The Daily - Hacking the Russian Power Grid
Episode Date: June 18, 2019
A New York Times investigation found that the United States is actively infiltrating Russia's electric power grid. We look at what that means for the future of cyberwarfare. Guest: David E. Sanger, ...a national security correspondent for The New York Times and the author of "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age." For more information on today's episode, visit nytimes.com/thedaily.
Background reading: The cyberattacks on Russia's power grid are intended partly as a warning, and partly to be poised to act if a major conflict broke out between Washington and Moscow. In response to The Times's report, the Kremlin warned that American attacks could escalate into cyberwar.
Transcript
From The New York Times, I'm Michael Barbaro.
This is The Daily.
Today, a Times investigation reveals that the United States
is actively infiltrating Russia's electric power grid.
David Sanger on what that means for the future of cyber warfare.
It's Tuesday, June 18th.
So what happened in 2008 was the Russians did something pretty brilliant.
They dropped a bunch of USB keys,
you know, the kind you might get at a convention or maybe it's given to you at a hotel,
in parking lots around American bases in the Middle East. People would pick these things up,
bring them into work, and believe it or not, put them in their computers at work.
Jeez.
Somebody got away with the most serious breach of Defense Department computer networks ever. And what happened was those keys essentially put some malware into computers that got the
Russians inside something called SIPRNet.
The drive contained malicious coding that spread through classified files and stole information.
The official name is
the Secret Internet Protocol Router Network.
But the main thing to know is
it's the Pentagon's secret network.
We didn't think that was possible
because it's completely separate
from the Internet.
And suddenly they were able to drain out
of the Pentagon
some of its most secret communications, all because
somebody picked up a USB and stuck it in their machines.
And one day, a woman named Debbie Plunkett came into the office at the NSA.
Remember, this was just ahead of President Obama's election.
And she discovered this breach.
And basically, she said, we've got to get them out.
And this started a massive effort secretly inside the NSA to clean out the Department of Defense's systems.
In fact, after a while, people began using superglue to seal the USB ports on Pentagon computers.
So that no idiot would go pick up a USB from someplace and put it in.
It was a low-tech solution, Michael, but it worked.
So beyond super gluing the USB ports on computers inside the Defense Department,
what is the response from the U.S. to this incursion?
The response was near panic. I mean, think about what had happened just in that year or two.
The Chinese had gotten inside Lockheed Martin and stolen many of the designs for the F-35,
the most expensive fighter jet that you've ever paid for. And that's why the
Chinese today are producing what looks like an F-35, although it's a lot cheaper than ours.
The United States was launching its own big, sophisticated cyber operation against Iran's
nuclear enrichment plant at Natanz. And the Russians, of course, were coming inside the Pentagon.
And everybody realized this is now not just a big intelligence problem, this is a big military
problem. And we don't have a military unit of size and sophistication to deal with it.
And that was the birth of what is now United States Cyber Command.
So what does this newly established Cyber Command do about Russia,
the culprit of this really damaging attack on the Pentagon?
Initially, Michael, not much.
U.S. Cyber Command was just getting organized.
It didn't have many troops.
It didn't have much expertise.
It was based at Fort Meade,
but it was highly dependent on its next
door neighbor, the National Security Agency, for most of its capability to look inside networks,
much less attack back. So they spent years sort of watching the Russians and building their forces,
building cyber sort of expeditionary teams that they could put out with American Army units and Navy units and the Air Force and others.
But the big concern was, what do you do in time of warfare when the Russians or the Chinese or
some other adversary might do more than just get into your communications networks? They might go
in to try to change data, like supposing they altered the targeting on a missile.
Supposing they just got into the medical database and changed the blood type of every soldier and sailor.
You can imagine the havoc that they would bring about.
So the question was, how would you find them?
How would you counter them?
And then what's the right retaliation?
What's the deterrent to
keep them from doing that? Of course, while the U.S. was having this debate, there were some real
attacks happening. The White House is considering a response to the crippling cyber attack on Sony
Pictures. Federal officials are pointing right at the source. They say the attack was launched
from inside North
Korea. The North Koreans went into Sony because they didn't like a bad movie called The Interview.
Right. And they took out 70% of Sony Picture Entertainment's computer systems. It raises
huge questions about vulnerability and national security. They call this new kind of attack
cyber extortion. And suddenly the Obama administration had a debate.
What do we do in retaliation?
Well, the answer was they put a few sanctions on the North Koreans
and they cut off their Internet access through China for a day or two, but not much.
And then, of course, the Chinese came in and they stole 22 million security files
from the Office of Personnel Management.
That's the office that does security reviews for everybody applying for a clearance.
OPM did not specifically say what information the hackers got their hands on,
but it could include everything from names to social security numbers.
So suddenly the Chinese had all this information about 7% of the U.S.
population, a very elite 7%.
We've learned the breach goes back 30 years to 1985 and affects nearly every government
agency.
One of the largest thefts of U.S. government data ever.
And no one knew what to go do in response other than try to negotiate some agreement
about not stealing intellectual property with the Chinese. But all this was very frustrating inside Cyber Command and inside the NSA,
because the number of attacks on the United States was expanding like mad.
It reached its high point really in 2016 when the election attacks happened from Russia.
And it wasn't just the election system they were into,
because at the same time that the Obama White House was beginning to understand what was
happening as the Russians got into the registration systems in Illinois and Arizona and all that,
they were getting this other stream of intelligence about much more aggressive attacks on nuclear power plants, on regular
power plants.
The Russians got into a communication system in a nuclear power plant that's in Kansas
that caused all kinds of disruption.
And suddenly we were beginning to see warnings coming out of the Department of Homeland Security and the FBI saying, hey, every utility
in America, not just the power companies, but people who ran gas pipelines and water
systems and all that, had to be on the lookout for malware and that could cripple you.
It's not that the Russians had used that to go turn off the lights yet.
They hadn't, at least in the United States.
But that they were prepared to do so.
So, David, you've described a series of cyber attacks against the U.S. against these kinds of attacks, isn't doing very much about it?
Well, for a couple of reasons.
First, the primary defense for the United States is supposed to come from the Department of Homeland Security. The Pentagon was only supposed to get into this game when the attacks became so severe that they threatened
the viability of the United States. The second reason is that Cyber Command didn't really have
the authorities to do much more than defend the Pentagon. That's what its legal authority was.
And there was this great frustration because everybody inside Cyber Command and the NSA and many others realized that no foreign adversary was paying much of a price for attacking the United States.
But then this remarkable moment came because President Trump ended up nominating—
A meeting would come to order.
The committee meets today to—
Lieutenant General Paul Nakasone.
Consider the nomination of Lieutenant General Paul Nakasone
to be commander of the U.S. Cyber Command and director...
He was nominated as the new head of the United States Cyber Command
and the director of the NSA.
One person holds both jobs.
That's quite a bit of stuff there.
And he came up in March of 2018 for his confirmation hearing. And he's asked by Senator Dan Sullivan from Alaska:
What do you think our adversaries think right now? If you do a cyber attack on America, what's going to happen to them? So what do you think our adversaries think about us right now?
They do not think that much will happen to them.
They don't fear us.
They don't fear us.
So is that good?
And his answer was essentially, not much.
It is not good, Senator.
And what did he propose to do about that?
Well, he didn't say this in public,
but what he had been proposing for years
was a concept really drawn from American special forces,
which is defend forward.
Don't wait to get attacked. You know, the special forces
had learned in the war on terror that if you're going to stop a terror attack in Times Square,
you better go hit the living room in Pakistan where it's being planned. And Nakasone sort of
had the same concept, which is the United States has to have what he called persistent presence in foreign computer networks around the world.
Because if you weren't already buried inside that network, you were never going to see an attack coming, and you wouldn't have any way to retaliate.
In other words, you have to go on the offense to really be on the defense.
And you have to live in your adversaries' networks.
You have to be inside their computers
before they attack you, not after.
And he was confirmed,
and that began a real new era
for how Cyber Command went on the offense.
We'll be right back.
So, David, you've spent the past few months trying to understand what it means for the Trump administration to go on the offense when it comes to cyber.
What exactly have you found? Well, the first thing I found was that the Trump administration and Congress enabled Cyber Command to go on the offense
much more aggressively than they had been before.
In August of 2018, President Trump signed a long-awaited executive order.
It was called National Security Presidential Memorandum 13. Its contents are
still classified, but essentially it allows the Cyber Command to go ahead and conduct all kinds
of operations inside foreign networks without going back to the president for prior approval.
Our computer networks around the country were under such a constant barrage of attacks
that Cyber Command needed much more freedom to be able to get inside those foreign networks
and begin to combat it, and that it couldn't be going to the White House every time it wanted to do this.
Just the way the Navy doesn't go to the White House every time it wants to go run a group of destroyers down through the South China Sea or go do patrolling along the DMZ in South Korea.
In other words, it's an acknowledgment that cyber is such an active place that the president could spend his entire day signing off on every decision that needed to be made.
That's right. And Congress authorized Cyber Command to do even more.
It basically said, you know, these kind of operations in cyberspace are part of traditional
military activity, and you're authorized to go ahead and do them the same way that you
would do ordinary patrols.
And so what does this newly empowered Cyber Command do with this authority?
Well, the first thing it did was go after those units in Russia that were responsible for a lot of the election hacking. They shut down
the Internet Research Agency in St. Petersburg, which, of course, had designed many of those
Facebook ads and other social media ads for a couple of days right around the midterm elections.
They went after the GRU, the Russian military intelligence unit that had been responsible
for breaking into the DNC and then making public much of that data. They sent text messages to
individual Russian officers and hackers saying, we know who you are, we know where you live,
we know your phone number, and if you mess with us, you're going to pay a price.
So a lot of that action to counter the election malfeasance was made public.
Right.
What wasn't made public was a parallel effort to go inside the Russian power grid,
to put some code in places where the Russians would see
it as a warning, but put other code in places where the Russians wouldn't see it in case the
U.S. ever needed to act against Russia's utilities as the Russians were putting malware in our systems.
So the U.S. now has the ability to interfere with the Russian power grid in the
same way that Russia can already interfere with the U.S. power grid. That's right. The U.S.
wanted to get deep inside the Russian systems, this time not just for surveillance, but to be
able to place malware there, basically ticking time bombs or what you might think of as digital landmines
that they could set off if we got into a broader conflict with the Russians.
David, how significant is it that the U.S. took this step of basically infiltrating
Russia's electric grid?
Oh, I think it's a big step, Michael, but it's also a pretty risky
one. So classic deterrence theory would tell you, do like in the nuclear age, right? If they can hit
you, show them you can hit them back. But, you know, I think the Russians have some doubts that
we'd really be willing to pull the plug. They know that we're limited by all kinds of legal and ethical considerations,
and that unplugging a country except in the midst of a war
would cause a lot of civilian deaths.
I mean, the people who are most vulnerable if you unplug the grid
are people in hospitals or nursing homes.
So there'd be a great reluctance to cause civilian casualties.
But wouldn't that presumption be true on both sides?
It might be, but one of the remarkable things about cyber is how well you can go hide the
causes of a cyber attack. Most cyber is used in short-of-war conflicts, not full-scale war, but instead this quiet war of
attrition where countries are trying to seek advantage or gain power by manipulating the
data in your financial systems or making ATMs unavailable or turning off the power in certain
parts of the city, but maybe not in others.
So it's pretty subtle. And the Russians are really smart. They do not want to trigger
a general military conflict between the U.S. and Russia. Most other countries don't either.
So they want to use their cyber capability in the most subtle way possible.
David, given that, as you just said, the battlefield is much more subtle
when it comes to cyber than traditional warfare,
but the consequence is just as significant,
at what point does Cyber Command,
do all these officials with these new powers
granted by the Trump administration,
at what point do they need to seek the approval
of the president and of Congress
to conduct these operations, like
entering the Russian electrical grid in the way that they would for traditional warfare?
You know, it's a fascinating question, because if you look at the law and from what we've heard
about the presidential order, they have the authority to do this themselves. Now, the law does require them every quarter to bring their congressional overseers up to date with what they're doing.
So they'd have to report what they're doing in the grid, maybe after the fact, but they'd have to report it.
The big question that we were trying to answer is, did anybody go to the president to tell them that we were conducting this traditional
military activity inside the Russian grid? And what did you find? What we found was a lot of
people saying to us, we don't think the president knows very much about it. He may have been told
generally that, of course, we're doing cyber operations, but there's a great reluctance inside the intelligence community and certainly inside
the U.S. military about what they tell the president about operations against Russia
And that's because every time the president hears the words Russia and cyber, his mind immediately
goes to the charge that the Russians put him in office or somehow were responsible for
his election because of what they did in 2016. And that sets him off. So we've seen time and time
again that people sort of avoid the topic. So it's quite possible that the president learned
about this operation to get inside the Russian electrical grid from your reporting? We think that's possible. He issued two tweets the night that it came out,
on Saturday night. The first suggested that publishing it was perhaps an act of treason.
He called you a traitor, basically. Yes. And then in the second tweet, he said,
and it's all wrong. David, the treason charge seems worth asking you about.
Did the people you talked to inside the U.S. military, the cyber command, the intelligence
community, did they discourage you from reporting on any of this? They didn't. They refused to
comment on the specifics that we had found about the U.S. operation. But, you know, we've been
doing this for a long time, and we're accustomed to going to the government and saying, here are the facts
we're going to lay out. And if you have any national security objections to our publishing this,
let us know now before we print, and we'll make some judgments about whether to hold back some
details. And over the years, I have held back details, including about some American cyber
operations when the government
made the case that the adversary didn't know about it. But in this case, they came back and said,
we have no national security objections. In fact, it may be that people in the Trump
administration, perhaps not the president himself, but those around him, may have wanted
you to report this. Or certainly they didn't see a downside to it.
You know, there's this great scene at the end of Dr. Strangelove
when they've been building this huge nuclear gadget,
and they're keeping it a deep secret,
and the whole premise of the end of the movie is,
if you don't tell them about the gadget, what good is it?
Right.
So we have sort of the same problem in cyber. David, from
everything you've explained, the U.S. goal here is deterrence, and it reluctantly entered a more
aggressive phase in its approach to cyber with the goal of preventing our adversaries from attacking
us. But at what point does a strategy of deterrence inevitably lead to an
arms race where you have to keep up with your enemies and their approach to cyber? And on and
on it goes until eventually we're in a deeper phase of cyber conflict. Michael, we're deeply
into that arms race already. We're building up new weapons. Everybody else is building up new
weapons. But there's a lot of discussion these days about whether you should have something akin to a digital Geneva Convention.
You know, the old, the real Geneva Conventions protect civilians from being gassed, tortured, or starved.
In the digital Geneva Convention, you might say there are some systems that are so critical to civilian life that we have
to protect them. Power grids because they power hospitals and nursing homes. You might say that
election systems should be off limits. You might say that emergency communication systems,
communications to ambulances or the police or the fire department are off limits. And these all seem
like pretty attractive ideas, and a lot of countries have signed on to them, although not
the United States so far. And one reason, I think, is that many in the U.S., inside the government,
believe we have a big advantage and that we don't want to give that advantage up and deprive a future president
of the United States of the ability to use one of these weapons that we've spent billions of
dollars developing. They might want to be able to go to a president and say, you know, it would be
better to manipulate the results in this election than end up with another Nicolas Maduro, the
dictator in Venezuela. Or it might be better to be able to go into the central bank of
this country and drain a dictator's bank account or keep a terrorist organization from being able
to spend any money. So if we're going to be able to do those things, we probably wouldn't want to
sign up to an agreement that prohibits them. And that's the big argument we need to have as a
country, which is what cyber capability are we willing to give up in order to begin to set some
norms of behavior that we're hoping other countries will adhere to as well?
David, thank you very much. We appreciate it.
Thank you, Michael.
On Monday afternoon, a spokesman for Russian President Vladimir Putin said that Russia was confident it could repel U.S. attempts to hack into its electrical grid,
but warned that such attacks could eventually escalate into a cyber war with the U.S. We'll be right back.
Here's what else you need to know today.
Change lives! Change lives!
On Monday, the Chinese government expressed strong support for Hong Kong's chief executive, Carrie Lam,
after days of massive protests against her by hundreds of thousands of Hong Kong residents.
But the support from China could ultimately backfire by reinforcing protesters' fears that Lam is acting on China's behalf. The protests began after Lam pushed for a law that would allow Hong Kong residents to
be prosecuted in China — a plan she has since suspended in response to the protests.
And...
We have a deal that will allow more than 300 kilos of waste...
Iran has announced that it plans to violate one of the central terms of the 2015 deal
to limit its nuclear program by increasing its stockpile of enriched uranium beyond what
the agreement permits.
If Iran follows through with the plan, it would have enough fuel to produce a nuclear
bomb in less than a year. The threat appears designed to pressure European countries
who remain in the nuclear deal
to offer Iran assistance
that would offset the economic damage
caused by the Trump administration,
which imposed sanctions on Iran
after withdrawing from the deal last year.
That's it for The Daily. I'm Michael Barbaro. See you tomorrow.