Hackers Exploited U.S. Trusted Relationship With 3rd Party, Krebs Says
DAVID GREENE, HOST:
So how does the country's top cybersecurity official up until recently view the vast government computer hack? The impact is enormous. All levels of government - federal, state and local - were impacted. Thousands of private companies were also compromised. And Russia is believed to be responsible. Our colleague Steve Inskeep brings us this conversation with the former director of the Cybersecurity and Infrastructure Security Agency.
STEVE INSKEEP, HOST:
Chris Krebs was President Trump's choice to run an important Internet security agency. The president fired him last month for saying truthfully that the presidential election was secure. Now we know that some other systems were less so. Only after leaving office did Krebs learn that Russia corrupted software updates sent by a company called SolarWinds.
CHRISTOPHER KREBS: What I understand - it is, in fact, the Russians. It's the Russian SVR, which is their foreign intelligence service. They are really the best of the best out there. They're a top-flight cyber intelligence team, and they used some very sophisticated techniques to really find the seams in our cyber defenses here in the United States and seem to be quite successful in penetrating some very sensitive places.
INSKEEP: You know, when I think about Internet security as a layman, I'm aware that one of the easiest ways to get at me would be to have me give permission to enter my own system, that I'm offered some update that's not an update or asked to click on a link that's not really what it purports to be. Does it surprise you that the government was caught in this rather straightforward way?
KREBS: Well, I actually would maybe characterize it a little bit differently in that the majority of attacks these days or cyber compromises are, as you described, getting someone to click on a link via an email or open an attachment. And that's really attempting to come in through the front door. This is a little bit different in that it is a supply chain compromise, and they're exploiting trusted relationships between the government, in this case, and a third party. So they go one step out to come in the back door.
INSKEEP: The principle is the same, right? The government opens the back door to this supplier, SolarWinds, not realizing that they are letting in malware.
KREBS: Correct. It is exploiting a trusted relationship with a third party. Software in particular is one of those things where you assume that when it comes to you and it's signed - you know, the certificate of authenticity that comes along with the software update, when it says it's good, you expect it to be good.
INSKEEP: It seems the Government Accountability Office raised this supply chain concern a couple of years ago. Did you discuss it at your agency when you were in the government?
KREBS: Supply chain security was a priority of ours at CISA. And in fact in 2018, we established a supply chain risk management task force to share best practices and the things that were working. But unfortunately, even if you know the right things to do, it takes commitment from executives, from leadership. It takes investment. So it can take months, if not years, to get into a really secure posture.
INSKEEP: Did the pandemic make it harder to detect because people were distracted, people were scattered, people were working from home, people were on systems that were a little more vulnerable even?
KREBS: And I think in March when COVID hit and everybody scattered to the four corners and were working from home, that introduced a number of additional vulnerabilities. Or another way to put it is it really expanded the potential attack surface for an adversary. So I suspect that it wasn't the principal cause of this, but it may have complicated the earlier detection earlier in the year.
INSKEEP: What is a proper strategic response to this kind of attack? When it's so hard to defend against, you want somehow to be on offense, but what would offense be in this circumstance?
KREBS: Well, I think we have to be very careful about this point because this is an espionage operation. So I think part of the going forward if I was, you know, national security adviser for the day, I think I would make a very strong statement to the Kremlin to say, we know you're responsible for this. And if you do anything destructive or damaging with the access that you may still have, that will be deemed as escalatory. And there are a set of capabilities that the U.S. government could bring. And in the meantime, you have to keep working through your incident response plan. You have to keep working through the detection activities to find the adversary and kick them out.
INSKEEP: Are Russia's systems as vulnerable as the United States' systems seem to be?
KREBS: Well, you know, here in the U.S., we are one of the most modern economies in the world. And unfortunately, a lot of that modernization is dependent upon IT infrastructure and communications infrastructure, so there is an element of glass houses here. As for Russia, they are not as dependent upon the global economy as we are. So to a certain extent, geopolitically, they have some advantages, but also the fact that their cyber capabilities is one of the few things that does keep them relevant geopolitically. So it is something to keep in mind.
INSKEEP: Can I ask about President Trump's role in all of this? In the last couple of days, he's downplayed Russia's involvement, muddying the waters, contradicting intelligence agencies' findings on this, as he constantly has since 2016. When you were in government, how hard did the president make it to focus on the very real threat of Russia?
KREBS: Well, for our team at CISA, we had all the operational authority we needed to protect the elections, to work on the various cybersecurity initiatives that we had, irrespective of the adversary, Russia, China and really increasingly cyber criminals. So I feel like for domestic purposes, we had the room to operate we needed. We did not have, though, some of the authorities we needed or the budget that we needed, and that has been something that we've worked closely with the Congress on. And in this year's National Defense Authorization Act is probably the biggest cybersecurity legislation package in recent years. And it right now is unfortunately sitting languishing on the Resolute Desk in the Oval Office. And that bill needs to be signed immediately.
INSKEEP: I'm also just thinking about how vast the government is, how complex it is and how you would need a president to get everyone to coordinate and work together. Was it damaging that for four years you had a president who actively downgraded this very real threat?
KREBS: To your point about the scope and scale of the federal government, it's absolutely a monstrosity. It is 101 civilian agencies. I think we got through the last four years with support from our partners in the intelligence community. I think there's always room for improvement. There's always room for additional support from the highest office in the land. I think we did a remarkable job given the resources we had and the support we had.
INSKEEP: Well, Chris Krebs, thanks for talking. I really appreciate it.
KREBS: Steve, thanks so much. Happy holidays.
(SOUNDBITE OF SUBLAB AND AZALEH'S "VIDURA")