What Is the Threat of Russian Cyber Attacks?
[music]
Melissa Harris-Perry: This is The Takeaway, I'm Melissa Harris-Perry. On Wednesday night, Congress passed a $1.5 trillion omnibus spending bill that would fund the government through September.
[music]
Melissa Harris-Perry: It includes nearly 14 billion in humanitarian and military aid to Ukraine. The bill does not contain aid to continue battling the pandemic. Still, it's one of the largest spending packages in American history. One part of this funding package is directed toward new cybersecurity protections for the US, which the Senate passed last week. Republican Senator Rob Portman from Ohio spoke on the Senate floor last week, urging the House to act quickly in signing the cybersecurity bill.
Senator Rob Portman: What the Russians are doing is appalling and the entire freedom-loving world needs to stand up to it. We need to help Ukraine more. One thing they have also done is they've launched these cyberattacks against the Ukrainian government and against the private sector infrastructure in Ukraine. That too is a place where we can help. Again, we need to be sure that we have our own house in order here to be able to be more helpful, to be able to provide the best practices, and to help Ukraine be able to deal with these attacks, both kinetic attacks, these military attacks and also, the cyber attacks.
Melissa Harris-Perry: Although cyberattacks from Russia against Ukraine so far had been low level, there's rising concern that Russian-backed hackers could disrupt key infrastructure and resources like electricity or fuel in Ukraine. Now, Russia's big first cyberattack against Ukraine happened back in 2015 after Russia's attempt to annex Crimea. It launched a blackout attack against Ukrainian electric companies using malware that resulted in a blackout for almost a quarter of a million Ukrainians.
Some lawmakers are worried about Russia turning its ire toward the US. Last May, a Russian hacker was responsible for a ransomware attack against the Colonial Pipeline that led to two widespread gas shortages along the East Coast, though Russian authorities said they arrested that hacker back in January. Now for more on this, we have Joseph Marks, writer at Cybersecurity 202 newsletter for The Washington Post. Welcome to The Takeaway, Joe.
Joseph Marks: Thanks so much for having me, Melissa.
Melissa Harris-Perry: In the midst of all of this, multiple responses, I work at a couple of different organizations, and yesterday, every IT manager with whom I work is sending emails saying, "Okay, you got to go to two-factor authentication," all the things we know are good practices. Let me just start by asking, are those the practices that will protect us from a significant cyberattack?
Joseph Marks: In the aggregate, they definitely are. The thing about even the most aggressive and savvy Russian hackers is most of what they do just relies on the lowest level things. They don't need to do anything too complicated, because we are so under-protected in most cases. Organizations that are doing just the basics of having two-factor authentication set up, making sure that when someone leaves that company, they don't leave that email account out there for a hacker to take over and start sending out spam emails to all of his or her co-workers, that sort of thing really makes a huge difference in protecting an organization.
Melissa Harris-Perry: Password123, that is an insufficient password, right?
Joseph Marks: That's correct.
Melissa Harris-Perry: Let's talk about what cyberwarfare does look like in this day and age.
Joseph Marks: That's a big question that people have been pondering over for a long time. It's interesting because the last decade, the ability of the most capable nations, Russia, China, the United States, to launch really devastating cyberattacks, has increased remarkably. There hasn't been a real major conflict, either between those nations or what we're seeing in Ukraine, which is a highly cyber-capable nation. Russia going after a nation that can't hack like Russia can, but Ukraine is definitely deeply connected and reliant on the internet for a lot of its business.
We haven't seen anything like that yet. A lot of people had thought what we would see is what they call hybrid war, where the military invasion was coupled with really substantial cyberattacks that shut off power for a lot of Ukrainians, that jammed communication, so their government and Ukrainian military couldn't communicate with each other, that really targeted citizens so that they would lose faith in their government. We have not seen that yet. There are a lot of questions about why that is.
Melissa Harris-Perry: Why do you think it is? That's exactly what I was going to ask, if given that that was the expectation. Certainly, there's some capability for doing that. Why does this look like, in some ways, such an, I almost hate to use this language, but an almost old-fashioned war?
Joseph Marks: There are a couple of big theories. One is, just wait, we're going to see it sometime in the next several weeks or months when Russia really needs that, they're going to pull these things out. That's definitely a possibility. Another possibility is the most devastating cyberattacks take a lot of upfront work, and Russian hackers could have just not been terribly well prepared for this.
You've seen the military getting bogged down, things are not going as President Putin expected. It could be that the plans they had for cyberattacks just haven't come off as well as they might have. Another big theory is that a lot of the concern about cyberwar has been a little bit ginned up because cyberattacks are great when you're in asymmetric conflict. When you want to upset the US without getting into an actual war, you can do things like meddle in elections or launch ransomware attacks that hit Colonial Pipeline, things like that.
When it comes to an actual war, if you want to cause panic, you're already engaged with actual military weapons. If you want to take out power, you can send a rocket that does that much more easily than if you launched a cyberattack.
Melissa Harris-Perry: Right. The cyberattack is perhaps more valuable as a tool of warfare if you're not already engaged in this kind of hot war on the ground?
Joseph Marks: Right. When you're engaged in a hot war, it's often a lot easier just to use a rocket or a bomb or a gun to accomplish what you want to accomplish.
Melissa Harris-Perry: There have been some low-level attacks thus far, can you spell those out for us?
Joseph Marks: Most of those on the Russian side have been two things. One, what we call wiper attack. Even before the invasion began, Kremlin-linked hackers were targeting Ukrainian government organizations and some industries, energy, finance, that sort of thing, and wiping data from their computers. That makes it much more difficult for them to communicate, communicate with the public.
We've also seen a little bit from the Ukrainian side toward Russia, mostly run by what they call a volunteer IT army, essentially doing what Ukrainians are doing on the streets now when they pick up AK-47s and defend their territory. These are people who work in tech either in Ukraine or with sympathy for Ukraine, who have volunteered to both defend Ukraine's IT infrastructure in the digital landscape.
In some cases, they've been launching some low-level offensive attacks. Most of those have been denial-of-service attacks, where they try to basically overwhelm Russian government computers with traffic so that their websites can't operate anymore. In other cases, they've been doing a psychological warfare, where they'll send images of dead Russian soldiers to the population, trying to break through Russian censorship.
Melissa Harris-Perry: Talk to me about US vulnerability. We have definitely come to a point in this conflict where I'm beginning to get the text messages from well-meaning friends that are amping up my anxiety around some of this. Either talk me down or help me prepare here. What are some of the ways we should be thinking about US vulnerability? Again, strategically, what would be the value of cyberattacks either against the US or against Western Europe?
Joseph Marks: Well, the strategic value is much more-- Putin tends to lash out. With the barrage of really serious sanctions that the US and Western allies have imposed on Russia recently, he may want to send a message. US organizations have been on relatively high alert for weeks, if not months at this point.
One of the problems is, if you talk about the top firms in the United States, finance firms, things like that, they tend to have really good protection, they've spent a lot of time going through both the technological protections they need and the human protections because usually, the weakest link of these things is that one employee who clicks on a spam email, and that just has repercussions that redound for weeks upon weeks.
Those top firms are doing really well, but all of these smaller firms, they're interconnected throughout our landscape, may not have those terms of the [unintelligible 00:09:24] company that serves that IT firm, their suppliers for that firm. A lot of these companies don't have the kinds of protections that the big guys do, that's where Russia might get in.
Melissa Harris-Perry: Do you have a sense then of how this new cybersecurity bill-- I was worried a bit about such a thing, on the one hand, as I hear you talking about the ways that simply locking the front door can really make a big difference against this kind of crime, locking the cyber front door in this case. I'm wondering, in this cybersecurity bill that is now passed, and now has big funding behind it, are those the resources that will make a difference?
In that cybersecurity, are there any anxieties or challenges about freedoms, particularly maybe intellectual freedoms? War can sometimes lead us in our fear to make security-based choices that also then ultimately reduce liberty?
Joseph Marks: This is a start in getting the cyber landscape in order. One of the problems is we talk a lot about the cyber threat to the United States, but government, in particular, doesn't have a really good handle on how bad they are, because a lot of times there are hacks that we just don't know about. The requirements for companies to disclose when you're hacked are really minimal. They vary from state to state.
There's often a long lag time and even that often they don't report just that they don't know. The goal of this bill is to mandate that at least companies in critical sectors like finance, energy, healthcare, transportation, have to report to the government within three days if they suffer a cybersecurity incident and then a much larger group has to report if they pay a ransom.
The goal of that is, if there's something like a concerted Russian attack, hopefully, the government will spot it more quickly and then be able to alert other companies in that sector to protect themselves. Also, they'll just be able to gather better information so they can make smarter cyber policy in the future. Whether this invades liberties at all, it's, I suppose, conceivable that this could get more of citizens' personal information to the government.
That's been a long-standing concern about bills like this. This one is relatively tempered because the information is only going to the Department of Homeland. It is pointedly not going to the FBI, which is something the FBI had really lobbied for but did not get. In general, in terms of your personal information being exposed, that's happening by hackers so much already. You're really in far more danger from that than the government, perhaps getting its hands on the same information.
Melissa Harris-Perry: If part of warfare now is this cyber warfare, then I'm presuming that tech companies have a role to play that's perhaps distinct from something that they've previously done. I guess I'm wondering, in this particular moment, are tech companies ramping up to be soldiers in the cyberwar on behalf of Ukraine?
Joseph Marks: They are but a lot of what they're doing is what they've been doing for quite a while. We've talked about the government not having a lot of visibility into the hacking threat. The groups that often have much more visibility are companies like Microsoft and companies like Google that have customer accounts all over the world.
They're seeing what's going on often much better than the United States government is. Microsoft did an operation to take down one seemingly Russia-based attack against Ukrainian computers. There have been other announcements from companies like Cloudflare and Google about that. They're doing what they've been doing for quite a while but on a relatively heightened alert.
Melissa Harris-Perry: Joseph Marks is the writer of the Cybersecurity 202 newsletter for The Washington Post. Joe, thank you so much for joining us.
Joseph Marks: Thank you so much for having me.
[music]
[00:13:40] [END OF AUDIO]
Copyright © 2022 New York Public Radio. All rights reserved. Visit our website terms of use at www.wnyc.org for further information.