Cybersecurity expert on Russian hack, other cyber threats facing the U.S.

U.S. intelligence officials believe Russia is responsible for the hacking of more than 18,000 government and private computer networks, allowing the hackers to access government information. Bryson Bort, founder and CEO of the cybersecurity platform SCYTHE, spoke with Anne-Marie Green on CBSN about how a hack this extensive could happen, what other governments are cyber threats to the U.S. and why private American businesses are likely safe from this hack.

Video Transcript

ANNE-MARIE GREEN: US intelligence agencies are still working to completely uncover the most sophisticated cyber security breach in American history. The American officials say that Russia is likely responsible for hacking 18,000 government and private organizations, including the US Department of Justice, Treasury, State, and Homeland Security, though the Russian government has denied any involvement. So I want to bring in Bryson Bort. He is the founder and CEO of the cybersecurity platform SCYTHE and a senior fellow at the R Street Institute on Emerging Threats and Cybersecurity. Bryson, thank you so much for joining us.

The "60 Minutes" piece that Bill Whitaker did was so disturbing to me. And there were three things that I found the most concerning-- A, the ease with which the hackers were able to get into all of these different systems, how long they had been there, and the fact that most of the people that Bill Whitaker interviewed weren't sure if they had left. In fact, the expectation is that this breach is sort of ongoing. How does a hack of this magnitude happen?

BRYSON BORT: Anne-Marie, thank you. So a hack of this magnitude happens because you have adversarial governments that are investing a significant amount of money in building out these capabilities. In the case of SolarWinds, what makes this so interesting, as you noted, is first the ubiquity of it. 18,000 organizations, including federal government agencies, are using this application.

The second part is when we look at hacking, it's gaining access to a network through unauthorized means. And, of course, the easiest way to do that is I'm trying to fool you to get in, so if you think about it as a burglar picking the lock to a house to come and rob it. And what's so pernicious in this case with SolarWinds is imagine if that burglar was a trusted neighbor. And that's what they looked like. SolarWinds was a trusted application used throughout these organizations. And so when the Russians co-opted that, it looked just like something they would expect to trust.

ANNE-MARIE GREEN: Mhm. Yeah, sort of I guess like if you're-- when you think of the neighborly sort of example, I think yeah, one of my neighbors has the key to my house just in case I need him to sort of run over when I'm not home. But if that neighbor turns out to be a thief, then I'm in big trouble. Chris Krebs, who was the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, was on "CBS This Morning." And he was asked about why his former agency did not detect the hack last March. Here's his response.

CHRIS KREBS: Einstein is really a fundamental security program for the federal government that is designed to detect known threats. This was not a known threat. This was a novel technique, a novel path never seen before. And so Einstein was not configured for that.

ANNE-MARIE GREEN: So I find this really interesting. Einstein was developed to discover known threats. But if you already know about the threats, then how smart is Einstein? You would think that a program that was kind of evolving with the evolving threats is really what's needed here.

BRYSON BORT: So if you're a hacker, what are you going to do? You're not going to try to break the lock that is on that door. You're going to go through an open window. So all of those defenses that we use to protect ourselves become part of what they test before they deploy the capabilities.

Einstein was started in 2003 because the US government realized that they had this sprawling and growing number of networks through all of these different agencies. And they didn't have their hands around it. Here we are 18 years later and the program has progressed. And again, CISA, which was under the director Chris Krebs, has grown in its capabilities but still has the same challenges that we all have in computer security, which is keeping unknown threats out.

They're still working on these things. And to bring it up recently, at the Senate confirmation hearing for Alejandro Mayorkas, he brought up that the Einstein program and the internal part of that program, CDM, also known as Continuous Diagnostics and Mitigation, really need a complete look at: do we need to redesign these? What do we need to do to make them better?

ANNE-MARIE GREEN: But these institutions, these departments, these companies, they're sort of constantly looking for weaknesses in their system, right, and then I presume plugging them up. But that didn't work this time. Is it that Einstein needs to be better? Or do they need kind of a more thorough way of looking for weaknesses within the system?

BRYSON BORT: Yeah, so in industry, we've seen a shift in computer security to the point that you're talking about, which is what we call prevention. How do I keep a hacker out? And the reality is that nobody has come up with a system that is foolproof in doing that.

And part of that is that it's not just a technical question. People are a part of this system. And so how do I remove the human element of users using those computers, as well as the fact that we can also do things like insider threats, or in the case of a sophisticated adversary, an intelligence organization, they can pay for that access.

And so the focus has been, and this is part of what Chris Krebs called out earlier, that we need to hunt relentlessly. We need to be looking internally at saying, OK, we can't keep you out. But once you're in, we need to be looking to try to find you, and using that information to detect, find, and remove them.

ANNE-MARIE GREEN: Mhm. So authorities believe that the most likely culprit for this massive hack is Russia, most likely. I guess the fingerprints of Russia are all over this, but maybe it's difficult to really sort of directly point the finger at a particular country. But what is it that indicates that Russia may most like-- is most likely behind this? And who else? What other countries may be trying to do the same thing?

BRYSON BORT: Yeah, there is a growing list of cyber armies coming online around the world. Not all of them are friends. But it continues the country practice of gaining intelligence and espionage. Computers and the very nature of how they are interconnected makes them a very tempting target for access to all of that data.

The specific reason why they have attributed this to Russia is still classified. But the government has come out and said that they believe that's the case. Attribution in general is very difficult because there's that combination of, well, looking at this code. And remember, this was code that was inserted into a commercial product, SolarWinds. It's really hard to say, well, who wrote that code?

The other parts that make this difficult is it's not like the Russians went out and put a server in the United States with a Russian flag on it and we're like OK, well, this is where we're operating on. This is more like a detective story, where it's a combination of putting together different insights, different facts, different motives to start to understand who we can-- figure out who did it.

And on top of that, we also have had a claim that came out a week ago that the Chinese also took advantage of SolarWinds, not in the same way that the Russians did by implanting their own code to co-opt the application, but by taking advantage of a vulnerability in it, exploiting that, and then taking over the software.

Two other very active adversarial nations that are out there are North Korea, who does a lot of what would be seen as a more criminal enterprise with working with cryptocurrencies, and also Iran, who has launched or attempted to launch attacks, more trying to cause devastation and chaos.

ANNE-MARIE GREEN: From what I gather, SolarWinds is pretty ubiquitous. It's pretty much everywhere. I guess the option of just removing the SolarWinds software and, I don't know, buying software from a competitor isn't really there because it's, what, too much a part of the system?

BRYSON BORT: So SolarWinds is network management software. It's what we use to maintain the health of the software. But that's not the real challenge now. We plugged the hole of SolarWinds. So if you think of SolarWinds as that was a particular key to a lock, that's been fixed.

The problem is, and this is what Dmitri Alperovitch was talking about in his testimony to the House on cybersecurity last week, which is this concept of breakout time. Once an attacker gets in and gets on a computer, they don't stay there. They drop additional specialized code, also known as payloads. And those payloads are how they're actually accomplishing their mission.

SolarWinds was just the access to the house. Now the burglar is bringing these unique and stealthy tools to the game. And that's what they're doing in the networks to steal things. Those tools, we still don't have public confirmation of which ones they were using, how they were using them, or even the extent of what they've stolen.

ANNE-MARIE GREEN: Wow. So we're talking about government agencies here that have millions and millions of dollars to spend on cybersecurity. But we also know that all kinds of businesses used software that included the SolarWinds software. I mean, if you're a business owner, I guess would you even know if you had been breached? What do you do about it, if anything?

BRYSON BORT: So the small comfort, I guess, the silver lining of these dark clouds is it is highly unlikely that 18,000 organizations, even though they may have had the SolarWinds vulnerability-- and I say even though they may have, because it required a certain patched version. And this might not be a surprise to everybody, but not everybody keeps everything up to date. And as a result in this case, that could keep you safe.

The second, 18,000 organizations is a scary number. But look at that from the attacker perspective. If I'm Russian intelligence, that's a lot of work to go through all 18,000 of those companies looking for something. So most likely, considering that this was a very coordinated and very specific injection, the Russians most likely were going in a priority list of what kinds of things do we want to get before our cookbook is inevitably discovered and stopped? So I think most of those businesses are probably safe because Russian intelligence didn't see any value to them or get to them before they were caught.

ANNE-MARIE GREEN: Well, I suppose that's good. But I imagine it's still unnerving if you're a business that feels like you could be vulnerable. Bryson Bort, thank you so much.

BRYSON BORT: Thank you for having me on.