CHRISTIANE AMANPOUR: Cyberspace has become part of the combat zone. And the U.S. Senate has passed major cyber security legislation this week following warnings of the potential for Russian attacks. Michael Chertoff was Secretary of Homeland Security, and he tells Walter Isaacson what NATO needs to do now to prevent such an attack.
(BEGIN VIDEO CLIP)
WALTER ISAACSON: Thank you, Christiane. And Michael Chertoff welcome back to the show.
MICHAEL CHERTOFF, EXECUTIVE CHAIRMAN AND CO-FOUNDER, THE CHERTOFF GROUP AND FORMER U.S. HOMELAND SECURITY SECRETARY: Good to be back.
ISAACSON: You were Secretary of Homeland Security. Your job was to protect our country from attacks. What type of attacks, particularly cyber-attacks, are you worried about now?
CHERTOFF: I think cyber-attacks are the thing I’m most worried about. We’ve seen the Russians use cyber tools and cyber weapons against Ukraine, and against other countries. As we turn up the pressure and sanctions, particularly on the financial system, there is a concern, and I know that the U.S. government has been articulating this, that our banks will become targets for cyber-attacks, ransomware or other kinds of attacks that are designed to affect availability, integrity or confidentiality of data. The other area I worry a little bit about is the energy sector, again, that’s an area that Russia is deeply invested in. They’re going to pay a price with sanctions and they may try to visit the price on us.
ISAACSON: When you were Homeland Security Secretary, did you worry more about a Russian state attack or did you think they were going to use proxies and kids in St. Petersburg, and hackers around the world in ways that are harder to defend?
CHERTOFF: Well, this is going to sound strange, but back when I was secretary, which was 2005 to 2009, we didn’t worry about the Russians. The Russians were generally reasonably friendly to us because they were concerned about Jihadi terrorism. And so, they cooperated, to some degree, with us in terms of what we were doing in Afghanistan. And we thought that conflict with Russia was a historical artifact, not anything we were going to see again. What’s happened in the last, you know, dozen years, is Russia has transformed back into more of an adversary state. We also now worry about China, and we continue to worry about terrorism, although now it’s domestic terrorism as well as international terrorism. So, the kinds of issues that we have to be concerned about for security have multiplied. And as we’ve seen in the last two weeks, it turns out we haven’t met the end of history, we just turned the page and now we’re back to the history of the cold war.
ISAACSON: Do you think we were unprepared then, since we weren’t focusing on Russia in the early 2000s, that we were unprepared for understanding what their capabilities might be?
CHERTOFF: I don’t think it was that we were unprepared. I mean, we always knew they had capabilities. I think we thought that their mindset had changed more or less permanently, and I think what we didn’t see, and I’m sure there are analysts who are looking at this now is that Putin would become more and more hostile, particularly in the last 10 years. And in the last couple of years, he’s apparently isolated himself because of the pandemic and I’m sure that has an effect on his mental state. So, I mean, this is a question of intent rather than capability. And it is true, though, that, you know, 15 years ago, most of our intelligence was focused on the next Jihadi terrorist attack, and we may have lost some of our intellectual resources directed at Russia and China. And now, all of a sudden that’s back.
ISAACSON: Why do you think our national intelligence capabilities and our assessment capabilities did not spot the possibility that Vladimir Putin was going to change or understand what his motivations were changing would be?
CHERTOFF: Well, I can’t speak for whether the intelligence community saw this coming. I think certainly since the election in 2016, there’s been a general recognition by the intelligence agencies that Russia has become much more hostile, and there’s been a lot of focus on misinformation and cyber-attacks. We saw, for example, SolarWinds, which was a major cyber-attack that was by the Russian intelligence services. So, we did see that they were migrating to hostility in becoming more adversarial. What I don’t know is whether we actually anticipated that Putin would decide he wanted to engage in an old-fashioned land war. And I’m sure that, right now, the intelligence community is examining itself to make sure they’re not missing other cues that might be out there that we need to be aware about.
ISAACSON: Explain to us what happened in that SolarWinds attack, which was a cyber-attack from, I think, the Russian government itself. What happened and what did we learn from it?
CHERTOFF: Well, Walter, usually what we see when the Russians attack is they use a criminal group as a proxy. In this case, they were able to identify direct attack from the GRU Russian Military Intelligence on a network service provider that provides network management services to thousands of customers. And what they did is they embedded a vulnerability there so that everybody that was using that service to manage a network wound up importing a vulnerability into their own networks. It’s a little bit like dare I say, the way a virus transmits itself to human beings, we have a carrier, and then everybody who comes in contact winds up potentially getting sick. So, they embedded that, and then they were able to use that, not to hack every single network but to find the ones they wanted to hack and then have basically a back door. And along with Colonial Pipeline, which was your Russian criminal group that basically forced our pipeline to shut down for a period of time, you could begin to see the Russians expand the scale and scope of what they might do in cyber space.
ISAACSON: The Russian criminal groups like the ones that attacked Colonial Pipeline, are those coordinated with the Russian government or are those out of control?
CHERTOFF: I don’t think they’re out of control, and I think that basically the message the Russians send is, you do what you want, just don’t do it against Russian victims. And when we need you to do something, play ball with us. And I think that’s been going on really for years. The Russians use this as deniability. I’d go back to when I was secretary and there was an attack on Estonia in 2007. And when we tracked it to Russian servers, the Russians said, oh, it’s not us. It’s patriotic Russian criminals who are doing this. And I don’t think we really believed that, but we understood that they were using criminals as a cutout in order to have deniability.
ISAACSON: When Russia does such an attack and when it’s clearly been able to be traced to the Russian government, is that an offensive attack and if it’s on Estonia, which is a NATO member? Does that trigger NATO’s collective defense article?
CHERTOFF: Well, actually we did work with Estonia when I was in office to help them with (INAUDIBLE). The bigger question is, other than acting defensively, what are we prepared to do in terms of retaliation or deterrence? And that’s been a topic of debate for several years now. I mean, I do think there have been some instances where we have struck against a server that has been used to attack us, but we’ve not really mounted, you know, a very consequential cyber-attack because we haven’t, frankly, wanted to escalate and get into a real conflict. That’s a phenomenon we’re now observing in real-time, which is we have to make sure in the physical world we’re calibrating our response so as not to actually trigger something worse. But I think if we do see significant cyber-attacks going forward, I think we may yet engage in having a little bit more of a forceful response. But again, calibrating so we don’t trigger something that gets out of control. And to be honest, this is what makes this kind of a global situation very fraught because you want to be tough, but you don’t want to be reckless.
ISAACSON: What type of offensive capabilities do we have?
CHERTOFF: I mean, we have — I think we’re better than anybody in the world. I don’t think there’s anybody better in our ability to hack and then take steps if we wanted to with various kinds of tools to either shut down or delay or otherwise have access through a cyber system. We generally don’t do that. There may have been a couple of instances in the past where we’ve taken offensive measures. But most of the time, we use our cyber for purposes of simply collecting intelligence, which is traditionally what the intelligence community does.
ISAACSON: Do we have the capability to try to hack and stop communications or other computer systems of Russia as they go into Ukraine? In other words, break down their command and control, and should we?
CHERTOFF: Again, I can’t tell you exactly where our capabilities are in this situation. In general, I would say we have a lot of capability. The challenge is, again, calibrating what is a reasonable response to one that triggers something that gets out of control. And certainly, Putin’s comments about nuclear weapons suggests he’s, you know, quite attuned to threatening us if we get involved in an actual conflict. That’s one of the reasons I think the administration wisely said, we’re not going to enforce a no-fly zone over Ukraine because that would put us in direct conflict with Russia, and then things might spin out of control. And I have to say, Walter, traditionally, whether it’s in Ukraine or Syria or elsewhere, we have been careful to make sure that we don’t overstep in a way that might get the Russians paranoid and then we could lose control of the situation.
ISAACSON: Why haven’t we seen a major cyber-attack from Russia, either orchestrated at Ukraine or orchestrated at us?
CHERTOFF: Well, I have to say that’s been a little bit of a puzzle. Now, there have been some attacks on Ukraine that preceded the physical attacks, but they were actually relatively nuisance attacks, not anything compelling. For example, they didn’t shut down the grid, energy grid as they had done in prior years for a period of time. And so, it’s a bit of a puzzle as to why they’ve held back from doing that. But I wouldn’t assume that that’s not going to happen at some point. It may be right now they’re so focused on using physical resources and kinetic resources against Ukraine that they’re not thinking about cyber-attacks. But that could easily change in a moment.
ISAACSON: Do you think that there are problems with their physical attacks, with their movements of tanks and troops, the fact that they haven’t been able to just roll right over Ukraine might cause them to change their thinking in that regard and hit with cyber-attacks?
CHERTOFF: I think it’s very possible that they might decide to use cyber-attacks, particularly because their on the ground assaults seems to be faulty. And now, they’ve moved from what I was, I think, they imagined would be a lightning blitzkrieg, which turned out not to. They have now moved into basically dropping huge amounts of ordnance missiles on civilian areas. If that doesn’t wind up getting them what they want, they may do cyber or they may do all of the above. What’s not clear now is what the objective is. I don’t know that they really want to occupy all of Ukraine. I don’t know what they have done actually allows them to install a puppet government. To be honest, I’m not sure they have a game plan at this point. And I don’t know, as David Petraeus, you know, said many, many years ago, how does this end? I don’t think they’ve thought about that.
ISAACSON: President Biden said that if the Russians attack our infrastructure or even attack our critical companies, that we’re prepared to respond. Are we?
CHERTOFF: I have no doubt about that. I’m quite sure that we have the capability to respond against their resources, their command and control, their servers. The issue will be calibrating the response so it has key, but so it doesn’t spiral out of control. And to be honest, I think one of the reasons Putin has made some of the statements he’s made recently is what they used to call the madman theory of politics. If a political leader acts crazy enough, it may deter people from responding to an attack because they’re worried what he’s going to do next. So, there is a little bit of that madman theory that I think Putin is using now. But again, it’s very hard to — I can’t read his mind. I don’t have access to what he’s actually thinking. And so, taking care to be very calibrated about response is, I think, of critical importance.
ISAACSON: I remember when you were Homeland Security secretary, and then when you were one of the leaders of the Homeland Security Group at the Aspen Institute, a topic that you kept discussing which was, what is our critical infrastructure? In other words, do we have a critical infrastructure list in which we say, if you attack this it’s a major attack, i.e., if you shut down our electricity system, if you break open our dams? What is critical infrastructure and how do we define that when we tell the Russians don’t go there?
CHERTOFF: Right. We’ve published publicly, and it’s revised from time to time, you know, a list of the areas, the critical areas that we consider critical infrastructure. It’s obviously things like finance, communication, health care, energy. We don’t give them — we don’t announce or publicly state specific enterprises, but it’s not hard to figure out that if you attack and wind up causing a loss of life or significant economic damage, we reserve the right to respond, not only in kind but using other kinds of tools. And we have said that publicly over the years. So, I don’t think there’s much of a doubt about what we would treat as critical infrastructure. The issue would be, what is the degree of consequence that has to ensue before we take steps in response to retaliate, and what would those steps be? And I think there you do want to have a little bit of strategic ambiguity. You don’t want to give a road map to the adversary. But I think that they are aware of our capabilities. It may be that is determined to some extent or it may be they’re waiting on something else. But I think we are prepared. I think one thing the administration has done in the last year is they have been really working operationally to coordinate with the private sector in defending and responding to attacks. And so, I think we are improving literally week by week, but, of course, the adversary is also changing and evolving.
ISAACSON: You talk about critical infrastructure, you say it’s pretty clear which ones that if the Russians attack we’re going to respond. Should our election system be considered a critical infrastructure?
CHERTOFF: I believe that one of my successors, actually, Jeh Johnson, announced for the 2016 election that we were going to treat the election system as critical infrastructure. And certainly, in terms of cyber-attacks against, for example, servers, we’ve been working with state and local officials to have them increase their cyber security. The good news is that the actual voting machines themselves are generally not connected to the internet, except very briefly when the election is carried out to send results in, and we can also create a paper back up. The bigger problem with elections is disinformation. Where the Russians attempt to create disunity or to mislead people about things involving voting in a way that would make it difficult for some people to vote. But actually, disinformation piece, which I think we saw in 2016 and 2020, is the biggest tool that the Russians and other adversaries use to try to undermine not only our elections but our sense of trust in the government.
ISAACSON: Secretary Michael Chertoff, thank you so much for joining us.
CHERTOFF: Thank you, Walter.
About This Episode
27-year-old teacher Svetlana Zorina, a resident of Kherson, Ukraine, describes her experience of the war. Karim A. A. Khan discusses the International Criminal Court’s investigation of Russia. Former Russian Foreign Minister Andrei Kozyrev calls on all Russian diplomats to resign. Michael Chertoff discusses the likelihood of a Russian cyberattack.