Why you should be paying attention to ransomware cyber attacks
We may not have seen notable foreign interference with the 2020 election. That doesn’t mean we’re in the clear.
It’s been over two weeks since Election Day, and as the days continue to pass with no concession from President Trump, concerns are growing about the lack of a formal transition process. One thing is clear: Trump and many of his supporters are not giving up the claim that the election was somehow rigged, despite no evidence of widespread voter fraud.
Last week, the Cybersecurity and Infrastructure Security Agency released a statement calling the 2020 election “the most secure in American history.” Shortly thereafter, Trump took to Twitter to fire Christopher Krebs, the Agency’s director, who led the effort to verify the security of the 2020 election and combat allegations of voter fraud.
David Sanger, the Chief Washington Correspondent for The New York Times and a seasoned cybersecurity reporter, has been writing specifically about election disinformation for years. While there was no serious threat to the security of this election, he raises concerns about the federal government’s ability to properly respond to ransomware and other cyber threats, whether they be from within or outside of the United States. We know foreign actors like Russia and Iran are a threat to America’s national security. But to what degree are we a threat to ourselves?
The following transcript has been edited for clarity.
John Carlin: From CAFE, welcome to Cyber Space. I’m your host, John Carlin. Every other Friday, I explore issues at the intersection of tech, law, and policy with guests who’ve made an impact in the world of cybersecurity. My guest this week is David Sanger. He’s an author and longtime national security correspondent for the New York Times, where he’s been part of three teams that have won Pulitzer Prizes. His 2018 book, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, has been adapted into a new HBO documentary of the same name. Both examine the emergence of cyber conflict on the international stage and its lasting impact on the nature of global power.
Before we turn to that interview, I did want to quickly share some thoughts about the news that broke after we taped my conversation with David Sanger. On Tuesday evening, President Trump abruptly fired Chris Krebs, one of the nation’s top cybersecurity officials, after disagreeing with his agency’s characterization that the November 3rd election was the most secure in American history. Less than an hour after Trump tweeted about his dismissal, Krebs tweeted from his personal Twitter account, “Honored to serve. We did it right.”
Krebs has been widely praised for his oversight helping to secure the election from foreign adversaries and cyber-related misconduct. I could say, working with him in his role at the Department of Homeland Security, not only did he help to protect the country from cyber threats, he showed great ingenuity in using that agency’s authorities in new ways to try to help during the difficult times of implementing unprecedented measures to protect American lives against the pandemic and COVID. It’s a shame that an official would be fired not only for doing their job, but for doing it successfully.
You would think it would be a moment to take a step back and say, boy, this was a success for American democracy that despite fears, many of which we’ve talked about on this podcast about foreign interference with our election through hard work by state and local officials of both parties throughout the country, volunteers and the folks at the Department of Homeland Security working with other government agencies, that we secured our elections in an unprecedentedly complex period where it is the first time certainly in living memory that we’ve had to have an election on this scale in the midst of a pandemic. And now I turn to my interview with David Sanger.
So great to have you on David. Let me start by asking you, I know you did a lot of work pre-election into what could go wrong. Are you surprised that the election went as well as it did?
David Sanger: I am, and I’m surprised it went as well as it did on the foreign interference side, but I’m even more surprised that it went as smoothly as it did domestically given the fact, John, that we had such an overwhelming number of paper ballots, mail-in ballots for the states to go process. I think the big question on the foreign side is, did it go so well because US Cyber Command was pushing back, and we can talk later on about how they were doing that, because the US continued and accelerated something that you had gotten started during your time at the Justice Department by indicting bad actors, because DHS had so hardened defenses, or in the alternative had the Russians simply determined that we were doing such a great job tearing down the integrity of our system by ourselves, the president in particular with his comments, that there was really nothing that they could do to help.
John Carlin: Let’s start with the last one because that’s quite provocative. Do you really think that while it might apply to Russia, but when you think about Iran, China, that all of them form that collective view, and that’s why we didn’t need to worry about hacks. Or do you think there’s something to all the different efforts the government and state actors were taking to protect systems?
David Sanger: I think there was something to all the actions that were taking place, although I don’t think that these two answers are mutually exclusive. Take the Russians first. In the case of the Russians, I think they recognized that there was such a tension on the election process here that they would probably be wiser to strike at another time in another set of targets, that there was just too much pressure here and that they had pretty well achieved their goal because there was so much concern within the United States and still is about the integrity of the system.
And remember, they may not particularly have cared about the outcome. I don’t think that Donald Trump was of great use to them in the past couple of years because he wasn’t able to give them what they wanted the most, which was relief from sanctions, and Biden had made it pretty clear during the campaign that he was going to take a much tougher approach to dealing with Putin. So the big question I think for the Russians was, was there value added in just adding onto the chaos versus the downside of being caught, especially if they thought that Trump might not win and that they would have to go deal with Biden later anyway.
John Carlin: Let me pause for one sec before you switch to your end because there’s a lot in that answer. I think of it as maybe dividing it into two categories because the first part of your answer would be one of the strategies that was supposed to be employed post 2016. In other words, publicly putting attention on the fact that the government was aware that there had been Russian interference and also implying, stating, taking actions to show that if they were to try to interfere again, that there would be consequences. So I would view that as part of a successful perhaps strategy of using all tools to try to discourage and interrupt interference in this election. The second part of what you said though would be not necessarily consistent, which would be that Russia reached a calculus that said, hey, they’re doing it to themselves. So we don’t really need to do anything to undermine confidence in democracy, if I’m hearing you right.
David Sanger: That’s right. What I was suggesting was both could be right.
John Carlin: Sure, because it’s a cost benefit.
David Sanger: It’s a complete cost benefit for them. And I think that the Russians recognized that the pressure would be on a second time to actually make them pay a price. And as you recall in The Perfect Weapon in the book and again in the documentary, I was pretty critical of the Obama administration for not calling them out and for under-reacting during the election season in 2016. And then they only had a short period of time to go take action against Russia before they left office. And you’ll remember that in the last phase of the Obama administration, that’s exactly what happened.
They threw out dozens of diplomats who were actually intelligence officers and agents, and they closed two Russian diplomatic facilities, not embassies, but outside facilities. And it was as one member of the outgoing Obama administration, one of your former colleagues said to me at the time, the perfect 19th century response to a 21st century problem, which is to say that we did the most traditional diplomatic response and one that I think many people who were in the Obama administration now in retrospect think was insufficient to the size of the offense.
John Carlin: And certainly measured against 2018 because really this isn’t the first federal election. This is the second federal election. In 2018 we did see Russian attempts to interfere with the election, so that would be an indication that it was not sufficient retaliation.
David Sanger: That’s right. And we also saw in 2018 the first of US Cyber Command’s pushbacks, and they later on made some of these public; some directly, some indirectly. But basically they went in and shut down the Internet Research Agency in the days surrounding the midterm elections in 2018 so they couldn’t interfere both in the election but also in information operations surrounding any aftermath to the election. And they made it pretty clear to a number of members of the GRU, the Russian military intelligence unit, that they knew exactly who they were and they were watching their every move, partly by sending messages to their cell phones, which is kind of personal.
And I think it’ll probably be a few weeks or a few months before we learn how they stepped that up in 2020, but we have already reported on one step they took, which is they went to dismantle something called Trickbot, which was a significant ransomware tool site for fear that the Russians might use ransomware against cities and states. As it turns out, we didn’t see any ransomware against the election infrastructure.
John Carlin: And actually according to your reporting in a statement, there was no evidence that the November 3rd election was compromised and that was put out by the Department of Homeland Security. And they said that the 2020 election was the most secure in American history. Do you agree with their assessment?
David Sanger: Their assessment based on the evidence we’ve seen so far seems to be accurate.
John Carlin: There’s a lot of anxiety right now about the state of our democratic processes. And as I think you were alluding to in terms of Russian motivation, that it might not be to favor one particular candidate but be consistent with, it seems like Putin views democracy itself as an existential threat, and that’s why you see them interfering in elections not just here but across the world. What do you think of the fact that, and how do you analyze that we have a commander-in-chief who is not on board, it seems, with all of the rest of the professionals that work for him that this was a fair election? But how do you think our institutions did under that type of unprecedented pressure from the president?
David Sanger: They did remarkably well and it really does remind you of the wisdom of the founders here in making sure that the president didn’t have anything to do with elections in the United States and why this is largely a state function. What’s been interesting is that while even Republican leadership has sort of stuck with the president uttering somewhat meaningless phrases like he’s got to let all of his legal options play out, and he certainly has every right to have that done. The federal officials have not stood up, the elected federal officials, to say that there was a clean election here. But many of the state officials and state Republican officials have stood up. It’s one of those rare moments where you get a real life view of why the separation of powers built into a federal system is so critical.
John Carlin: That’s an optimistic, which is nice these days, assessment. Quick question for you about, although all worst case scenarios didn’t come to fruition, one that you had written about and talked about was the possibility of misinformation. And although it may be amplified by, it doesn’t seem to be coming from foreign nation state actors. And we are seeing on online platforms numerous sites saying that the president-elect, Biden, is no longer president-elect or that the election was stolen. There’s one in particular, there’s a YouTube video that incorrectly states that there’s been a formal finding that Joe Biden should lose his status as US president-elect that racked up more than a million views. How do you think we’re doing on disinformation, and what do you view your role as, as a prominent reporter for the mainstream media?
David Sanger: Obviously we were prepared for a lot of disinformation in this case and as it always turns out, was a lot of the American public. But we have seen these amplifications, mostly though they’ve been amplifying statements the president has been making. So that’s one of the big differences with 2016. They’ll remember that the disinformation in 2016 was largely of foreign origin, right? You had the Internet Research Agency making up foreign personas trying to pretend that they were your neighbor, John, in Washington or Texas or something like that. So this time around Facebook was sort of ready for that. They took out a good number of cases in which there were foreign interference where clearly there was what they called inauthentic behavior going on.
But they’re much less capable of dealing with the amplification of something that truly originates in the United States. So if the president says there is evidence that votes were stolen from me, or if the president says we weren’t able to get our observers into the polling places, which does not appear to be true, or if the president says that Dominion software changed 2.7 million votes, which he claimed in Twitter and also seems completely unsubstantiated, then it’s a lot easier for them because all they’re doing is replicating what is permissible if irresponsible political speech in the United States.
John Carlin: It’s more difficult in your job as well, correct? If it’s something being amplified but coming from someone not only within the United States, the president of the United States, what do you do?
David Sanger: All you can do is lay out the basis of the disinformation. In today’s New York Times we have a very extensive three or 4,000 word story that explains how the Trump campaign prepared for this moment and prepared to make the argument that the votes were stolen from the president before there was any evidence, and continue that even in the absence of evidence, instructing their election observers to object to every ballot and every bit of counting even though there was no real demonstrable objection. This is why you’re watching the Trump campaign suffer defeat after defeat in different courts as judges throw out their arguments because they can provide or so far have provided no evidence of it.
What can we do in the media? Well, we came up early in the summer with the concept of the daily disinformation, a little feature that would run online every day that showed you another bit of disinformation, dug into where it came from, how it was being spread. We would have screenshots of the disinformation but with a thin red line diagonally across it so that it was clear to people that we were not replicating this as something that we were representing as the truth. The best antidote to disinformation I think is really deep reporting. First, debunking the information if it’s wrong, and second, explaining how it was spread. But the fact of the matter is that for people who are predisposed to believe it, they will take almost any information that reinforces their worldview. And that’s true on all sides of the political spectrum.
John Carlin: I know Iran features prominently as well in your 2018 book, The Perfect Weapon, that later becomes a documentary of the same name. But turning to Iran, what do you think went on with their calculus in regards to the 2020 election?
David Sanger: I think the Iranians were a lot less sophisticated than the Russians. They first played in this arena in 2018. As we reported last week, the US had the advantage that they had literally stolen the Iranians’ playbook. It was a pretty good coup for American intelligence agencies. And you’ll remember that a few weeks before the election, the Director of National Intelligence, John Ratcliffe, along with Chris Krebs and others came out and made a public announcement about a series of emails that had been received by some voters in Florida and Alaska, there may have been some others, that purported to be from the Proud Boys, the right-wing group, that were awfully written.
I mean, if you read these emails which threatened voters and said, we will know how you vote and so forth, the mangled syntax of them made them look like or read like they had been written by the script writers for a really bad movie along the way. And these got exposed within about 48 hours as Iranian in origin. And the decision was made by Director Ratcliffe and others that because they thought this could be the leading edge of the activity they saw laid out in the Iranian playbook, that by exposing it they could pretty well undermine the Iranians. And that’s really what turned out apt. The other Iranian activity wasn’t of much note.
John Carlin: So that’s a combination then of, according to your reporting, covertly acquiring information about what the adversary’s intentions are, Iran’s playbook, and combining that with both presumably collection defending systems and publicly announcing what you know as a strategy. In doing that, there was some criticism not of Director Chris Wray from the FBI or Chris Krebs from the Cybersecurity and Infrastructure Security Agency but of the Director of National Intelligence because he didn’t just say that Iran was attempting to influence the election. He said specifically, which was kind of curious just given the facts of the scheme, pretending to be the Proud Boys but sending messages that would discourage Democratic voters from voting. He said that the motive was specifically to hurt Donald Trump. What did your reporting show, is that a tempest in a teapot or was that a real concern that he was shading intelligence for political purposes? What’s your view?
David Sanger: Well, it’s hard to know. Director Ratcliffe is certainly a pretty partisan animal. A couple of things seemed clear to me from looking at the evidence they made public. First is, it’s really hard to tell whether this was directed at hurting President Trump or hurting Biden because it was so clumsy that you could imagine in ways that it could have cut either way. But second, I think that there was a strong desire on the part of Director Ratcliffe and others in the intelligence agencies to show the problem was not just Russia. That they had taken the message from President Trump who said, “Russia, Russia, Russia. It’s all Russia hoax.” And they went out and emphasized the Iranians.
Now, events played in their favor because the Iranians were a lot more obvious in what they were doing than anything the Russians managed in the last few weeks, whether that’s because the Russians were just more skillful or had pulled back as we suggested before, or whether it was just that the Iranians were still pretty clumsy at this. But it was pretty obvious activity on the part of the Iranians and I didn’t think it would be effective.
John Carlin: Right. It occurs to me just in asking you that question where there were three different directors involved. Who is in charge when it comes to cyber, from your view reporting on this? Is there a clear person in charge?
David Sanger: There still isn’t and this was an issue that you encountered when you were in office during the Obama administration. And I had thought that the Trump administration was on its way to helping solve this problem. In the beginning of President Trump’s term, his two years, you’ll remember he started with a talented cyber coordinator in Tom Bossert. He had a deputy who came from the National Security Agency who was quite good and quite talented. Also held a public job in the Trump White House. They were all fired and their positions pretty well eliminated by John Bolton when he became National Security Advisor. I don’t think because he had any particular concern about their cyber work, but because he didn’t want people with direct access to the president who might threaten his own position there.
Bolton said at several points, “Cyber is everyone’s responsibility.” Well, you know what that’s like in government. When something is everyone’s responsibility, it’s no one’s responsibility. So I think the administration which started off pretty good lost its way in the last two years. We also know that Kirstjen Nielsen attempted to hold some national security council level meetings on election interference in her last weeks as the Secretary of Homeland Security and was shot down by the then White House chief of staff who argued that any such meeting would only raise the hackles of the president who didn’t like to hear discussion of Russian activity because he thought it was calling into question his own mandate to govern from 2016. And so while they held a lot of meetings, they did it without much central command from the White House.
John Carlin: And taking from what you said, do you think that it was a mistake to disband having an advisor with access to the president in the White House who had the cybersecurity portfolio underneath them? There’s been a little bit of a debate though about whether to restore and empower that position or, as the Solarium Commission and what Chris Inglis discuss in this recommendation proposed, making it a Senate-confirmed position. You’ve covered so many different administrations over the years. Do you think it makes a difference whether it’s Senate-confirmed or not? And then as a second part of that question I’m curious, some have said the position might be more powerful if it is not Senate-confirmed, if it has direct access to the president like a National Security Advisor or other positions because they’re in the room and speak purely for the executive, while others have said you need both the clout and tempering function that comes from exposure to the Senate. I’m wondering if you have a view on that.
David Sanger: Those are part of those debates that only fascinate people who live in Washington, right? Whether it should be a Senate-confirmed position or an advisor to the president, one of the difficulties is if it’s a Senate-confirmed position, they are required to go up and be able to testify and may have to testify independently of the administration’s position. If they are just an advisor to the president, even a highly empowered one like the National Security Advisor is, then you are covered under the exemption for private presidential discussion. I can see the argument either way. My own view is that this person is probably most powerful as a deputy National Security Advisor, which would not be a Senate-confirmed position.
But I think what is important is that we’re in a world right now where DHS handles defense, Cyber Command with the help of the NSA handles offense, the Justice Department investigates and indicts bad cyber actors along the way. There are many other agencies of the US government that have a piece of this. And what concerns me is cyber is territory where you can’t separate the offense from the defense. So if DHS is operating in its own world and Cyber Command is in its own world; and meanwhile you have the private sector playing defense in its own world, you have a lot of uncoordinated activity underway.
And we saw some of that in the Trickbot case, John, where both Cyber Command a few weeks ago was moving to take down some of the servers and the activity in this Russian-speaking, we don’t know if it is Russian origin, group of players who support and provide very sophisticated tools to ransomware operators. And then we saw Microsoft and a group of companies use legal process to do the same thing, getting orders from a federal judge that enabled them to take down some of the servers because they ran through Microsoft networks.
And we saw very little coordination between the private sector and the US government. Partly that’s because the private sector does not want to seem to be an organ of the state. Microsoft’s got a lot of customers all around the world. The last thing they need to be seen is as a division of Cyber Command. And yet you do wonder what are the risks of having a lot of uncoordinated activity. So my hope is that by having somebody at the White House with a fairly decent size and sophisticated team, you could have overview on both the policy side, the enforcement side, and the combination of offense and defense.
John Carlin: That’s a great example. Let’s talk about it a little more, and I think you did a good job outlining how difficult it is. One of the points I’ve made over the years is just the billions of dollars and the new departments and agencies post September 11th: Department of Homeland Security, Director of National Intelligence, National Security Division, which I led. They were all post September 11th reforms with the idea of sharing information more effectively within and between governments. And that was hard and we got better at it. Maybe not where we need to be with the mantra that partly 3,000 innocent civilians lost their lives because information wasn’t effectively shared across the law enforcement and intelligence divide.
And now with cyber it’s exponentially more difficult because it’s not just sharing information within and between governments, it’s within and between governments at the speed of cyber space and with the private sector. Trickbot I think is a good example to maybe dig a little deeper on. So just in terms of what Trickbot is, it’s a code or botnet. So hundreds of thousands of compromised computers, millions in this case, that gets used to steal passwords, and then they use the access from those infected computers to access their email accounts. It’s been estimated up to 250 million email accounts. And then they use those email accounts to send new malware infections to the victims’ contacts. So it just keeps growing and growing through the contacts of people that are compromised. So it’s sometimes called a malware-as-a-service feature.
And it was used then to deploy many different types of ransomware, but it’s not a national security tool unless you found differently. I mean, it was something designed by crooks that makes the ecosystem insecure, if you will, and then could be used by criminal groups or apparently, from the perspective at least of Cyber Command, nation-states. From the perspective of Microsoft, it looks a lot like the way other criminal groups cause mischief. And I’m curious, when you open it up that way, there are a lot of criminal groups operating right now doing ransomware and extortion techniques. That would traditionally be a law enforcement problem, a private sector problem, but not a military problem. Do we need to be concerned that it’s being over-militarized if we’re using Cyber Command to attack things like botnets, or vice versa maybe. Maybe we should be concerned we’re not doing enough.
David Sanger: The timing of the Cyber Command activity was pretty clear, both Cyber Command and Microsoft were acting when they did for fear that these criminal groups could be hijacked, used, enticed, paid for by the Russians or others to go attack registration systems during the election. And certainly we’ve all seen lots of examples. And in fact, I think you called out a number of examples when you were still in government of groups that are largely in this game for profit but who recognize that they need to do something for the state that hosts them if they’re going to keep prosecutors or investigators off their back.
And so this distinction, which seems so clear to many between private groups operating for profit and state actors is in reality not as clear. China, for example, has long used hacking groups to go obtain intellectual property that they want. And they seem to be operating with at least the implicit approval and perhaps under contract for Chinese Intelligence [inaudible] or the Chinese military.
John Carlin: I do agree that it’s called the blended threat sometimes, but you’re seeing it increasingly with all four of the big adversaries: China, North Korea, Russia, and Iran, that they both seem to work with and exploit criminal infrastructure. And then also the state actors themselves sometimes act on behalf of the state and sometimes act as crooks to line their pockets. I know you’ve thought a lot about different authorities over the years. And when that occurs, it does pressure the way we’ve always been structured so that pure criminal activity creates national security risk. And so then there’s this line question, I know it’s something you talked about both in your book and the movie about where is the line when it should be where crossing it will cause the United States to use all tools including military and intelligence tools to respond?
David Sanger: Well, I think one thing that’s pretty clear is that foreign actors have looked at the divisions that we set up for ourselves and the restraints we put on ourselves, and they figured out how to work the seams of those. So, for example, before we get to your example of this, the Russians are acutely aware of the fact that the NSA and other intelligence services are not allowed to operate in the United States. So they were moving more their activity to servers inside the United States so they would only have to worry about the FBI and DHS and so forth because they recognize that our legal strictures would keep the intelligence agencies out of the picture.
In what you’re describing, this division between criminal activity and state activity, very clear in the US structure, often something that decides whether or not you would use the power of the Justice Department or the power of US Cyber Command is much less of an important distinction to the Chinese or the Russians, which might well tolerate a private profit-making activity on the part of a group of hackers as long as their talents were available to the state when the state needed them.
John Carlin: And do you think that we should imitate what’s been successful for China or Russia, countries that are not democratic, or is it important because of who we are as a people and a country and how we govern ourselves to keep those distinctions, and we just need to get more effective working within them?
David Sanger: Yeah, I think it’s important that we keep the distinction, but that we begin to close off the seams. Now, you actually saw in this election I think a much better movement of data between Cyber Command, NSA and so forth, and their domestic equivalent, FBI, DHS and all that. The intelligence sharing problem there seemed largely solved. I’m not sure it was solved with the private sector for the reasons I described, but just as 9/11 taught us how to share this stuff much better, I think the 2016 election taught us about the dangers of keeping cyber information encapsulated in one agency or another.
One thing we’re getting a little better at, John, but I think we’ve got a long way to go is the assumption that most cyber data that you’re collecting has a very brief lifespan as useful intelligence and therefore should be, in my view, largely assumed to be unclassified, except perhaps the details of how you obtained it so that you can spread it much more quickly; because if you’ve got live information, as they did in the case of the Iranian Proud Boys emails, if you don’t act on it within hours or days, it’s going to be useless within a week.
And we had a system in 2016 where people would spend weeks or months trying to decide whether to declassify something. My view would be, if you really want to ramp up your deterrence, don’t classify it to begin with except in the most extraordinary circumstance. In other words, assume that it’s unclassified until you can make a case to the contrary instead of assuming that it’s classified and then trying to disentangle that.
John Carlin: I think that’s a very interesting idea and definitely points to a current problem, which is if it is default classified, although there’s been a lot of work done to speed that process, it’s still, you’re right, too slow for purposes of operational collaboration. So by the time it gets declassified or shared, let’s say for a private company that’s under attack or otherwise, then as you say, it’s no longer useful to them. It’s too late. And there’s been a lot of work to try to change that. I have one just to poke at you a little bit on. Sometimes I wonder with, how do we keep this in the public’s mind when there’s not a national security anchor or an election angle, even though it may create the same long-term threat?
To use a concrete real example, right now we have a major, Trickbot existed pre-election and even without Trickbot, it’s just one example of a scheme that can be used for ransomware. We are, I think this year we’ll be setting another record in terms of both the number of ransomware attacks; attacks where malware’s deployed so that people can’t access their own systems without paying the bad guy to get a key or get a decryptor. And also those same bad guys are stealing information day in, day out from companies in order to extort them for payment or they say they’ll release it and damage the company.
I think we’ll have a record year both in volume but also in the amount that’s getting paid to these bad guys. And it’s an unvirtuous cycle where the bad guys take what is paid to them and invest it into research and development and hiring more people to do the hack. But I wonder, where’s the attention going to go when the election is over, precisely because it is so commonplace. How do you cover that? How do you keep it in the minds of the American people and the world?
David Sanger: Because at some point it becomes like the drug trade that’s going on as background activity but it’s not really hitting the headlines. COVID may give the opportunity to focus attention on this. I spend as much time as I can up in Vermont and the University of Vermont state hospital up in Burlington has been dealing with a two-week-long very severe case of ransomware which The Times has written a little bit about in recent days, that has basically frozen their ability to get at their files on patients at a moment that we’re seeing COVID surge around the country.
You would think that that alone would focus this kind of attention. But the fact of the matter is that ransomware happens in bits and pieces against small towns and small hospitals and it’s not the big Pearl Harbor-like attack that turns off all the power from Boston to Washington. And therefore it’s very difficult to get people’s sustained attention to it. And it’s turned into such an ordinary business that we see many companies, even law firms, I’m sure you’ve heard of this in the legal profession, basically reaching quiet settlements with the ransomware actors because the embarrassment of having to admit to your clients that their data was insecure and had been obtained in an attack is so huge. So one of the big questions in my mind is, should there be laws requiring companies that are hit by ransomware to make it public?
John Carlin: And where do you fall out on that? So just for our listeners, the current state of the law is that it is legal to make an extortion payment as the victim if it is a normal criminal group. If it is a designated entity, this is an authority of the Treasury Department to designate certain entities to sanction them and put them on a list of sanctioned actors. And that might be individuals, it might be criminal groups in the cyber arena. One, it makes it easy for you to determine whether they’re good or bad because they name themselves Evil Corp or Evil Corporation, they’ve been designated, or it could be a nation-state. And that is not, that would be unlawful.
And in fact, that regime is strict liability, meaning even if you didn’t know, and you unintentionally made a payment to a sanctioned group, you could still be subject to an enforcement action from Treasury. And if you intentionally made a payment to certain groups like terrorist groups, that might even be a criminal prosecution that you support terrorism or other statutes.
So we’ve made it lawful and because we’ve made it lawful I actually think for many, we’re having to advise clients in this area, they have to consider making the payment, right? If you’re a publicly held company, you have a duty to your shareholders and essentially you need to decide whether it’s better or worse in your individual instance to make the payment. You can think about the background of, is it better for all, but really it’s specific to your situation. And for some of these, as you outlined David, if it’s a hospital, it could be a life or death situation. We’ve seen police departments pay ransomware. What would happen if tomorrow we made it unlawful? I mean, are we ready for that? Or what would happen?
David Sanger: The first thing is I think the treasury rule is a little bit ridiculous because with the exception of when you’re hit by Evil Corp, you’re not likely to know whether the person or organization at the other end of the Bitcoin line is in fact a sanctioned entity or not. And so your chance of getting convicted I would think would be pretty low because you could argue that you had no way of knowing who it was.
John Carlin: But just as a reminder though, the Treasury Department in the OFAC guidance, it’s strict liability. You don’t need to know. So they could do an enforcement action, they’d have the grounds even if you really had no idea. The guidance they put out said essentially we’ll consider certain factors though. Normally you’re supposed to have factors like know your customer to avoid sanctioned entities. But here you know it’s a pretty bad customer because they just criminally hacked you demanding extortion. So you think it starts at a pretty bad level.
David Sanger: Yeah, it does. My own view is it would probably be pretty unenforceable to take criminal action for paying these, although I can imagine a few examples. But I do think that you could require that they make it public. And let me give you some examples first of all. If you are a publicly held company and you’ve been forced to pay ransomware, I think you have an obligation to report it to your shareholders. Right now that’s usually enforced only if the ransomware and the breach were big enough that it could be a noticeable effect on earnings. But I think that should be made public.
If you are a public entity, a police department, a school district, a public hospital, I certainly think you need to go make it public because you’re spending taxpayer dollars to pay off the ransom and your taxpayers may have views on that, right? We have had cases where cities and towns have paid the ransomware, and we have used local Freedom of Information Act requests to get the details, how much they paid and when they paid and all the circumstances of that, and we’ve seen cities and towns try to resist our Freedom of Information Act requests on the basis that their own taxpayers don’t need to know and that it would only encourage further attacks if it was made public that they paid.
Well, that may be the case, but I can’t… If the public deserves to know how much money you spent filling potholes, I think they deserve to know if you spent several million dollars from your budget to pay off ransomware. And I think that forcing it to be public will probably be a bigger inhibitor on paying than the possibility of legal action.
John Carlin: Interesting. As reflected in our respective biases, I’ve been thinking that there should be a mandatory reporting to law enforcement before you make a payment, but public reporting would be interesting as well. Do you fear a little bit it might have the opposite impact though? So if you have to report it publicly, number one, depending on who you are, they might be outraged that you did not pay ransom. Although presumably there’ll be some focus on what you did beforehand about whether it’s a company that supports other businesses or if it’s customer information that they could get back or a police department that might be down for two weeks. The pressure might be to pay, that’d be one concern. And then the second, I guess, but linked would be that it’ll normalize it even more and may not change behavior. And then we’ve just gotten into a business as usual of paying large amounts to criminal groups. Curious on your thoughts.
David Sanger: It’s a really interesting question. We have a little bit of empirical evidence here. Baltimore refused to pay when their systems were locked up and we play this out in the documentary, The Perfect Weapon, and they ended up paying millions of dollars more to reconstitute their systems than the ransomware actors were demanding from them. Now, of course we don’t know, had they paid the ransom would they really have gotten all their data back. That’s an unknown in these cases. We have had other cases. There’s a small town in Florida that did pay and did get everything back and feels like they made the right decision because they point to Baltimore as an example of a group that had to pay a lot more.
I think every time you pay it, of course as you point out before, you are simply financing their R&D to be more sophisticated and increasing their incentive to go strike others. So, that’s why at a minimum I would call for making it public if you had to go pay because then you’ve got to go explain to your constituents, whether they are shareholders or taxpayers or someone else, why you didn’t pay enough attention to making sure your data was safe to begin with.
John Carlin: And what about the step further? Do you think it’s… Why allow the payments at all?
David Sanger: I’m not arguing that in some cases you shouldn’t criminalize it. I just think that these are going to be very hard cases to make stick. If you go to a jury, I think it would be a really hard criminal case to argue. We have seen cases where the Securities and Exchange Commission has fined some companies that did not make public data or that paid amounts that could be material to earnings and were trying to hide that as well.
John Carlin: So it could be civil. What you’re saying is it could be a fee. And then similarly OFAC, the regime we were talking about before when it comes to sanctions, that’s civil enforcement and that’s partly why it doesn’t require intent.
David Sanger: That’s right.
John Carlin: And so that might be an in-between measure if I’m hearing you right where it’ll be another deterrent?
David Sanger: Yeah, I think it might be. But if you tried a criminal case, and you would know this better than I would, John, you would have a sense that you were sort of punishing the victim. Somebody came along, they were first off the victim of the ransomware attack and then they got prosecuted for paying the ransomware. I think those are going to be tough cases to win, but you would know better than I because I’ve never prosecuted cases and you have.
John Carlin: Well, tough to win and also not sure it’s the right thing to do. It’s always hard, I think, to use a criminal tool to punish something that you know causes an externality. So causes overall is not good for society. But for the individual you do think of them more as a victim rather than someone who did something wrong. Those are some of the hardest in the areas where there is prosecutorial discretion cases to bring. And so if you could change behavior with something short of that, civil or your other suggestion I think is public shaming, essentially yeah.
David Sanger: Or just publicity. Also that would give us, the public nature of it would give us a better metric about how widespread the problem is. We all know that it’s taken off in the past year, but I’ve not seen what I consider to be reliable statistics that enable me to measure by how much it’s taken off. You might have that because as you know, in your legal practice you see victims come to you, but you are sworn to confidentiality about the cases.
John Carlin: No, it’s true. And I’ll say I was privy to all this information in my government hat, but actually sitting here on the private side working with victims I’ve learned more about the extent of, say, the ransomware issue than I did on the other hat, which goes towards that potential in-between step of right now, even if you’re a publicly traded company, I actually think the OFAC guidance is going to change behavior and encourage people to report more than they did. But only half, if half, of companies reported to someone in the government that they’d suffered a ransomware attack and may have paid ransom, which makes it very difficult to do an analysis on the scope of the problem.
And similarly just going to your public solution, I wonder part of what is regulated now revolves around certain categories of information and whether or not they’re taken. So if it meets the definition of personally identifiable information, then you are required to tell the folks whose information was taken, that gives publicity to an event and it distorts in some ways the public reportings. So you get more public reporting around events that involve personally identifiable information, whereas ransomware may not and doesn’t trigger any reporting.
I mean, that might be an argument in favor of your approach. On the flip side, it does seem like we get, I don’t know about you but I get notices all the time that my information has been stolen. And I know there’s nothing, and I’m in this field, you study this field, it’s what we do. I still don’t know what to do with that information. And so you get kind of inured to it and you start to ignore the notices.
David Sanger: How many times have you gotten these and you’re thinking, okay, so the Chinese have my credit card number, they have my social security number and so forth. So here I’m somewhat critical of the way the federal government has done its own notifications. And I was critical in the book. And let me go to a hack which exposed I suspect some of your information, John. It’s the OPM hack, the Office of Personnel Management.
John Carlin: I’ve shared before that that was my daughter’s essentially first piece of mail. She was very excited because it had her name on it, but it was a notice saying her identity had been stolen from the OPM hack.
David Sanger: Yeah. Well, there you go. But what did that letter also have in it? It was missing who did the hack, which was the Chinese, right? It’s now widely reported that it was China, that we now believe that it was not OPM alone, but the same or related Chinese entities were stealing the data from Marriott, actually Starwood, which was later acquired by Marriott, from Anthem Healthcare. And now we know from Equifax, right? So they’re putting together a much bigger database. It is not just information about John because he’s got a security clearance, but about John’s travels, John’s healthcare, maybe John’s credit rating, which I’m sure is excellent, John, right? And this all goes into a much bigger sort of cross-reference big data database.
What is interesting is that none of the data from OPM that I’ve found has ever been linked to say a case of credit card fraud or identity theft. Nobody’s tried to go take out a loan on a house based on information that they got from the OPM hack, at least that we’ve been able to find, which tells you that this was an intelligence mission not a criminal mission. And you were around for the debates, John, inside the Obama administration about whether or not to publicly name and shame China. And the decision was made not to do it.
In fact, when Jim Clapper once came out, he was the Director of National Intelligence at the time, and named China in the course of a public interview, he was kind of forced to walk it back shortly after that. Now, I hope we’ve evolved beyond that. But the same thing happened with hacks sponsored by Russia, some by Iran against the financial sector in 2012, against the Sands Casino which we describe at some length in the film. One thing I think you have to give credit to the Trump administration for is they did identify Russia as behind NotPetya and they have identified North Korea as behind WannaCry. So there has been some progress here.
John Carlin: No, I think that’s right. I think it’s a trend line. I’ve long believed that unlike other areas that this is one that can’t be solved without making more public. And that’s both because the victims are mostly outside of the government so they can take steps to protect themselves and it’s also because you can’t influence the behavior of the adversaries in this space, I think, without figuring out who did it, and then making it public and importantly, and I think we’re still struggling for the magic formula in this, deterring them, causing pain or punishment because you figured out that they did it and made it public.
And so I think one way to do that is through the criminal justice system. You’ve seen an increase in indictments and it’s one of the few areas of continuity between administrations that didn’t agree on much was using all tools, including leaning towards making public when you’re able to do attribution in cyber. One thing I really worry about, and we’ve had this conversation before though from the reporting side is for those who are expert and do the reporting, and you tell me, I’ve never been a reporter, but it seems like you live to discover and write the story that others don’t know.
And so there’s a premium on that which is secret. And I worry a little bit if the default is making it public that you stop reporting because it’s too easy and keep focusing on that secret. I already feel, and we talked about this, that there’s a little bit of a distortion where what I see both here in private practice and in government is the vast majority, well over 90% of the attacks, even from various sophisticated actors, they use existing vulnerabilities and tradecraft. And yet if you were to read, the coverage disproportionately focuses on that 1% of zero-day or tools that are only at the highest providence of nation-states. I feel like that may be a little bit of the phenomenon because that’s harder to report on. So you’ve had to do a better job as a reporter to dig out those stories.
David Sanger: Well, John, you make a really good point because we don’t cover every car accident that happens every day, and car accidents take a lot of lives in the United States. But you do tend to cover more bizarre or unusual crime, right? And that’s sort of the definition of news. And so I think that there is a significant risk that the vast majority of cyber crime doesn’t get reported because it is so common, and that we focus on things like what has fascinated me, which is the state use of cyber as a weapon.
That said, there is something important in focusing, I think, on the state use because this is not simply cyber being used by America’s adversaries against America. It’s cyber being used by the United States as a short-of-war weapon, which is really where I focused much of The Perfect Weapon and I focused a lot of my past reporting, and I recognized that your colleagues in the United States government are far more enthused about us covering the United States as a victim of other cyber actors than as an instigator of and user of cyber weapons themselves.
But the fact of the matter is you can’t understand one without understanding the other. And you certainly can’t go around talking about how we’re going to set norms of behavior for nations around the world here until we’re willing to both admit to some of our own cyber activity and say what would be off limits for us. And so it becomes all the more important to go focus on state activity because it’s not just about the United States as victim, but also the United States as cyber actor. And we spend a lot of money on Cyber Command on the development of cyber weapons. We lose some of these cyber weapons, that’s what Shadow Brokers was all about. Played out in both the book and the documentary. And there’s very little accountability for that.
John Carlin: One of the things we’ve discussed today and otherwise is that in order to make us safer and to set rules of the road in this new space, it requires making accessible, making people understand what the current threats are. And one of the problems doing that in cyber has been the fact that it can get too technical, so people don’t understand it, but another has been the problem with visualizing. You call it The Perfect Weapon, but if it was a bomb going off or guns being shot, there’s all sorts of visual representations. When it’s cyber, not so much. And so you had this great success of getting your book made into an HBO documentary. I wanted to end by just asking how did that go? How was it trying to visualize the cyber threat?
David Sanger: Well, we’ve done, this is not the first documentary I’ve worked on. Confront and Conceal was a big part of a documentary called Zero Days which was about the US attack on the Iranian centrifuges. And there, there was an effort almost to use graphics and modeling to show how you could use a cyber weapon to blow up Iranian centrifuges because we didn’t have video of that actually happening. And that was done by Alex Gibney and I felt it was an interesting and creative approach to it. The HBO documentary was done with John Maggio, a really brilliant director who previously had done a documentary called Panic about the 2008/2009 financial crisis, another topic that doesn’t lend itself that easily to graphics.
So this is sort of his specialty. And he had a really interesting insight that really goes back to our discussion before about ransomware, which is focus on the victims. Make it clear there are human beings behind this. This is not a bunch of ones and zeroes flying around in victimless crime. And so for the Sony hack, you saw the president of Sony, Michael Lynton, being interviewed. You saw the star of the movie The Interview, which was the movie about an effort to… It’s a crazy comedy about an effort to assassinate Kim Jong-Un that became the instigation for the North Korean attack on Sony.
When we got to the Sands Casino, we actually found casino workers who had been in the control room that day that the Iranians melted down their systems. When we got to the Russia hack of the 2016 election, we sat down with John Podesta and with Hillary Clinton and others and got them to talk about what the real life effect of the hacks was. And when I initially heard this, I thought, well, I’m much more interested in the attacker than sort of the personal stories out here, but I realized as time went on, he had it just right. That if you’re going to make this really resonate with people who don’t think about cyber for a living the way you and I do, you’ve really got to go focus that way on real life human stories.
John Carlin: Oh, that’s a great end, it gives me an opportunity to end by poking fun at you because I believe we first really met because I was angry at you for covering our original groundbreaking indictment on the People’s Liberation Army by focusing only on whether it would change Chinese behavior and not on the victims. And it was very much from the point of view of prosecutors in this space and changing the way we thought the criminal justice system was to prioritize victims and victims’ stories the way we do in every other area of justice and not re-victimize or try to re-penalize the victims.
David Sanger: It pains me to say this John, but you may have been right.
John Carlin: Only the one and only John.
David Sanger: But no, look. The story of the PLA using cyber as a way to go steal data that they needed for state owned companies was a fascinating use of state power. And that’s why I was fascinated by it. But you’re also right that there were real life victims out here and we probably did under-cover that.
John Carlin: I have to stop because I may never get something like that out of you again.
David Sanger: Enjoy it. But now you’ve got it on tape.
John Carlin: But thanks so much today and for the work you’ve done covering this and helping make it accessible to not just the American people but people around the world. Congratulations on the documentary, The Perfect Weapon, and I hope many of our listeners see it.
David Sanger: Thanks so much. Great to be with you.
John Carlin: Cyber Space is presented by CAFE. Your host is John Carlin. The executive producer is Tamara Sepper. The senior producer is Adam Waller. The senior audio producer is David Tatasciore and the CAFE team is Matthew Billy, Nat Weiner, Sam Ozer-Staton, David Kurlander, Noa Azulai, Jake Kaplan, Calvin Lord, Geoff Isenman, Chris Boylan, Sean Walsh, and Margot Malley. The music is by Breakmaster Cylinder. Today’s episode was brought to you in collaboration with Brooklyn Law School’s BLIP Clinic. Special thanks to Amanda Kadish, Isabel Agosto, Jordan Khorshad, Alexa Pantelidis and Bryttni Yi.