Episode 6: Stop Keeping Your Password on a Sticky Underneath Your Keyboard

Cyber criminals and states like China and Russia are targeting the computer networks of everything from America’s hospitals to the water coming out of the kitchen tap. Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), breaks down the biggest cyber threats and what the government, companies, and the rest of us need to do about them.

Please note: Our show is produced for the ear and made to be heard. Transcripts are generated using a combination of speech recognition software and human transcribers, and may contain errors. Please check the audio before quoting in print.

###

[SOUND OF A FAUCET TURNING ON]

Did you know that a cyber attack could be as close as your kitchen tap?

ARCHIVAL Newscaster 1: This morning, the FBI and Secret Service Cyber Units are investigating the hacking of the municipal water supply system in Oldsmar, Florida.

ARCHIVAL Pinellas County Sheriff: We don't know right now whether the breach originated from within the United States or outside the country.

ARCHIVAL Newscaster 1: A hacker gained remote access to the computer system inside the city's water treatment plant.

ARCHIVAL Pinellas County Sheriff: One of the functions opened by the person hacking into the system was one that controls the amount of sodium hydroxide in the water.

Luckily a plant operator was paying attention and noticed that someone else appeared to be controlling his computer’s mouse. The operator was able to go into the system and restore the sodium hydroxide to normal levels. So the water wasn't poisoned.

ARCHIVAL Newscaster 2: ... cybersecurity experts tell us this attack is significant. And while luckily it was caught in time, they say it should raise red flags about the vulnerability of our utility systems.

Here's how the mayor of Oldsmar, Florida put it.

ARCHIVAL Oldsmar Mayor: The important thing is to put everybody on notice. To make sure that everyone realizes these kind of bad actors are out there. It's happening. So really take a hard look at what you have in place.

That 2021 hack into the water system in Oldsmar is something that got the attention of Jen Easterly.

Jen Easterly: It's something I worry about a lot. Some of these water facilities, they don't have cybersecurity teams out there. They're not like Morgan Stanley where you could spend hundreds of millions of dollars and you had hundreds of people doing it. You have generally very few resources dedicated to that.

Easterly is one of the top cyber officials in the Biden Administration. She heads up CISA, the Cybersecurity and Infrastructure Security Agency. It’s the government agency that helps defend the United States against cyber threats.

Jen Easterly: The world is all digitized. We all have to operate online. And it's really important that we understand the basics of how to keep ourselves safe and secure.

And the roughly 153,000 public water systems in the United States aren’t the only things that Easterly is worried about.

Jen Easterly: You know, there's just a ton of vulnerabilities. And a vulnerability, for your audience: vulnerabilities are basically glitches in code that allow bad actors to weasel into those glitches and cause bad things to happen. Whether it's stealing data, causing disruption, corruption of data, or destruction of data.

I'm Peter Bergen. Welcome to In the Room.

Up next, CISA director Jen Easterly tells us about what cyber threats worry her the most, what governments and companies need to do to make sure we're better protected, and what you need to know to keep yourself and your families safe online.

[THEME MUSIC SURGES, THEN FADES]

A Rhodes Scholar, Jen Easterly is a problem solver.

Jen Easterly: Okay. So these are very special because it has the CISA seal on it and it's also a bit of a - bit of a speed cube. Um, so you can manipulate it much, uh, faster… [FADING UNDER NARRATION]

Whether it’s confronting terrorist networks, a cyber threat or solving a Rubik’s cube puzzle.

Jen Easterly: Like mess it up in a way that, uh, let's see.

Peter Bergen: This is, you've messed it up completely now.

Jen Easterly: Yeah, but I mean, I also like to do that.

Peter Bergen: You're doing it behind your back.

Jen Easterly: It's the hard part.

Peter Bergen: Oh my gosh.

Jen Easterly: There you go. There you go.

Peter Bergen: That was 10 seconds?

Jen Easterly: Nah, I don't know.

Peter Bergen: Wow.

Jen Easterly: Yeah, now you're gonna have to learn how to solve it.

She has served three presidents: George W. Bush, Obama, and now Biden. And spent 20 years in the U.S. Army, where she earned two Bronze Stars. Growing up she wasn’t particularly into computers. But she did well in school. Her dad was a Vietnam vet. And she always knew she wanted to be in the military. She didn't even visit the United States Military Academy at West Point before going there for college.

Jen Easterly: West Point is an engineering school, so you have to take four semesters of advanced calculus and physics and chemistry. And then I also did a lot of international relations but my master's degree was in politics, philosophy, and economics. And so I didn't really get into this world of cyber, into a more technical world, until I got to the National Security Agency.

At the NSA, she worked on counter-terrorism efforts. And in 2006, during the war, she went to Iraq.

Jen Easterly: It's when the violence against Iraqi civilians and our troops was at an all time high.

Lieutenant Colonel Easterly helped run a then-highly classified program that helped to decimate al-Qaeda in Iraq. Her team provided intelligence to American troops about where terrorists might be located.

Jen Easterly: I was asked to operationalize a new high technology capability called Real Time Regional Gateway or RT-RG. And essentially what we were trying to do was to take all of the collection in theater whether that's what's being collected from human intelligence or satellite intelligence or phones and integrate it and correlate it and enrich it so that we could illuminate terrorist networks on the ground, not in weeks or days, but in hours and minutes, and we could provide that information to the folks on the ground. And it provided a capability to the troops on the ground that ultimately helped them take thousands of insurgents off the battlefield and save lives. And that was the revelation for me, the power of tech to save lives. And so we have to think about the great things we can do from technology, but also the downrange safety consequences.

At CISA, she's focused the agency's attention on vulnerabilities in some key areas: critical infrastructure like hospitals and water systems and also school districts.

Jen Easterly: I call 'em target rich, cyber poor. They just don't have a lot of cyber capability cuz they're small and they're making tough decisions. If you're a hospital, you're looking to use your next dollar to ensure you've got the best doctors and surgeons. You're not upgrading your software. They're targeted heavily by ransomware actors.

Peter Bergen: What is ransomware?

Jen Easterly: You can think of it as like a virus on your computer, on your networks that essentially locks up your data and then you'll get probably a big skull and crossbones saying, your data's been locked up. And to unlock your data, you must pay us X amount, usually in some type of cryptocurrency. Bitcoin. And this has been a big scourge. But one of the cool things we just rolled out recently was this, pre-ransomware notification, and it's really to call people up and say, hey you got ransomware on your network. You need to do something about it. You need to isolate it. You need to shut down that part of your network.

If an attack is identified early enough, shutting down the part of the network that’s been hacked can prevent the hackers from locking up all the data. Through its pre-ransomware notification program, CISA works with researchers to identify where hackers have gained access to a network to try to stem the damage. The agency also has a tip line to flag computer servers that might have been compromised.

ARCHIVAL Tip Line Voice: To report a cyber incident please press 1

Jen Easterly: We've done this just since the beginning of the year. I think we've done it 60 times and we've gotten feedback on dozens that this actually caught it in time. They were able to mitigate damage and we are able to help people not have their data locked up, not to have to go through the incredible stress the anxiety, particularly if you're a small business, if you're a hospital responsible for people's lives or a school superintendent. And so feeling that direct impact of what you can do to help the American people, it's a gift and a privilege.

Peter Bergen: Typically, who are mounting these ransomware attacks?

Jen Easterly: Generally cyber criminals. They're sort of groups that are loosely connected around the world. A lot of them are based out of Eastern Europe. Some of them are given safe haven and sponsorship by nation state actors. They're really hard to drive down. It's a little bit Medusa-like: you cut that person off, you arrest, and then you'll see a little bit of a lull and then they'll come back in.

These attacks are a big problem for companies. In 2021 cyber crime cost businesses more than $6.9 billion. The same year just one criminal hacking group known as “the Hive” targeted more than 1,500 organizations and received more than $100 million in ransom payments. But it’s hard to find good data on just how often these attacks occur because a lot of companies don’t report them; after all, it’s embarrassing to be hacked and then to pay a ransom.

Jen Easterly: You know, paying a ransom is not illegal– we highly discourage it– but even if you pay, it's not clear you're gonna actually get your data back.

Easterly says there's something else we need to be concerned about when it comes to these ransomware attacks: the chaos that can ensue when a major company’s system is held hostage.

ARCHIVAL Newscaster: Federal authorities are investigating a major cyber attack targeting America's energy infrastructure.

Like what happened with the Colonial Pipeline attack in 2021…

ARCHIVAL Newscaster: Georgia-based Colonial Pipeline says it was hit by ransomware. The company responded by shutting its entire system down to protect it.

This ransomware attack led to long lines at gas stations, especially in the South. The governors of Georgia, North Carolina and Virginia even declared a state of emergency.

Jen Easterly: It got on their business network. So essentially their IT that runs their payroll. It did not get on what we call operational technology that actually runs the pipelines, but they were shut down in an abundance of caution because it wasn't clear whether the malware could move from one part of the business network to the operational technology networks. So that created a panic across America. I think if somebody's watching that panic, and we all did, certainly across the country, I think we need to think about what our adversaries are thinking about cuz that's exactly what they wanna motivate. That's what the Chinese are looking at and that's what they wanna motivate. That type of societal panic. If they want to move to block the Straits or reunify Taiwan, that's the kind of thing they wanna create here but on a much larger scale.

Peter Bergen: How would they do that?

Jen Easterly: I'm a retired intel officer, so we're always trained to think like the adversaries. So I would do everything I can to delay mobilization of our forces to create chaos at home. So I'd go after pipelines, I'd go after transportation, I'd go after communication, I'd go after water, I'd go after healthcare. I think we have to worry about that. It's why we're out of the days of prevention. Peter. We are such a highly digitized, highly connected world and a lot of vulnerabilities there. And so we want to prevent, of course, but we have to prepare for disruption. We have to assume disruption is going to occur, and we need to build our people, our networks, our system to be resilient.

Peter Bergen: There were certainly a lot of concerns that the Russians would have cyber attacks on Ukraine and perhaps elsewhere when they went in and it seemed like the dog that didn't really bark. Do you have a theory about why that's the case?

Jen Easterly: So we were very worried. I think we were very legitimately worried about potential attacks on our critical infrastructure. We haven't seen that yet. We’ve certainly seen major attacks in Ukraine. My theory is that Putin massively miscalculated. He miscalculated in thinking it was going to be a gentle cakewalk into Kyiv and flowers would be strewn. He massively miscalculated in that the world wouldn't come together in a unified way, to condemn his actions, to impose very punitive costs on him.

I do think he correctly calculated that a specific deliberate, cyber attack on our critical infrastructure would be highly escalatory. So I think they have held off. I don't think we should sort of say we're out of the woods and, you know, the dog's gone to sleep. I think we need to continue to be vigilant. It's never a time for complacence because whether it's Russia, whether it's China, Iran, North Korea, or the ecosystem of cyber criminals, these types of capabilities are broadly available. And given the fact that the software has a lot of vulnerabilities that can be exploited by bad actors I think we need to keep those shields up.

After all, the U.S. government has been the target of cyber attacks before. Back in 2015 there was a major breach of the Office of Personnel Management, which is basically the government’s human resources office. More than 22 million current and former federal employees had their personal information stolen in the hack.

ARCHIVAL Newscaster: The Office of Personnel Management or OPM said today it is highly likely that anyone who went through background checks to apply for a government position since 2000 was affected.

Peter Bergen: The Chinese took records of current and former federal employees, which would be pretty useful for them. Right. So was that a big deal?

Jen Easterly: Yeah, absolutely. I mean, any sort of theft of you know, the data of our citizens and, and that one in particular was, theft of security.

Peter Bergen: Yeah. And in a sense the Chinese were being pretty smart. Cause it's one thing to like try and penetrate the Pentagon, but the Office of Personnel Management probably was not particularly well defended. I mean, they're looking for the weakest link every time, right?

Jen Easterly: Yeah, it's a pretty lucrative target in terms of the information that they have. It's the Office of Personnel Management so at the end of the day, you wanna use this data so that you can build profiles. Yeah. Um, to understand, um who is in positions of power and authority. And so, you know, this is part of the overall strategy that, you know, it's not, um, a secret, right? They're going after data in our government going after major corporations. The whole discussion around TikTok, right? The massive data that they can collect from TikTok.

Peter Bergen: Well let's talk about TikTok. I mean, cuz I'm struck, you know, 150 million Americans are using TikTok, which is like just under half the population. It's the fastest take up of any social media. I mean obviously it's a government policy issue that is still sort of being adjudicated on some levels.

ARCHIVAL Newscaster: Today TikTok’s CEO went to Washington to tell lawmakers that they have nothing to fear from his social media platform that almost half of all Americans now use.

Peter Bergen: I mean, it is ultimately owned by the Chinese, however you want to slice this thing.

Jen Easterly: Yeah, I think it's very worrying. It's why the decision was made to remove TikTok from any federal government devices. I would be significantly concerned if, uh, anybody that I knew was using TikTok — from just a data security perspective and the collection of troves of data, to include troves of data on our children, I think that's very problematic. I think what's also instructive is how TikTok presents in China versus how TikTok presents in the U.S. It's much more restricted in China. So what you'll see if you went to China was, my friend talked about this and talked about spinach TikTok, museum visits, education, discussions about Nobel Prize winners. You're not seeing all the things that our kids see here in the U.S.

ARCHIVAL Various TikTokers: I got your nose, I got your nose. I need to get my story straight. And then bam she got hit by a big truck, what? Umm may I help you, like do we got a problem, and twenty seconds

Jen Easterly: And so you can think about this strategy about what is happening to our children here in the U.S. with the type of things they're seeing in TikTok and what is happening with the children in China. And I think it's a very, it's a very purposeful and deliberate strategy.

Aside from her concerns about what the Chinese are up to, Easterly also worries about something else. Artificial intelligence, you know, things like voice replication.

Jen Easterly: You can have the voice of my CEO and you can say, this is urgent. I need you to move this money, I need you to do this. What I understand is it actually only takes about three seconds.

Peter Bergen: It does, it is so easy and it's also pretty convincing. I mean, unless you were maybe married to Jen Easterly or you, you'd have to know you so well to know that because it's just using what's publicly available, you've already said. Right? So it's in your voice. So this seems to be like a potentially huge advantage for bad actors or states or whoever.

Jen Easterly: I've gotten more and more anxious and more and more worried and frankly scared. And you know, I've been down range quite a bit, and I don't get scared easily, but really worried about where we're moving as a society because there are amazing things that this technology can do. But if you see, um, the evolution in such a short period of time and what that technology can now do without the type of guardrails that you would want to be placed on it. When you think about the most powerful weapons of the last century, right, Peter? It was nuclear weapons.

Peter Bergen: Yeah.

Jen Easterly: And governments created them and governments could work together to control them. These are the most powerful technologies of this generation. And they're not created by governments. They're created by businesses that inherently want to make profit. And so you have this competitive drive between some of these companies to instantiate this technology into production so that we're starting to use it now without fully understanding the safety consequences so...

Peter Bergen: What can we do about it?

Jen Easterly: Well, we're starting to have pretty robust conversations about how we can slow down and ensure that there are real guardrails. You know I've heard people say, well, of course it'll be regulated and all that. That's not a trivial thing. You don't wanna just put regulation in place. First of all, that doesn't happen quickly. And you don't wanna put regulation in place peremptorily because we don't want it to crush innovation. But what we do need is a real conversation about what we can do whether it's export controls or regulations or mandatory things that companies need to do before this is shared more broadly.

Peter Bergen: In one of your previous jobs when you were running counterterrorism for Obama, I mean a very related issue was the question of social media companies propagating a lot of terrorist content and although it's not perfect solution, but there was buy-in from the bigger companies that you helped orchestrate where they took bad material down quickly, and they shared best practices. So could you imagine something sort of analogous where we'll have some kind of agreement where we all sort of share the same rules of the road?

Jen Easterly: That administration, even though we saw devices being used for recruitment and radicalization, we were very sensitive to concerns around content moderation and doing anything to look like we were trying to censor any of the content out there. We all went out to San Jose as opposed to dragging all the tech leaders to Washington.

We went out to them to meet with the top tech leaders. There were about 50 people in the room and there was huge skepticism, and so it was very tense at the beginning. It ended up being this just fantastic three hour conversation where everybody was listening. And we heard from our concerns about how ISIS was using this tech for recruitment and radicalization.

ARCHIVAL Newscaster: There are thousands of online forums where jihad is the draw. Why aren't they being shut down? Well I mean some of them are hard to find. What are you going to do - shut down all of Twitter or all of Facebook?

Jen Easterly: We heard from the tech community. And actually what came out of that was the “technology versus terror” efforts that I ran from a White House level to work with some of the big companies about what are the things that they can do voluntarily on their own to prevent their technology from being co-opted by terrorists like ISIS.

Easterly says ultimately the solution is not going to be to try to arrest cyber criminals or to get states like China to observe a set of norms. Instead, more of the burden for security needs to be shifted onto corporations — the institutions providing you access to financial transactions, communication, transportation, healthcare.

Jen Easterly: So the vast majority of all of that is not owned by the federal government. It's owned by the private sector. These adversary nations and these criminals will do things that we won't do. So we're not gonna beat them, there's an asymmetry of ethics that will always be imbalanced with us. So we have to take a different approach. The first is getting technology companies to build safer tech, to build technology that is secure by design when it comes off the manufacturing shelf. So a lot more of these features should be seamlessly baked in, in the same way that you get in your car and you have the seatbelt and you have the airbags, and you have the anti-lock brakes and the crumple zones. Baked-in security. So that's one.

The second is this idea of corporate cyber responsibility. Leaders, whether it's public companies, private companies, nonprofits, uh, small businesses, leaders need to recognize that they own cyber risk just as they own all types of other risks. We have to have leaders from the top who are embracing this as their responsibility because it's the safety of their clients, it's their reputation. And quite frankly, if you're a critical infrastructure owner or operator, it's national security, it's economic security, it's public health and safety.

Peter Bergen: And the way to do that is to make CEOs and board members more accountable. It's not just like at a private company, but I mean, you know, there are tons of foundations and even charities or whatever, any, any organization, this should be sort of front and center of what they're worried about and thinking about.

Jen Easterly: A hundred percent. Totally agree with that. And we all have to play a role collectively in our defense. I saw this when I was in the private sector. You know, it's not just having a meeting once a month and you really have to be constantly in a space where you are sharing information from the private sector, from the federal government. You are being responsive, you are being transparent, you are being value added from a government perspective. And then companies need to put collaboration over self-preservation. Cause you need to recognize that a threat to one is a threat to all.

And she knows this from experience. She spent a stint heading up global security for Morgan Stanley, the financial services company.

Jen Easterly: That time at Morgan Stanley was absolutely invaluable for this job understanding how the private sector defends its networks, understanding, uh, how the private sector looks back at government. Understanding how the private sector operates gave me so much credibility to be able to walk into this job and talk to CEOs in the language of business cuz you had to be able to do that or to have credibility with the business side. You couldn't just have a bunch of nerdy tech speak.

Peter Bergen: How paranoid are you when you sit down at a computer?

Jen Easterly: I would never describe myself as paranoid.

Peter Bergen: Yeah.

Jen Easterly: First of all, me personally, I'm not worried about sitting down at my computer because I know how to keep myself safe.

Peter Bergen: Right.

Jen Easterly: We all have to operate online. And it's really important that we understand the basics of how to keep ourselves safe and secure. So enabling multi factor authentication. Yeah. Uh, two factor.

Peter Bergen: What does that mean in English?

Jen Easterly: It means that you need more than a password to be able to secure your account. So instead of just a login and a password, you should use a second factor. You know, whether that is an SMS text or whether you use an authenticator app or it could be a fingerprint or it could be a security key. And what you choose, two-factor, multi-factor authentication, is really about your threat model. So as the director of America's Cyber Defense Agency, people probably wanna come after me. You know, if you are not somebody who is going to be targeted or in high risk, using an SMS code, using an authenticator app is probably fine. But these things are important for us all to understand because things like multifactor authentication, if you only do one thing, do that, because that's the best thing you can do to drive down risk of having cyber threat actors, in particular cyber criminals, come after you, try and steal your data or steal your money.

Peter Bergen: So I work at Arizona State and I can't sign in without, you know, they send me, they send me a text and they send or a phone call. Right? You have to, there's no way you can sign on and there's nothing you can do without signing on at this university.

Jen Easterly: Perfect! Perfect. But you know, there's also the basics about password hygiene. Getting a password keeper, unique, complex password, stop taking your password and putting it on a sticky underneath your keyboard. Ensuring that you're giving your employees training on how to recognize phishing. Phishing is getting better and better and more sophisticated. You know, the old days of, you know, ‘please to provide your information’ are going away and they're gonna be able to craft phishing emails that are socially engineered to make it think like it comes from your employer or comes from your spouse. And so we need to be trained to be able to think really hard before we click on things that could then infect our whole network. And the last thing is to upgrade software. But you know, I wanna live in a world where technology companies bring me safe software so I don't have to constantly, constantly patch it.

Easterly is also the mom of a teenager. And she spends a lot of time thinking about the long-term effects all this technology will have on people. I get that. It’s something I worry about too. My son isn't a teenager quite yet but he and his buddies already spend a lot of time online.

Jen Easterly: As a mom, I have a lot of concerns about our kids walking around and you know, everybody walking around with what I call weapons of mass distraction.

Peter Bergen: Yes.

Jen Easterly: You walk down a street, everybody's stuck to their phone. We don't look at each other anymore. We don't read books. It's hard to have conversations. I mean, I worry a lot about just the changes in our society because we’re so glued to these devices now. So when you talk about some of the things that were created to connect us and to join the world, and there are good things that have occurred, but there are also studies that show that some of these capabilities are causing major mental health issues. Having lost my own little brother to suicide, I think anything that makes people sort of look at it and feel bad about themselves or, you know, I, I think social media has been playing kind of a role that's not a very positive one when it comes to the mental health of our kids. So I do worry.

###

If you want to know more about some of the stories and issues that we discussed in this episode we recommend The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age by David Sanger.

IN THE ROOM WITH PETER BERGEN is an Audible Original.
Produced by Audible Studios and FRESH PRODUCE MEDIA

This episode was produced by Alexandra Salomon, with help from Holly DeMuth.
Our executive producer is Alison Craiglow.
Katie McMurran is our technical director.
Our staff also includes Erik German, Laura Tillman, Luke Cregan, and Sandy Melara.
Our theme music is by Joel Pickard.

Our Executive Producers for Fresh Produce are Colin Moore, Jason Ross, and Joe Killian.
Our Head of Development is Julian Ambler
Our Head of Production is Elena Bawiec
Eliza Lambert is our Supervising Producer
Maureen Traynor is our Head of Operations
Our Production Manager is Herminio Ochoa
Our Production Coordinator is Henry Koch
And our Delivery Coordinator is Ana Paula Martinez

Head of Production at Audible Studios: Mike Charzuk
Head of US Content: Rachel Ghiazza
Head of Audible Studios: Zola Mashariki
Head of Content Acquisition & Development and Partnerships: Pat Shah
Special thanks to Marlon Calbi, Allison Weber, and Vanessa Harris

Copyright 2023 by Audible Originals, LLC
Sound recording copyright 2023 by Audible Originals, LLC