HARI SREENIVASAN, PBS NEWSHOUR WEEKEND ANCHOR: British officials say 97 percent of hospitals effectively shut down by a massive cyber attack yesterday are back to normal. The ransomware disrupted health, transportation and telephone systems across Europe. American companies, including Federal Express, said they were hit, too.
The hackers may have exploited a vulnerability in Microsoft Windows software on older computers, a vulnerability the U.S. National Security Agency once identified and turned into a cyber weapon. Microsoft is offering to make fixes for free.
The cyber attack occurred the day after President Trump signed an executive order to review and upgrade cyber protections of government agencies and infrastructure like energy grids. This will build on efforts started by the Obama administration.
Joining me now from Washington is one of the architects of those defenses: John Carlin, the former assistant attorney general for national security, now with Morrison Foerster.
Thanks for joining us. When you started to see these headlines yesterday, what did you think?
JOHN CARLIN, FORMER ASSISTANT ATTORNEY GENERAL FOR NATIONAL SECURITY: That maybe on a bigger scale, but it’s more of the same. Ransomware attacks have been up by over 300 percent according to FBI reporting since 2016 alone. I tell you, day in, day out, both when I was in government and now in the private sector, I talked to companies who have been hit by ransomware.
SREENIVASAN: You know, this particular code was something that we had a couple of months’ warning on. There was patch out there. There was news articles about how this code got out into the wild. But it could be a lot worse.
CARLIN: Yes, it could be worse in a couple different ways. Number one, I mean, the good and the bad side is, hey, this was something that was already known. I think a lot of time, a lot of energy, a lot of print is spent talking about the highest level actors, nation state actors, but the fact is most of what we’re seeing today, taken advantage of by criminal groups, isn’t the highest level most sophisticated hack. It’s exploits like this where the patch was released in March 2017.
But a couple things happened. One, it gets on to people’s systems through what’s called phishing or spear phishing. They send you an e-mail and an unwitting user inside the company clicks on the attachment. That’s how the bad stuff gets in. That’s how the malware gets in.
Number two, a lot of companies are not patching or updating their systems in ways that could stop known vulnerabilities, like this one. And number three, assuming that the worst can happen, we need the move both in our private companies and in government towards thinking about resilience. What happens if the worst happened, have I backed up my information in a way I can get back to doing business?
SREENIVASAN: I also want to pivot to the executive order that the Trump administration just signed. Your thoughts on it, given that you’ve helped craft some of the cyber defense policy that exists today.
CARLIN: Look, I thought the executive order is a good step in the right direction. There are a lot of reports ordered through it, and one thing I do worry about given the scope and scale of the threat we currently face, as was made quite vividly clear with this massive 100-country ransomware attack, I’m worried we’re not doing enough, fast enough.
In that report is a call for a study to increase our deterrents. I think vital to the solution to this problem is going to be deterrents, figuring out a way to make bad guys — be they’re terrorists, nation states or crooks — worried about taking action in this space in a way they simply aren’t right now.
SREENIVASAN: One of the concerns always has been is how fast government can actually kind of practice what it preaches. I mean, you guess were very good at giving, you know, clear guidelines for the private sector, but when you think of the number of computer systems spread out throughout government and how quickly they’re able to implement some of this, I mean — I don’t know how long that’s going to take.
CARLIN: I think that’s right. It is a concern. I think one thing that was good about the approach in this executive order was the idea of making the cabinet secretaries responsible for figuring out what the risks are and ranking them on their own systems, and then making the White House responsible, looking across government to figure out, hey, what is the type of attack, what’s the type of material that causes the highest risk, so we can devote our resources to it. That’s the same approach we’re now just seeing private companies employ on their own systems. Both the government and the private sector need the move faster in that regard, given what the threats are, and start thinking of this like a risk mitigation exercise.
You know, as troubling as this attack, ransomware attack was, one key thing to remember is, this was a crook. This was a criminal group trying to make money. What if they use that same technology and it’s a terrorist group? And what they’re trying to do is cause people to get harmed and they hit hospital systems?
Then, if you pay 300 bucks, you don’t get your records back? Or what if it’s a nation state and they do what they, say, they did with our elections in 2016? They tried to undermine confidence and the integrity of an election. And instead of hitting the electoral system, what they do is some type of massive attack like this on a day that people are trying to vote that says, if you don’t stay home and keep clicking this button on your computer, you won’t be able to get access to your records?
That’s a way of — one attack that was used for one purpose, being leveraged to accomplish a different goal. And that’s the type of thing we keep seeing happened.
So, whether it’s stolen information, it used to be people stole information for the monetary value. Now, they weaponized that stolen information to try to achieve nation state gains. That’s what we saw North Korea do with Sony. It’s what we’ve seen Russia do.
So, I think as we look ahead, the problem right now is going to get worse before it gets better, and it’s incumbent upon both the executive branch, Congress and the private sector, to put this at the very top of the agenda, in the way I don’t currently think it is right now and say, what can we do to move as quickly as the threat it?
SREENIVASAN: All right. John Carlin, the former assistant attorney general for national security — thanks for joining us.
CARLIN: Thank you.