciate it.
Speaker 2 (39:21):
That's our backstory
on a computer hack that still
hasn't been untangled and is ongoing.
And we really don't understand yet the loss and the threat it's
posed.
We appreciate you subscribing, sharing, supporting us by
spreading the word on Backstory.
I've now started a daily newsletter to help people
(39:41):
navigate the news.
And that includes news links,
so you can read original source news.
I think that's fair and impartial and not anchored in
the disinformation
that's confusing
a lot of people. It's Dana's Backstory on Substack.
Please sign up.
I'm Dana Lewis in London.
(40:02):
Thanks for listening.
And I'll talk to you again soon.