BACK STORY with DANA LEWIS

A MASSIVE COMPUTER HACK IN THE U.S.

January 07, 2021 Dana Lewis Season 3 Episode 1
BACK STORY with DANA LEWIS
A MASSIVE COMPUTER HACK IN THE U.S.
Chapters
BACK STORY with DANA LEWIS
A MASSIVE COMPUTER HACK IN THE U.S.
Jan 07, 2021 Season 3 Episode 1
Dana Lewis

Thousands of companies may have been hacked as well as Gov Agencies in America. 

Homeland Security, The FBI and NSA say it's Russia.

What was taken?  The hack is still ongoing and went on for months.  Why weren't critical systems better protected?

On this Back Story with Dana Lewis we talk to Suzanne Spaulding, Senior adviser for Homeland Security and Director of the Defending Democratic Institutions project at the Center for Strategic and International Studies 

Adam Darrah serves the Director of Intelligence at Vigilante in South Dakota, a US-based cyber intelligence firm.  

And Glenn Chisholm is CEO  at Obsidian which protects  cloud services from account takeover, insider threat and identity sprawl and he has former NSA experts as advisors. 

Show Notes Transcript

Thousands of companies may have been hacked as well as Gov Agencies in America. 

Homeland Security, The FBI and NSA say it's Russia.

What was taken?  The hack is still ongoing and went on for months.  Why weren't critical systems better protected?

On this Back Story with Dana Lewis we talk to Suzanne Spaulding, Senior adviser for Homeland Security and Director of the Defending Democratic Institutions project at the Center for Strategic and International Studies 

Adam Darrah serves the Director of Intelligence at Vigilante in South Dakota, a US-based cyber intelligence firm.  

And Glenn Chisholm is CEO  at Obsidian which protects  cloud services from account takeover, insider threat and identity sprawl and he has former NSA experts as advisors. 

Speaker 1:

Well, this is not a case where you can say the system worked. The system did not work. Um, but, but I will say the system was not designed for government agencies. They , uh , intrusion detection system, which we call Einstein was not designed to catch things that we'd never seen before.

Speaker 2:

Hi everyone. And welcome to backstory. I'm Dana Lewis in London, while you were watching the American election and the disturbing assault by Trump's crazy supporters on the Capitol building amidst that flurry of views lost in the headlines was a massive computer hack. Most likely by Russia say the NSA and FBI and Homeland security. Now at least 10 federal entities had their networks breached, including major agencies, such as the department of state treasury, Homeland security, energy, and commerce. The hack may be ongoing, meaning it hasn't stopped. The hackers likely used US-based platforms to get into critical systems and it appears they entered those systems through a Texas security company and its links to sensitive networks. In total 18,000 entities. I told you it's massive. Mostly private corporations used compromised Orion system while estimates vary. The latest thinking is that about 250 of those were selected by the Russians for deeper hacks on this backstory. How vulnerable are we and how do we stop outsiders from compromising our computer networks, including banking, defense, the power grid, private enterprises. There's a lot at stake.

Speaker 3:

All right. Joining me now from Washington is Suzanne Spalding. She's a senior advisor for Homeland security and director of the defending democratic institutions project at the center for strategic and international studies. Suzanne . Welcome.

Speaker 1:

Thank you, David. Nice to be here.

Speaker 3:

Hell of a time in Washington. I mean, I can not just talk to you about cybersecurity without getting your feelings and your reaction to what happened in the Capitol building yesterday. It's shocking.

Speaker 1:

It is shocking. It's appalling. Uh, it was , um, distressing on so many levels, not had just on Tuesday. I've been talking to a young girls , seventh grade through 12th grade about our democracy and they had a lot of questions about why they should trust to believe in our democracy. And I told them , um, it is worth fighting for, it must be fought for not because it's perfect, but because it has the capacity for change. Uh, and we all must be agents of that change, but that change has to come about peacefully through our democratic process. Thank surprise.

Speaker 3:

Is it Suzanne? Sorry to interrupt. But I mean, when you see the president constantly saying that the elections were false, the election is being stolen. Eventually people started believing it. Even if there's no evidence in 60 some odd court cases, they get angry. Then he encourages them to go to the Capitol building. I mean, you can't keep throwing kerosene on the fire like w without an explosion, can you

Speaker 1:

Now I met Rami, had it right when he talked about an insurrection incited by the president,

Speaker 3:

Should the president be removed?

Speaker 1:

You know, those are decisions that his cabinet will have to make. Congress needs to look at that. I certainly think we are in a very dangerous and perilous place for the next two weeks between now and January 20th, if he continues to be the president of the United States.

Speaker 3:

Talk to me about cybersecurity . I mean, you've had a terrible hack , uh , inside the United States, you also served as a member of the cyberspace solarium commission. You were also the under secretary for the department of Homeland security, and you led the nation's , um, the national protection and programs directorate now called the cyber security and infrastructure security agency. You managed , uh, I mean, a lot of the budget that was supposed to protect government agencies in this hack is not only about , uh , companies, but also many government agencies, such as treasury that have been hacked into.

Speaker 1:

Yep . So the, you know, this is not a case where you can say the system worked, the system did not work. Um, but, but I will say the system was not designed for government agencies. They , uh , intrusion detection system, which we call Einstein was not designed to catch things that we'd never seen before. Uh, and that's something that, you know, they've been working on, but what needs to needs to happen. We need to get, we've been telling our private sector partners this , uh, we need to get to a point where we can detect malicious activity , uh, that we've never seen before. Right? We need to understand how to detect anomalous behavior. So there was a failure there, but there's also, this should also be a reminder to folks that our planning needs to assume that everything we put in place will fail in terms of keeping the adversaries out of our systems and that we will be breached. And now how do we mitigate the consequences of that breach? What are our mission essential functions? How are we going to make sure they continue?

Speaker 3:

Surely that was already framed around cyber security protections in the United States? Was it not ? I mean, you know, that you're in a constant chess game, not only with hackers and individual hackers, but I mean, people like the SVR in Russia and the FSB and the NSA and the FBI and Homeland security are saying that this is an ongoing hack. What does that mean? And are they not able to very quickly shut it down and limited ? Well, no, they

Speaker 1:

Have to find it first. Uh, and once it's in your system, very difficult to get the adversaries out , uh, on a permanent basis. What we've seen in the past , uh, with the very actors that we suspect are behind this , um , hack, is that they will do hand to hand combat. I mean, you, you will think you've gotten them out of one place and they'll pop up somewhere else. They don't just melt away quietly and go away when they are detected. And so , um, it will be a long time finding all the places that they may have managed to infiltrate throughout our system and, and a very long time , uh , rebuilding in a more secure way

Speaker 3:

Comment on the fact that president Trump eliminated the role of cyber security coordinator in 2018.

Speaker 1:

Well, I think it was a huge mistake. Uh, and I was pleased to see , uh, the , uh, Biden incoming Biden administration announced yesterday that they are going to restore , uh , central cyber security coordinator in the white house. I think it's critically important. We have so many parts of the government and the private sector that bring important capabilities, resources, authorities, to bear, and it needs to be coordinated from the white house.

Speaker 3:

I just played this eternal chess game with Russia where, you know, we try to block them. They try to go around, they try to get in, or does it become, I mean, at what point is it, I mean, is this just an , another layer in spying and espionage or at a certain point, do presidents speak to one another and say, wait a minute, there's gotta be some rules here. You are intruding into critical systems in America. And we view that with great disdain and there will be a penalty.

Speaker 1:

Absolutely, absolutely. And so , uh, certainly in the Obama administration, in which I served, we worked very hard to establish norms , uh, around the protection of critical infrastructure upon which a civilian society depends. Uh, I don't think that we just can just dismiss this as traditional spy versus spy espionage. Uh, we need to assume that they're doing at a minimum reconnaissance that would enable them to cause disruptions in the future.

Speaker 3:

It's naive of me to think that a conversation is going to solve it because the Russians or the Iranians or the Chinese, whoever they be are going to continue to just go at this whenever they can, if they can steal secrets, they'll steal it .

Speaker 1:

Absolutely. But the lack of a conversation is, is more damaging. You can, a simple conversation is not going to deter or stop our adversary, but not having that conversation. Certainly emboldens them.

Speaker 3:

Last question to you. What do you think the damage is potentially that was done? When do we know? And are you worried that they were doing more than simply stealing secrets? They were trying to embed something.

Speaker 1:

So I'm worried , uh , about all of the above, but what I'm most worried about is that they may have been doing reconnaissance, you know, getting access, for example, to industrial control systems that control machines or the electric grid. It's not sufficient to have a really damaging impact through a cyber attack. You need to understand those operational processes. You need to understand what would be hardest, for example, to, to repair, to recover. Um, how can you have that impact? That requires a fair amount of reconnaissance. And, and my worry is that , uh , while we didn't see them necessarily get into operational technology, that they're gathering information to be able to have that kind of disruption, perhaps with access they've already achieved,

Speaker 4:

Should the public be worried about it?

Speaker 1:

I should be worried about it, not, not losing sleep over it, but they should be demanding that our public officials , uh , take this seriously and act with the sense of urgency that is required. And I was pleased to see the Congress enact , uh , many of our recommendations from the solarium commission in this new , uh , most recently signed defense bill. That's what needs to happen. We need to, we need to move forward on the things we know need to be

Speaker 4:

Suzanne Spalding at the center for strategic and international studies to , public's got a lot of things to worry about these days. Don't they? Thank you so much. Thank you . All right. Adam Darragh serves as the director of intelligence for vigilante in South Dakota, a US-based cyber intelligence firm. Hi Adam. Thanks for joining me. Appreciate it, Dan . Thank you. There are now seeing the 250 companies were hit by a Russian intrusion. Um, and there've been all sorts of characterizations and descriptions of this hack. How would you characterize it? It seems unprecedented.

Speaker 5:

Yeah, it does seem that way. Uh, but I characterize this as , uh , espionage , um, your standard espionage operation , um, which from an adversarial point of view, they consider inbounds and they are probably thinking we are doing the same things to them. So , uh, I don't see this as a , I believe it to be unprecedented in terms of what we know about it publicly. Usually these types of intrusions are kept , um, much more quieter, but , uh, yeah, this is , uh, this, it just demonstrates the sophistication and the vigilance of our adversaries. They are, they are , um, very sophisticated. They are aggressive and they are relentless.

Speaker 4:

It sounds like it's Russia, according to the NSA, Homeland security , uh , the FBI, everybody, but Donald Trump is naming Russia.

Speaker 5:

Well, you know , um, there are only,

Speaker 4:

Which means that's probably an, a confirmation

Speaker 5:

Perhaps. Um, uh, yeah, th the , the Russian, the Russian security services definitely meet all the requirements of this type of intrusion and this type of espionage campaign. They're very good. Probably the, one of the best in the world.

Speaker 4:

So the, the, those agencies also declared it as an ongoing operation nearly a month after it's discovered. So I now, you know, talking to people who don't know anything about computer hacking, does that mean once they're in there, they're like rats in your attic trying to get them out.

Speaker 5:

It is, it's a , that's a very good analogy. Um, and not calling the Russians rats, by the way, just saying , um, that, but yeah, that's a very good analogy. Um, there are very smart and capable people on the inside. And so when an intrusion like this is discovered , um, you know, th the , the sophisticated nation States like Russia, like China, and in , in some very small pockets of Iran, actually , um, they they've used this initial intrusion to pivot because they want the family jewels. They want the crown jewels , uh, on classified systems. And so , um, this is, this is , uh, probably why , uh , these very good agencies are saying things like, yeah, like we, this is an ongoing thing because the forensics that are being done behind the scenes by very smart people , uh, you know, it takes time , uh, because they're good , uh , though the Russians are very, very good. And so it does take time to make sure that you pull on all the threads and follow each thread to its logical conclusion, because again , um, they want intelligence, they want to know our plans and intentions , uh, and they want to use the information gleaned from such a substantial , um , intrusion such as this to , for onward intelligence, operations, human, and human intelligence, operations, technical , onward, technical operations, internal counter-intelligence operations. I mean, this is a , this is a rich targeting set that they've had.

Speaker 4:

How were they able to do this? Because, you know, we've had hacks before, and then we hear that everybody's going to overhaul their system. Um, the idea that they would actually penetrate , um, private companies and then government agencies and agencies like treasury , uh , and worse, and then remain in there for months at a time. I mean, it's, you know, somebody again , uh , a layman listening to this, it just amazes me that we're not better at detecting.

Speaker 5:

Yeah. Um, that's an excellent question, Dan . Uh , and, and when you have, when you have multiple buildings dedicated to this endeavor , uh, in the Russian Federation, you have some of the, you have some of the world's most foremost technical , uh, experts with incredible acumen , um, and a very aggressive mindset. Uh, vis-a-vis the United States. So , uh, the way this works is a full as a full approach, they use open source intelligence, they use human intelligence, they, they use company insiders, you know, nothing is off the table with regard to a sophisticated intelligence operation. And this, this has all the makings of somebody that probably was recruited by the intelligence services to help them understand more. Now they may have been an agent is what we say on the inside. Uh, they could have just had a really cool friend that they bounced code off of. Um, the Russians may have also recruited, you know, third party foreign nationals in other countries to, you know, hire as contractors. So again like this is , uh , this is a really, really well thought out and a sophisticated operation that , um, that they almost certainly used a full whole of government approach in , in orchestrating this, this particular hack .

Speaker 4:

And it was done inside the United States

Speaker 5:

Almost certainly. Yes, that's, that's what that, that's what gets me that feeling in my stomach of like, Oh my goodness. And, and, you know, on the one hand you want to, you , you, you are legitimately outraged, right? One can be legitimately outraged , but on the other hand, you think, well, I tip my hat. Now we need to be better.

Speaker 4:

Mr. Warner, the vice chairman of the Senate intelligence committee said, you know, we need to make it clear to the Russians that any misuse of compromised networks to produce destructive or harmful effects is unacceptable and will be promptly met with a strong response. Is that the answer? I mean, Russia is going to do whatever it can to steal whatever is stealable, isn't that the game

Speaker 5:

It is the game. And, you know, and , and let's separate the games, you know, politicians have a game to play, and I understand that. And, and I think it's respectable those comments, you know, those are, those are those need to be said, you know, we need to send a message that, Hey, you got us, but, you know , um, we're going to do what we can to defend ourselves. I mean, that , that is a political message that, you know, I'll leave that to the politicians to figure out how to best message that. But as far as you know, when we talk about the game that we play, it is a shadow, a game of shadows. It's a game that's played , uh , behind the curtain, and you can see this. Um, you can see this in the response of , of the two different, you know , um, societies , let's call them the two civilizations. You have the Western civilization that is much more open. Uh, and so I applaud the response of, of the companies of the government, you know, even internal government , um, not being on the same page, you know, internal, like , uh , robust disagreements that that's, that's the consequence of living in an old , more open society, you know, but the Russians, you know, they, they reacted, you know , in such a way that they're signaling to us, in my opinion, that they want to go back to the way it was before 2016, which is the , Hey, let's keep this, you know, let's keep these things behind the scenes. You know, they're, they're now they're denying it, of course, because that's their job. I mean, that's, their job is to deny it. I mean, you don't say yes, that was us, which they did in 2016. They said, yep . That was us. Um, as a signal to us, that to say, Hey, look, let's get back to the old way of playing this game. Let's keep it behind the, let's keep it, you know, for lack of a better term spy versus spy. But , uh, my goodness, what's the answer. The answer is , um, you know, to continue to recruit the best talent , um, everybody must be vigilant. And th the mindset has to be that if you are a private person or a private company that does business with the United States, federal government, you are inbounds . You have a target on your back too . You already legitimate recruitable intelligence, target, and entity. And so adversarial governments are going to come after you, your networks. And because they want to know what we're up to, just like the United States wants to know what other countries are up to our adversaries. Also want to know,

Speaker 4:

I remember reading a book about , uh , the black volt and the beginnings of the NSA. And in that book, there's this incredible chapter because I've been to come Chaka peninsula inside Russia when I was a correspondent. And that was where a lot of their submarine pens are. And the fact that, you know, in that book, they revealed that an American submarine went to the bottom of the [inaudible] peninsula and buried into a cable which monitored military communications , um, from the , the main sort of Russian mainland out to come Chuck it to the peninsula. And it was revealing in the sense that it showed that a lot of the Russian critical communication, especially military communication was, you know , certainly not computerized in those days, but even in Y2K, Y2K days in 2000, you know, a lot , a lot of it was not put on the computer systems and that it was hardwired and it was old school and old style because they understood the vulnerability. Forgive me for a long question, the vulnerability of computer systems. Right. And do we understand, are we overconfident in the West about our , uh, protection systems? And do we think that we're never going to be, our systems are going to be penetrated the way that the Russians have just shown us once again , uh, that they can and will do.

Speaker 5:

Yeah. Um, I don't think the people in my former circles and current circles , um , circles , uh, definitely don't think that we're, we're untouchable. Let's just say , uh, the , the, you know, in the, in the cybersecurity community , um, there are a lot of individuals who, you know, their default is their default is, Oh my gosh. Like they only see our vulnerabilities, right. Same in the intelligence community. Uh, especially in the, in the smaller circles of like , um, offensive , uh , technical operations, defensive, technical operations, all those wonderful individuals see are the vulnerabilities. Uh, and so I don't think , uh, from the United States point of view, we've never thought or under , and we definitely do not underestimate , uh, the Russian capability , uh, with regard to what they can do against us and what they do against us. Uh, the mindset is if this is what we imagine, what we don't know,

Speaker 4:

You don't think to use your term, they got the crown jewels.

Speaker 5:

Oh gosh, no, I don't think so. I think that's what they want. Uh , and I think that's why they do these, these operations , um, you know, and don't get me wrong. Um, if I was sitting at my desk at my former job and I had access to the Russian equivalent of the information that they got, I mean, your careers made, I mean, that's, that's just unbelievable. And it it's a rich targeting set, no matter what, even if they didn't get the family jewels or the crown jewels , um, that it's a very rich data set. And we can learn a lot from, from the type of people, they employed, what they talk about , uh, people people's personal problems and, and, and also Danna . They're watching us very closely, both from a technical perspective, like what, how did we respond once we knew? What did we do? What countermeasures did we take? How was this playing in their media? I mean, this is a very, very interesting time. And there are many, many people back in the Russian Federation watching us and figuring out, okay, how do we pivot what's next? Now that the Americans did this, they message this, we did this, what can we do next?

Speaker 4:

It's just a never-ending chess game, but do we do the same to Russia?

Speaker 5:

Yes. Uh, we have a wonderfully talented people who have been students of that fascinating civilization guys, like you that live there and they get it and they've studied it. And they've, they've gone head to head with the Russian target, you know, behind closed doors. And , and so there, there is a rich understanding of, of the Russian mindset and there's a rich understanding of, of their capabilities. We do not underestimate them. Um , at least behind closed doors, we do not underestimate them. And , uh, a lot of really intelligent people on both sides of the pond are fully engaged. In this question,

Speaker 4:

You sound very confident that we're still pretty smart in the West. And yet this was such a broad, deep hack across so many businesses and agencies. And I mean, the one company, you know , um, um, out of Texas, you know, handled some 18,000 companies. I mean, it's , it sounds like we , we didn't do very well.

Speaker 5:

Well, here's the thing Danna like , uh , and I want to , this is another clear cut . This is an example of the difference between a more open society and an a in a , in a different mindset, right? You have, Russia has a very different mindset here. I applaud the, these public companies who had, who had to do a public Mia culpa. I mean, that's not easy, you know, but we live in a more open society. So I applaud fire. I applaud solar winds that they came out Microsoft. I mean, nobody has run away from this and is pointing fingers. Um , but that , that's very Western. It's very American dare I say. Um, because like, we want to be better. Um, yes, we have egg on our face. Don't get me wrong. There's definitely egg on our face. But , uh, you know, again, it's, it's this do the dual nature of man . On the one hand we have this like indignation, we're angry. We're like, let's get , I'm like, ah, we're embarrassed, we're angry. But on the other hand, it's like, okay, I tip my hat, you won this round. Like, but we're going to be better. Uh, but you know, something like this, this type of disclosure, let's say, hypothetically, this happened to the Russian equivalent of these companies. There wouldn't be public discussion about this. Um, and so again, like it , it's not better different or worse, different, we're just different. And, and these types of disclosures , you know, the, our press is doing its job, Bravo. Our government's doing its job. You know, the press is keeping us honest, you know , uh , you know, they're editorializing this, that's fine. We welcome these robust discussions. We welcome them here in the West. Um, uh, but you know, and , but you know, Russia, Russia is good. They're very, very good. And they're very, very motivated to , uh , find out what the heck we're up to here in America. And in , in the UK, in the West in general,

Speaker 4:

Adam Dara , the director of intelligence for vigilante, US-based cyber intelligence for him . Good to talk to you, Adam. Thank you.

Speaker 5:

Thank you, Dan . Appreciate it.

Speaker 4:

All right. Glen Chism joins us now. He is in California and he's the CEO at obsidian , uh , which protects cloud services from account takeover. Uh, they say that , uh , they protect from insider threats and identity sprawl, which I have no idea what that is. Glenn , what is identity sprawl?

Speaker 6:

It's just the normal effect of a company's changes, gross motor movements. And, you know, everyone has an identity in the computer system and whether those accounts are , and those identities are properly maintained and reduced and controlled over time.

Speaker 4:

All right . So there's a lot of firms out there that claim that they do computer protection. I mean, yours in particular , uh , you say among others on your leadership team are former members of the national security agency. The NSA is that right?

Speaker 6:

Yeah. Two of my co-founders are ex NSI .

Speaker 4:

All right . So you should be very muscular in terms of security, computer security, and you should tell me , um, how in the world, and I know you're not responsible for it, but how in the world do you think 250 companies and government agencies have been hacked likely by Russia?

Speaker 6:

I think what you're dealing with is I very thoughtful and deliberative. Who's willing to spend significant amount of time and preparation and resources to get into their targets. Um, and given that type of mentality, then you are going to expect some degree of success

Speaker 4:

And you would expect that these guys would just keep on coming. I mean, that's, that's always been the game, isn't it? That the Russians or whoever are trying to hack into American system?

Speaker 6:

Yeah. I mean, I think it's, it's, feticide this, this class of attacks is often referred to as IP today's, which are advanced persistent threats. And the reason why they're persistent threats is because the opponent is resourced and motivated in a way that allows them to continue to target you. Um, they don't have to score some immediate return . This isn't a pedestrian criminal that has to make money. This isn't a crime scene together. That's going to look for the easiest opportunity to get a cash return. Uh, these are people whose motivations are nation state oriented, and with nation state orientation comes patients time and just the continual repetition of the attack.

Speaker 4:

How would you describe knowing what we know about it? And I assume you don't have any firsthand knowledge of it, but how would you describe the depth of this hacking and the seriousness of it?

Speaker 6:

I mean, I think this is, this is obviously going to be one of the most iconic , uh , computer security breaches of all time is , is , is I think a reasonable statement. Uh, I don't think there's any hyper ball in that from a , from a , from a depth and approach perspective. Um, you know, this is what is referred to as a supply chain attack. You know, you, you look at that target, the target may be difficult to get into it, maybe well defended , um, it may have good controls in place. And so it becomes the easiest way to do it is to find the weakest link in the supply chain or , or let me rephrase that . That's unfair find a link in the supply chain that you can explore it once you're in that link into the supply chain, use that to move into the other companies. And that's what was done here. It's find a software supplier that is broadly used break into that supplier, sit there for a period of time, make sure you're not detected, modify this software to let this software allow you to get into other organizations and then sit there for a period of time, make sure don't have to take to it . And then start to extract information at the value .

Speaker 4:

This was a Texas firm named solar winds, reportedly.

Speaker 6:

It does. The P is solar winds was a key component in this attack, but it also appears that there were other suppliers in the supply chain that were targeted. Um, and it's, it's fair to say that because we do know that the company that found the bridge , uh , and the one that I think has, has, has shown themselves to be extraordinarily responsible and thoughtful about this, which is, which is far I, and I have no stake in fire. I have no shares. It's nothing like that. It's just that nice down the breach that we're very public about it though. They assisted everyone else and understanding the nature for the breach and help track it back to its souls , which is solar winds . FARA is also a supplier . So, you know, if , if they were targeting FireEye, that was another element of the supply chain that they were targeting and that work's going to use that to get it elsewhere. So I think it's, it's that there's, there's more to this than just solar winds. It's, it's, it's a broader attack and a broader set of approaches that we use to , to , to gain access to these organizations.

Speaker 4:

I mean, the depth of this seems pretty serious. I mean, because , um, the , the one company in Texas , uh , solar winds , actually, maybe it's not fair to say it's solar winds customers, but reportedly there are 18,000 entities here, mostly private corporations. They use the comprised Orien cyst Orion system. Um, so I mean, that's, that's a huge number of companies that may have been affected including government system .

Speaker 6:

Yeah. So, so obviously the attack, the guide access to solve the winds , and then they modified the specifically, are there , there are a product called the Ryan 18,000 people, took the update that , uh , that had this , this malicious code in it now. I mean, it's also fair to say that all the [inaudible] thousand people, the vast majority of those would not have been accessed by this particular opponent, but it did give the opponent the opportunity to access them , whether it was now a LIDAR . Um, and so, you know, thoroughly identifying this attack, the approaches to the attack is important to make sure we clean all of those 18,000 organizations right through from top to bottom to make sure the attacker can't come back into one of those and then start the process all over again.

Speaker 4:

We know that they've left. If you're saying come back in. I mean, it may be according to a statement yesterday by a Homeland security, the NSA and the FBI, I believe said it was an ongoing operations. So it's that, that seems to flirt with the idea that they may still be inside those systems.

Speaker 6:

No, I, I think it's very fast side that the, the, the general understanding that most computer security people, particularly incident response teams applies that the attacker is still going to be there. And the task number one is containing, where are task number two is removing them and clean and tossed . Number three is applying controls to prevent return. So, I mean, certain organizations may have expelled the attack or others might be in the process of doing so. And maybe in the process of doing so for the next six months, do you work with government agencies? Uh, we have some experience with working with some agencies. Yes.

Speaker 4:

What kind of information are we talking about? I mean, when you're called in to protect somebody system, is everything vulnerable, everything from treasury to, you know, I don't want to be over overly dramatic and I'll tell you why I even raised the idea, but to , to say nuclear launch codes. I mean, how serious does it get?

Speaker 6:

Uh, I mean, this type of attack is, is, and, you know, you can see it from the nature of the disclosed. Victoza is far more at the civilian agencies, rather than the DOD type entities, the DOD type entities have far more disconnected systems that aren't connected to the, you know , to the internet or connected to external systems that would prevent this type of attack of had even any , uh, uh , Y successful. Now, obviously there are other ways that the tax code, and there are other approaches that have been applied , um, and, you know, for disconnected systems, we've seen, you know , in the past approaches that have been applied that have been very successful and, you know , um, but, but , uh, what, what I would, what I would say is that the information is going to have value. So the question is, is , uh, what, like what information would you as treasury have that would have information on sanctions programs, individuals who are going to be targeted to sanctions what treasury understood to be components of sanctions, you know, us programs around the economy, et cetera, et cetera. So, you know, the information is very rich and so, you know, there's value to it. Uh, there's value to it, to nation state attackers.

Speaker 4:

So how do you, you know, leave me with lessons learned , um, you know, it , it reminds me like back in 2000, when I was a correspondent in Moscow, we're working for NBC, we recovering Y2K. And the idea that all of the computer systems around the world were bugged in my crash, transportation networks , uh, nuclear launches, and the Russians kind of said, well, you know what, w we're not really on the computer. We're not really computerized very much. So, I mean, a lot of our, I mean, that's 20 years ago, but a lot of our systems, they said at that time, weren't really vulnerable, like Western , uh , systems from, you know , banking and economics to maybe military to , um, were , were any lessons learned there or did the Russians just, you know, catch up or, I mean, and what are the lessons coming out of this? Like, how do you protect like this very important information from both private corporations and government?

Speaker 6:

The, the coalescent is to always be looking and to understand the nature of your environment and the intimate of your environment with every other environment. Um, you know, lessons are always learnt and the processes, and , um, you know, this is, this is, this is different to Y to K Y K I is, you know, or in most situations, you know, what you have to understand is that computer systems are built to be resilient. Um, you know, security systems are built to be resilient , um, the built to be reliable. Um, but you have an opponent, you have a highly intelligent opponent that's highly motivated. And so, you know, this is a unique situation. This , this isn't a normal sort of , uh , set of controls. That one has to balance that is, is, is the standard for managing risk. Um, you know, if you're managing risk in a bank against fraudulent activity , um, you know, you, you don't necessarily have nation States attempting to defraud you when you're managing risk in this case. Um, you know, the nation state may be attended to for the bank, maybe North Korea, because they're attempting to get foreign currency. Um, people tending to target treasury, maybe the Russians, because they want to understand, you know, and I use this as an example, without any direct knowledge of the exact target, but something like sanctioned programs against their individual members of government. Um, they may want to understand, you know , uh, various programs, the us government is running so they can try and identify, you know , intelligent sources of interest . So all of these things are very, very complex.

Speaker 4:

It just seems like it just seems like a chess game that we can't afford to never win that every time we lose that game, whether it be China, whether it be North Korea, whether it'd be Russia, whether it be Iran , um, the , the, the costs are, I mean, we'll probably never know exactly what they got , but the costs are huge.

Speaker 6:

The costs are huge. And so, you know, the lesson learned is investment understanding what your information is, building defenses for your current problems, not yesterday's problems. And that's typically one of the biggest issues that can be faced in computer security is people are very focused on what the loss for each was not what the next breach will be. Um, and so, you know, one of the things I've said before is, you know, your defenses need to be oriented towards where you're going, not where you were. Um, I think that people, people have to understand that to allow themselves to be more resilient against these types of attacks. And then most importantly, with anything, whether it be a human agent or a computer security breach , um, the most important thing you can do is, is detective detection is key because breaches happen . You know, people do become foreign agents. People become, you know , breaches happen. Detection is what matters, identifying the breach as quickly possible, minimizes the scope of a loss. And that is what truly matters, right? Except in this case, nobody know , knew that there was a breach and it apparently went on for months. So it's an it's, it's an unusual one. No, unfortunately it's not unusual. That's the problem. It's, this is more normative that the breach goes on for a period of time. And that's, that's the problem. You know, these type of nicest state breach is getting to take it very quickly is unusual. So that's why the controls need to be so well thought out. That's why detection needs to be so well thought out. And that's why you have to be moving to where the attack is going. Not where the attacker was when Chisholm with the obsidian. Thank you so much, Glenn . Thank you. Appreciate it.

Speaker 2:

That's our backstory on a computer hack that still hasn't been untangled in is ongoing. And we really don't understand yet the loss and the thread it's posed . We appreciate you subscribing sharing, supporting us by spreading the word on backstory. I've now started a daily newsletter to help people navigate the news. And that includes news links. So you can read original sources news. I think that's fair and impartial and not anchored in the disinflation . That's confusing. A lot of people it's Dana's backstory on sub stock . Please sign up. I'm Dana Lewis in London. Thanks for listening. And I'll talk to you again soon.