USAID Hack: Former NSA Official Calls U.S. Cyber Insecurity A 'Chronic Disease'
MICHEL MARTIN, HOST:
We're going to take another look at the massive cyberattack Microsoft says took place recently. The software giant said it discovered the breach last week. They said they think it began with Russian hackers breaking into an email marketing company called Constant Contact, targeting the U.S. Agency for International Development, or USAID, among others. While the federal government has downplayed the attack, Microsoft says it appears to be connected to the same Russian group behind the SolarWinds attack late last year.
Now, this all comes just a few weeks before President Biden and Russian President Vladimir Putin are set to meet in Geneva. And, of course, this is just the latest escalation in the already tense relationship between the two countries. So given the frequency and severity of these cyberattacks, we wanted to know what can be done to prevent them. Or is this some kind of new normal that we have to manage if we can't fix it?
We called Glenn Gerstell for this. He previously served as general counsel for the National Security Agency and is now a senior adviser at the Center for Strategic and International Studies. That's a global affairs think tank here in Washington, D.C. Glenn Gerstell, welcome. Thanks for joining us.
GLENN GERSTELL: Thank you. Glad to join.
MARTIN: And I do want to mention in the spirit of full disclosure that Microsoft and Constant Contact are financial supporters of NPR. So with that being said, let's start from the top. How significant is this attack, in your opinion?
GERSTELL: The attack is significant more for its audacity and timing than it is for the actual consequences. So we just saw with the Colonial Pipeline's ransomware attack, a cyberattack that had far greater consequences with people lining up for gas shortages up and down the East Coast. This attack, as I said, didn't have the same physical consequences. But, boy, the timing was just extraordinary. Here we are just weeks after President Biden has issued an executive order trying to remedy the federal government's cybersecurity posture, weeks after the president announced sanctions on Russia and expelled some diplomats for the extraordinary SolarWinds attack. And here we see apparently the same people - not sure but certainly Russian-based, criminals or perhaps the state itself, the government itself - undertaking a very, very noticeable attack.
MARTIN: And so I was going to ask you - yeah - like, why do you think these attacks keep happening despite the sanctions that the Biden administration has already imposed, you know, on Russia? And do you think the government's doing enough to protect itself against these threats and also us, the public?
GERSTELL: Well, your question is really the key one. And I think the lesson we learn from this is that this in some ways, our cyber insecurity in this regard, is a chronic disease for which we don't have a single cure. It's not an illness for which there's a particular drug that we could take to get rid of it. So unfortunately, however, we're at the beginning end of this chronic condition. This is going to get worse before it gets better. It will ultimately get better. But in the meantime, we have sophisticated attackers, nation states and criminals who can co-opt legitimate servers and companies and computers and softwares. And this proves, unfortunately, that our current scheme of deterrents simply isn't working.
MARTIN: So as we said, Russian President Vladimir Putin and U.S. President Joe Biden are preparing for their summit in Geneva next month. Russia, I should say, has denied responsibility for this and the SolarWinds attack. But I think most people know by now that, you know, chaos is their brand - right? - that Russia - that one of their goals is just - is to create dissension and chaos. And we saw this in the 2016 election. We've seen that since. How do you think the president should handle this? Is there something you think should take place at this meeting to address this?
GERSTELL: Well, I'd certainly love to be a - so to speak, a fly on the wall in that meeting and listen to what's said. But I think we can probably predict what's going to be said, which is surely President Biden will take a very tough stance and complain to his Russian counterpart that this is utterly, totally unacceptable, that we've tracked this malicious cyber activity to Russia. There's no doubt it either is occurring because of the Russian government itself, probably through its foreign intelligence service called the SVR or through criminal gangs within Russia who apparently are allowed to operate because you can't imagine that anyone would dare do such an extraordinary thing inside Russia that would have international repercussions without at least a wink and a nod from the Kremlin.
And we know what the answer is going to be. Putin will say, oh, absolute nonsense, No. 1, no proof of it. You can't show me any particular hands on a particular keyboard that proves that it's Russian. And we probably can't. And also, he'll say what he said before, which is, look; if you're violating Russian laws, I'll crack down on you. But I don't see any evidence that anybody was violating Russian law, meaning, in effect, it's OK for Russians to engage in cyber maliciousness overseas. So I don't think the meeting itself, other than sending a message to President Putin, is going to accomplish much. We have to do a lot more. And I know the administration recognizes that. But this is a first step.
MARTIN: So before we let you go, you know, I feel like there's a whole - I assume that the government has a whole handbook around cybersecurity and cybersecurity response, like, you know, retaliatory measures or - as it were. But - I know this is a deeper subject than we have time to get into, but what about regulating cryptocurrency? This seems to be the mechanism by which these criminals and foreign malefactors get away with it, right? So is that something that needs to be on the table?
GERSTELL: Well, certainly. Two points there - one, regulating cryptocurrency, which is a very tough subject, probably would have a big effect in curtailing ransomware. It's not going to stop malicious cyber activity that is just aimed at purely creating havoc, and it's not going to stop spying, which is what the Russians are doing in many of these cases.
But more broadly, you were pointing to the fact that we need to do several things. In other words, it's not just regulating cryptocurrency. That's a step. We need to have international coordinated sanctions to make sure that it's illegal for countries to, in effect, export cyber maliciousness. We need to do a lot more here in terms of better connections between the private sector and the public sector to fight and stop cyberattacks as they occur. So there are a lot of steps we can take, and it all goes back to my point that this is a chronic condition, which you don't address with any one thing but a whole series of things, all of which cumulatively will make this problem much better.
MARTIN: That's Glenn Gerstell, former general counsel for the National Security Agency and currently senior advisor for the International Security Program at the Center for Strategic and International Studies. Glenn Gerstell, thanks so much for your time.
GERSTELL: Thank you so much. I appreciate it.
(SOUNDBITE OF MUSIC)
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.