Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

Former Government Cybersecurity Head Blames Russian Intelligence For Massive Hack

Christopher Krebs, former director of the Cybersecurity and Infrastructure Security Agency, appeared on Capitol Hill on Dec. 16. Krebs told NPR that Russian intelligence is responsible for the massive hack that's affected the U.S. government.
Greg Nash/Pool
/
Getty Images
Christopher Krebs, former director of the Cybersecurity and Infrastructure Security Agency, appeared on Capitol Hill on Dec. 16. Krebs told NPR that Russian intelligence is responsible for the massive hack that's affected the U.S. government.

Christopher Krebs, the former top cybersecurity official in the U.S., says Russia is to blame for a massive breach that's affected the State Department, the Pentagon, the Treasury Department, the Department of Homeland Security and other departments and agencies.

"I understand it is, in fact, the Russians," Krebs told Steve Inskeep on Morning Edition.

"It's the Russian SVR, which is their foreign intelligence service. They are really the best of the best out there. They're a top flight cyber intelligence team, and they used some very sophisticated techniques to really find the seams in our cyberdefenses here in the United States and seem to be quite successful in penetrating some very sensitive places."

Determining blame for cyberattacks is complex. The agency Krebs led until November, the Cybersecurity and Infrastructure Security Agency, described the hackers as "patient, well-resourced, and focused," but did not blame any one entity.

But Krebs joins Secretary of State Mike Pompeo, Attorney General William Barr, and lawmakers including Sens. Jim Inhofe, R-Okla., Jack Reed, D-R.I., and Mitt Romney, R-Utah, in pointing toward Russia as the culprit.

President Trump has instead suggested China could be behind the hack.

Trump fired Krebs in November after Krebs said the November election was secure and free of interference.

Krebs talked with NPR about how the hack happened, if it's an "attack" or "espionage," and how the U.S. should respond. Here are excerpts:

When I think about Internet security as a layman, I'm aware that one of the easiest ways to get at me would be ... that I'm offered some update that's not an update or asked to click on a link that's not really what it purports to be. Does it surprise you that the government was caught in this rather straightforward way?

I actually would maybe characterize it a little bit differently in that the majority of attacks these days or cyber compromises are getting someone to click on a link via an email or open an attachment. And that's really attempting to come in through the front door.

This is a little bit different in that it is a supply chain compromise and they're exploiting trusted relationships between the government in this case and a third party. So they go one step out to come in the back door. ...

It is exploiting a trusted relationship with a third party. Software in particular is one of those things where you assume that when it comes to you and it's signed, you know, the certificate of authenticity that comes along with the software update when it says it's good, you expect it to be good.

The Government Accountability Office raised this supply chain concern a couple of years ago. Did you discuss it at your agency when you were in the government?

Supply chain security was a priority of ours at CISA. And in fact, in 2018, we established a supply chain risk management task force to share best practices and the things that were working. But unfortunately, even if you know the right things to do, it takes commitment from executives, from leadership, it takes investment. So it can take months, if not years to get into a really secure posture.

Did the pandemic make it harder to detect? Because people were distracted, people were scattered, people were working from home.

I think in March when COVID hit and everybody scattered to the four corners and were working from home, that introduced a number of additional vulnerabilities. Or another way to put it is it really expanded the potential attack surface for an adversary.

So I suspect that it wasn't the principal cause of this, but it may have complicated the earlier detection earlier in the year.

What is a proper strategic response to this kind of attack?

I think we have to be very careful about this point because this is an espionage operation. ... If I was national security adviser for the day, I think I would make a very strong statement to the Kremlin to say, "We know you're responsible for this. And if you do anything destructive or damaging with the access that you may still have, that will be deemed as escalatory, and there are a set of capabilities that the U.S. government could bring."

And in the meantime, you have to keep working through your instant response plan. You have to keep working through the detection activities to find the adversary and kick them out.

Are Russia's systems as vulnerable as the United States' systems seem to be?

In the U.S., we are one of the most modern economies in the world. And unfortunately, a lot of that modernization is dependent upon IT infrastructure and communications infrastructure. So there is an element of "glass houses" here. As for Russia, they are not as dependent upon the global economy as we are. So to a certain extent, geopolitically, they have some advantages, but also the fact that their cyber capabilities is one of the few things that does keep them relevant geopolitically.

When you were in government, how hard did the president make it to focus on the very real threat of Russia?

For our team at CISA, we had all the operational authority we needed to protect elections, to work on the various cybersecurity initiatives that we had, irrespective of the adversary, Russia, China and really increasingly, cyber criminals. So I feel like for domestic purposes, we had the room to operate we needed.

We did not have, though, some of the authorities we needed or the budget that we needed. And that has been something that we've worked closely with the Congress on. And this year's National Defense Authorization Act is probably the biggest cybersecurity legislation package in recent years. And it right now is unfortunately sitting, languishing, on the Resolute Desk in the Oval Office. And that bill needs to be signed immediately.

Ryan Benk and Kelley Dickens produced and edited the audio interview.

Copyright 2021 NPR. To see more, visit https://www.npr.org.

Steve Inskeep is a host of NPR's Morning Edition, as well as NPR's morning news podcast Up First.
James Doubek is an associate editor and reporter for NPR. He frequently covers breaking news for NPR.org and NPR's hourly newscast. In 2018, he reported feature stories for NPR's business desk on topics including electric scooters, cryptocurrency, and small business owners who lost out when Amazon made a deal with Apple.