S1: The problem with trying to understand the massive data breach the United States is dealing with at the moment is that the list of industries and agencies that have been impacted just keeps growing. There are Fortune 500 companies, places like Microsoft and Cisco, and then there’s state and federal government: the city of Austin, the U.S. nuclear weapons agency, the Department of Homeland Security. And Slate’s Fred Kaplan, he says right now all these places have got a bunch of workers scouring their back-end systems, looking for clues.
S2: What they’re doing, they’re going through logs, who has come into this system and they check the, you know, the digital ID of the IP address of whoever has come in.
S1: So they’re checking the guest list. You’re kind of.
S3: And they now know about it, 15 or 20 of these that are associated with the hack, so they look for those IDs. They are looking for signs of a perniciously quiet kind of infiltration, infiltration made possible by malware that rode in as part of a software update that got pushed through months ago to nearly 18,000 clients of a firm called SolarWinds.
S4: The malware would be downloaded, but then they wouldn’t take advantage of it for days, weeks, sometimes months. So you have to dig deep into the logs to try to even find this thing.
S2: We’ve never really seen anything like this.
S1: Everything about this hack is shrouded in unknowables. Who is the target? The target seems to be everyone. What information have the hackers taken? We might never know. The only thing cybersecurity experts do seem sure of is who was behind the plot.
S2: You seem very confident that this was Russia. It’s just the kind of thing that can really only be done by a state actor. I mean, it’s been traced to Russia for a lot of reasons. But one kind of inferential reason is that really not many other countries could have done this. I mean, they individualize the malware for each different target they put on it. This was something that took a long time and a lot of money that there is really no private hacking company that could have financed this.
S1: It’s just too expensive. Yeah, yeah. And the only reason any of us know about this operation in the first place is because the people behind it got too ambitious. They tried to hack into a Silicon Valley security firm who noticed the infiltration and raised the red flag. If they had been hacked, if the Russians had said, no, let’s not go there, then we probably still wouldn’t know about it. You know, on the Sunday shows this morning, a senator went on and basically said, well, you know, the good news about this hack, it looks like, you know, the confidential servers have not been breached. And you know where we’re finding out more and more every day, does that reassure you?
S2: So that might be true. But, you know, a lot of these discoveries, whether in unclassified or unclassified systems, are discovered accidentally. I mean, I find it not at all assuring that the federal government, which has intrusion detection systems, they didn’t detect this for eight months. So, you know, any time something like this happens, you catch it. You have a sigh of relief. You go looking for other things. You don’t find them. You have a very tentative sigh of relief. But then you’ve got to wonder what’s out there that we haven’t found yet.
S3: Today on the show, this hack leaves the U.S. facing an urgent question. When you’re dealing with a digital incursion, what are the rules of engagement? I’m Mary Harris. You’re listening to What Next. Stick with us.
S1: There’s a name for how this huge hack is playing out. It’s called a supply chain attack, and it works like this. A hacker plants malware in code used by a software company to build its products. It’s called trojanizing because the malware then gets popped into the software company’s own code. So when they send out an update, it’ll give hackers access to all of these private networks. So instead of hacking the government, you’re hacking someone who already has access to the government. As digital security has gotten tighter, complicated hacks like this one have become more popular, especially because supply chain attacks are difficult to detect. Can we talk a little bit about what this hack might mean? Because it feels so unknowable. It’s not like a million credit card numbers were stolen. It’s vaguer than that. So when you look at what’s happened, what are your sources telling you about the potential goals?
S2: Well, a lot of it’s just espionage. How are you doing your thing? How are you managing your security?
S1: I love how you said that. It’s just espionage because it sounds like we’re used to a little espionage here.
S5: And again, this is massive, massive espionage, but it’s also. Especially something like the National Nuclear Security Administration. OK, let’s say the classified part of that is off limits to these guys. Let’s assume that it is. There are still things you can learn about the budget, about programs, where the money is going. In other words, if you took a comprehensive pile of information that happened to be unclassified and put it all together, you could come up with some secrets. You could come up with some things that cumulatively would be classified.
S1: So in some ways, the hack is so big that it’s not just one goal, it’s many goals. So what is so frustrating about this hack, according to Fred, is that the government should have seen it coming.
S2: The U.S. has been vulnerable to cyber attacks since way back when the Internet was first created, going back to the very, very beginning, the dawn of the Internet age. In 1967, they were about to roll out something called, it was then called the ARPANET, was the progenitor of the Internet. But there was a computer scientist named Willis Ware. He was the head of the computer science division of the RAND Corporation, and he was on this scientific advisory board of the NSA. And he wrote a memo at the time and he warned Ticketek, OK, look, this is a great thing. But you have to realize that once you set up something like this where you have multiple unsecured access to information that might be confidential, you’re creating inherent vulnerabilities. You might not be able to keep secrets anymore. And when I was doing research for a book I wrote about all this called Dark Territory: The Secret History of Cyber War, I went to the guy who ran the ARPANET program. His name was Stephen Lukasik. And I said, were you aware of Willis Ware’s paper? And he said, Yeah, I knew I was sure. And I said, Well, what did you think of this paper? And he goes, Well, I took it to my team and they read it and they said, Oh, God, listen, don’t saddle us with a security requirement too. I mean, look how hard it took us to get to where we are. This would be like telling the Wright brothers that their first plane at Kitty Hawk had to be able to fly 20 passengers 50 miles. Let’s do this step by step. It’ll be decades before the Russians can do anything like this anyway. And it did. It took about three decades for the Russians to be able to do this. And in the meantime, whole networks and systems had grown up with no provisions for security. Now, since then, there have been provisions for security, but they’ve sort of been back loaded on to this system that makes them vulnerable to, I imagine. Oh, yeah. But I mean, the basic structure, you’d have to start all over if you wanted to have a hack proof thing.
S1: It’s just it’s in the nature of the technology, which isn’t to say people didn’t try at one point or another to make our cyber networks more secure. But there was always some holdup or objection that led to the can getting kicked further down the road. Part of what stands out to me reading your work over the last number of years is that this kind of hack, this wasn’t a failure of imagination on our part. Like you tell a great story about how Ronald Reagan saw the movie War Games with Matthew Broderick, where a teenager hacks into a defense system and said to his people, hey, could this happen? And commissions a report. And the answer is, yes, it could.
S5: And that was in 1983. And that was the unlikely beginning. That led to a directive, which was the first government policy on what we now call cyber security. But it didn’t go anywhere because the guy who wrote the directive was working for the NSA and basically he wanted to give the NSA the authority to set the standards for all computers in the United States, private, public, everything. And there were civil liberties activists in Congress and elsewhere who quite rightly said, no, this is not a good idea. And so the idea was kind of sort of disappeared for about another decade until real hacks started to appear on the scene in the 90s when Clinton was president. There were, you know, colonels and generals in the military who never used the computer. You know, Clinton didn’t use the Internet. It was all very new. And then there were measures proposed to impose mandatory cybersecurity requirements on what they call critical infrastructure, you know, things that make society run, banking and finance, waterworks, oil and gas, electrical power, stuff like that. And these are all in this country, mainly controlled by private companies. And they resisted any such requirements as onerous regulations and they kind of got away with it.
S1: The head of U.S. Cyber Command is a guy named Paul Nakasone. And I was struck by the fact that back in 2013, he was speaking to Congress and basically admitted that the U.S. is a punching bag when it comes to, you know, our access to data. And this hack seems to have proved that, right? But it does make me wonder, like, is he not doing his job?
S2: No, he’s doing his job. What he’s doing, he’s reciting a fundamental and inherent fact about this technology. When people are still going around the country giving speeches, I did some of these, and I would always tell conferences of cybersecurity people that your job is secure. You are going to have this job for a long. We could find the cure to cancer and set up colonies on Mars and you will still have your job.
S3: When we come back, what Fred Kaplan thinks the U.S. should do next.
S1: Can we talk about how hard this hack is going to be to clean up? Because I was struck by the op-ed in The New York Times by the former Homeland Security chief, who basically said, we’re talking years. Like, I just wonder, as soon as this news broke, were people in Homeland Security, like, setting fire to their laptops in order to go out to shut down anything that had SolarWinds on it?
S2: But is that even possible? Well, I don’t know. It’s a lot of computers. So then what do you do? You just sit there, you know, having messengers take things back and forth every like 30 years ago. No, I mean, I was told last Friday that it is still not known where this malware came from. In other words, they know that it was inserted in the back door and some supply chain, but they don’t know exactly where. So the same supply chain could be, you know, providing the ingredients for some other networks as well that we just don’t even know about.
S1: So that kind of brings me to this question, which is what do we do now? I’m curious what you think the prescription is, both in terms of how we deal with Russia and then also in terms of how we beef up our infrastructure?
S2: I think we do have to go back to the idea of some kind of mandatory security requirements. So regulation there is a lot of industries where you have these you just got to be able to install certain things as a matter of course, in terms of what you do about Russia. Now, I’m not really sure. I think at some point you say, look, this one just stepped over the line. We’ve got to take some measures. And I think this is something I’m still thinking through and I’m talking with others who are thinking it through. One of the things you do is you do something that damages Putin personally.
S2: Why does he had to approve this? And you’re saying here we’re punishing you personally. You know, the CIA, for example, knows where all of Putin’s money is, but there are certain I think it’s time to step up, that kind of thing. I’m not quite sure what it involves, but, you know, for a while we were like issuing indictments to the heads of some Russian or Chinese cyber groups that, you know, come on, that’s not nobody’s going to extradite these people. I guess if one of them was foolish enough to travel to the United States, they could be arrested on the spot.
S1: But that’s not going to happen. Fred says the problem with drawing a line like this is that the rules of engagement are actually pretty unclear. Humans have been engaging in armed conflict for a long time, but cyber warfare that is brand new.
S2: There has not been very much systematic thinking about what is cyber deterrence, like nuclear deterrence. Weeks after the bomb hit Hiroshima and Nagasaki, there were civilians who are thinking, OK, is this a fundamentally new kind of bomb? Is it just a regular bomb, but it’s a lot bigger? Or does something fundamentally change here? And it’s fundamentally changed. The big task now is to prevent war. And so how do we deter another country from attacking us? And they came up with this idea. Well, we have to have a secure second strike capability, some weapons that we can keep relatively invulnerable. So they attack us. We can attack that. We can answer them in kind. Well, and that, you know, that’s pretty much it. And it’s kind of worked. With cyber, where do you draw this line? You can’t just say you attack us with cyber, we’re going to attack you, because there are millions of cyber attacks. Where do you draw the line? What is the difference between, you know, a nuisance attack and something that genuinely harms national security? And if a bank is attacked, well, that’s the bank. What, a dozen banks are attacked? Is that something the federal government should get involved in protecting? I mean, there are all these questions, very nasty questions. Where do you draw the line? What are you going to promise that you will do? And while there have been some think tanks that have talked about this, this has not yet been worked out. There is no real systematic strategy. In terms of analogizing into nuclear weapons, we’re still like in 1946. We haven’t worked out the concept. We haven’t worked out what a cyber deterrence conceptually.
S1: Huh. Like we’d know if some soldiers marched across our border like oh being warfare.
S2: But when someone marches into our computer systems, not so much. Robert Gates, when he was secretary of defense, this is when Bush was still president, he kept getting these daily reports about all these things getting hacked. And he put a question to the Pentagon’s general counsel saying, at what point do these attacks amount to an act of war as defined by international law? And he got the answer back like months later, and it’s under some circumstances, it could be deemed an act of war, but they didn’t really say much more than that. I mean, a little vague things like maybe if somebody is killed or significant property damage, whatever that means. So this is something, I mean, we’re in the thick of this. We’re in the thick of it. And the technology has gone way, way, way, way ahead of policy. And we haven’t worked out a basic strategy, much less an operational one, to deal with this.
S1: I do wonder if the fact that this hack was so broad makes our response more simple, because there are so many people, countries, companies that were affected that we have a lot of allies if we know how to use them.
S2: Well, that’s true that whatever it is we do, we shouldn’t do it alone. It should be done with a lot of allies. And, you know, there are about 20 countries that have militaries with cyber offensive units in it to one degree of effectiveness or another. But, you know, that’s the other thing. In this book I wrote, Dark Territory, where the title comes from is that what Robert Gates, the secretary of defense, getting all these briefings about when a hacker or another, at one point he told some colleagues, just like, we’ve got to get together. Even during the height of the Cold War, there were certain rules that the US and the Soviet Union followed. For example, we don’t kill each other’s spies. We’ve got to get together with the cyber powers and work out some rules of the road, some rules of engagement, because we’re treading on dark territory. Accidents are going to happen. OK, that was back when there were maybe four or five countries that you could have dealt with and probably could have got together some big forum where they would work out a kind of Congress of Vienna to figure out how they were going to do this. Now, you know, these countries include Iran, Syria, North Korea. You know, how are you going to go to Congress of Vienna, including these people? It’s really sort of spun out of control.
S3: Fred Kaplan, thank you so much for joining me. Thank you. Fred Kaplan is Slate’s war stories correspondent. His most recent book is The Bomb: Presidents, Generals, and the Secret History of Nuclear War. And that’s the show. What Next is produced by Davis Land, Daniel Hewitt, Alaina Schwartz and Mary Wilson. We’re getting a ton of help right now from Frannie Kelley. We are led by Alicia Montgomery and Allison Benedikt. And I’m Mary Harris. You can track me down on Twitter. I’m at Mary’s Desk. Thanks for listening. I’ll be back in your feed tomorrow.