The Russian Cyberattack Shows Major Flaws in National Cybersecurity
Tanzina Vega: Earlier this month, the Cybersecurity and Infrastructure Security Agency, or CISA, warned federal agencies that a wide-ranging cyberattack had infiltrated a number of government agencies, including the Department of Commerce, the Department of Energy, the Treasury, and numerous private sector organizations. While the extent of the breach is still unknown, CISA said the hack posed "a grave risk to federal, state and local governments and businesses across the country." What does seem to be known is who's responsible for the cyberattack.
Mike Pompeo: This was a very significant effort. I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity.
Tanzina: That was Secretary of State Mike Pompeo on the Mark Levin show last Friday. On Monday, Attorney General William Barr agreed with Pompeo's assessment of the situation during a press conference.
William Barr: From the information I have, I agree with Secretary Pompeo's assessment. It certainly appears to be the Russians.
Tanzina: The only one, it seems, who does not believe the Russians were behind the hack is President Trump, who downplayed the severity of the hack on Twitter over the weekend. What this hack means for our national security and how a Biden administration might handle future attacks is where we start today on The Takeaway. Chris Painter is with me now. He's the US's former top cyber diplomat at the State Department, from 2011 to 2017. Chris, thanks for joining us.
Chris Painter: Happy to be here with you.
Tanzina: Nicole Perlroth is a reporter at The New York Times covering cybersecurity and digital espionage. Nicole, welcome to the show.
Nicole Perlroth: Good to be with you.
Tanzina: Nicole, how were hackers able to infiltrate federal systems?
Nicole: They came in through what's known as a supply chain hack in this case. We know there are multiple ways that they broke in, but so far the only way that's been confirmed is that they actually breached an Austin company that provides some backend IT software to federal agencies, to 425 of the Fortune 500, to nuclear laboratories apparently. Basically, what they did was they compromised the software update that made its way into these systems. When these businesses or federal agencies updated their software, they did it with what was basically a Russian backdoor.
Tanzina: Nicole, is it confirmed that Russians are behind the attack? We heard Mike Pompeo say this. Former Attorney General Bill Barr said this. Do you as a reporter have that confirmation as well?
Nicole: I never want to say we have the confirmation until we've seen what they call TTPs, which are indicators of compromise, which are just techie speak for hardcore evidence that ties it back to this particular Russian hacking group. Everything I've heard suggests that right now the intelligence community believes it's the SVR, which is the successor agency to the KGB. It popped up before, and Chris can probably speak to this, but they popped up in a pretty aggressive hack of the State Department and the White House back in 2014, 2015.
They're really known as one of the most sophisticated Russian hacking units that we know of, and what makes them so sophisticated is they are very quiet. They are very targeted. They're very custom in their tooling; they use custom tools for much of what they do, which makes it really hard to anticipate when they're going to break in. Once they're in, they plant back doors. One thing I remember from the 2014, 2015 State Department hack is that they actually took control of the system that incident responders were using to investigate the hack.
They would come in and they would think that they had eradicated the Russians from their system, and what had really happened is this group had simply taken control of their tools and basically saw what they were detecting and used new implants that couldn't be detected.
Tanzina: Chris, let's turn to you. The Cybersecurity and Infrastructure Security Agency said that the government agencies targeted in this hack may have been compromised since March, and there's data that shows it goes as far back as October 2019. Why did it take us so long to discover this?
Chris: Well, as Nicole said, this is a very sophisticated actor, if it is indeed the Russian SVR, and really everything points to that. The SVR is the equivalent of our CIA or NSA. They're an intelligence agency. They have very good tradecraft. It does look like it goes back to the compromise back in October through this piece of software that people really weren't paying enough attention to.
Tanzina: I'll stop you there, Chris, because why weren't people paying attention? Isn't that someone's job?
Chris: Well, it's a lot of people's jobs, but here's the problem. First of all, offense is always easier than defense. You have to protect all your assets, all your different systems, and a dedicated attacker, especially a sophisticated nation-state, [unintelligible 00:05:32] to concentrate on one vulnerability. Even with that, I'd say that we haven't either prioritized or resourced cybersecurity, particularly the defense, but not just the defense, throughout our entire government and really our country as a core issue of national security and economic security, where it needs to be. I think that's been a problem and it's been under-resourced too. We haven't put the money and resources or priority under this, and during the Trump administration, as you know--
Tanzina: I was just going to ask you, is that a political decision, particularly from the Trump administration, given that so far President Trump himself has downplayed this attack being from Russia, but his own former attorney general and secretary of state are saying this is from Russia? Was this deliberately underfunded or not given the resources because of the potential for Russia to have access to these systems?
Chris: I think from the very beginning, Trump has not been strong on cybersecurity. He's never really paid attention to this issue. It was a very big contrast from Obama, whose own campaign was hacked into, until he made it a priority, maybe not enough of a priority. You certainly see that the Biden administration is looking to do that too, but Trump never really cared about this.
When it came to Russia, just incredibly, anytime Russia did any of what we call malign cyber activity, whether it be [inaudible 00:06:48] this activity, or the big computer worm that was called NotPetya that caused a lot of destruction around the world, including with respect to the Maersk shipping lines, or the election interference, even that attempted hack of the UN doping agency.
Trump would never say anything at best, and at worst he'd undercut everyone else in his administration by saying the Russians didn't do it. What that does, if you don't have that consistent high-level messaging condemning this activity, is it just emboldens the adversary and emboldens Putin to do this again and do it stronger and do it better, and so that's a real problem. Part of the solution is we need to be clear and strong that this is unacceptable.
Tanzina: Chris, we are talking here about a hack that could have, and potentially has already, affected the Department of Commerce, the Department of Energy, the Treasury, numerous private sector organizations. What does it mean to have those organizations or those agencies be hacked? What information is now available?
Chris: Well, it's unclear. This is going to be an ongoing story for a number of weeks, if not months. As Nicole said, it's very hard to get these folks out of our systems once they're in. It's hard to do the forensics to figure out what they've taken. This does look at this point like it is an espionage campaign, and that's serious to be sure, but we're lucky it's not a more destructive campaign. The question is always: is there pre-positioning, which means that you're there to do something more destructive in the long term?
Right now it looks like it's espionage, but even as espionage, there's an incredible wealth of information, even on our unclassified systems at Treasury, for instance, dealing with sanctions, and certainly Russia is the subject of sanctions, and financial information. Homeland Security, how we are defending our networks and how we're defending our physical infrastructure, was there. There looks to be an ever-expanding group of agencies that are targets of this, and private sector companies. This is a mother lode of potential information. Now, how much has been gotten, how it's going to be used, unclear yet, but certainly this is a very sweeping and serious event.
Tanzina: Nicole, has President-elect Biden said anything about this so far?
Nicole: He has. He has said more than the President has said. Last week he said that he plans on imposing significant costs on anyone who would do this. He's just been much quicker to respond to it overall.
Tanzina: Chris, we've reported here on the show about how, before the pandemic, there were a number of hacks on local government systems and on school systems across the country. Do we know whether or not local governments and smaller networks like school systems across the country have also been affected by this hack, or is this really focused on the bigger players?
Chris: My guess is, and again, this is still an evolving issue. My guess is this is focused on high-value targets. Government agencies, big companies, unlikely more local targets. They're certainly the subject of intrusions and also disruptive attacks almost every day. That shouldn't make us feel better necessarily. On the statement about what Biden has said, the other thing he said, which I think is critically important, is that cybersecurity will be a priority at every level of my administration, which is a key thing because it goes back to what I was saying. If we don't treat this as a core priority, and not some outlier technical issue, we're not going to make the progress we need to make.
Tanzina: Chris, Mike Pompeo surprisingly split with the President when he acknowledged that this could, in fact, most likely be the Russians here. Given that split, what type of repercussions would you expect to see, if any, before President Trump leaves office?
Chris: Repercussions for who?
Tanzina: Repercussions potentially for the Russians, the hackers, that people buy-- you laugh because there probably won't be any, is that right?
Chris: Yes. Look, I was pleasantly surprised that Pompeo was that clear and forthright and that Barr joined him Monday after the President called that on this. That's exactly right. I don't really expect any major costs being imposed on the Russians before the next administration. Again, this was espionage, but still, even if it's espionage, which everyone does, every country has done since the beginning of time, it doesn't mean we need to sit still and say, "Good on you." We can still take action. They don't really affect [inaudible 00:11:18].
Tanzina: Chris, just to be clear before we end the segment, you're saying espionage versus what?
Chris: Well, a more destructive attack. Espionage is just the theft of information, but a computer attack that might, say, cripple infrastructure, or go after the internet being [unintelligible 00:11:33] after financial systems. That's another class from this. That more destructive attack could be much more disruptive, but that again doesn't mean we can't react to espionage, especially one as broad as it is and the way this was conducted, affecting the supply chain, which could have even broader consequences. We don't sit on our hands. We can and should take action, particularly calling the Russians out, which unfortunately this President hasn't done.
Tanzina: We'll see if that changes in the next couple of weeks as a new administration takes office. Chris Painter is the US's former top cyber diplomat at the State Department, and Nicole Perlroth is a reporter at The New York Times covering cybersecurity and digital espionage. Thanks to you both for joining us.
Chris: Sure.
Nicole: Thanks, Tanzina.
Copyright © 2021 New York Public Radio. All rights reserved. Visit our website terms of use at www.wnyc.org for further information.
New York Public Radio transcripts are created on a rush deadline, often by contractors. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of New York Public Radio’s programming is the audio record.