Deputy national security adviser talks about the risk of Russia waging cyberwar
AILSA CHANG, HOST:
Even before Russia invaded Ukraine, we had been hearing warnings that a cyber war could be coming very soon. And then last week, President Biden released a statement regarding cyber threats to the U.S. Deputy national security adviser Anne Neuberger explained the risk in no uncertain terms in a recent press briefing. She said the warnings are based on, quote, "intelligence that the Russian government is exploring options for potential cyberattacks on critical infrastructure in the United States." Well, Anne Neuberger joins us now to talk about those threats. Welcome.
ANNE NEUBERGER: Thank you so much, Ailsa. It's great to be here with you.
CHANG: It's great to have you. I just want to first get some clarity on what level of threat we're talking about now because last week you said that there is no certainty that there will be a cyber incident on critical infrastructure. Where are we on that risk as of today?
NEUBERGER: We continue to see evolving intelligence, as we talked about last week, that the Russian government is exploring options. And we continue to, most importantly, double down in working closely with the private sector to share that sensitive threat intelligence and really try to create the urgency for action and the call to action to put in place the cybersecurity measures that would prevent that from being successful.
CHANG: OK. Well, I was wondering if you could give us maybe a concrete scenario because this idea that there could be attacks on our basic infrastructure - it sounds pretty ominous. Just so our listeners can get a sense, what types of attacks are we talking about here?
NEUBERGER: To be clear, there is no specific intelligence about a specific planned attack.
NEUBERGER: It is more that in the context of the current geopolitical environment, where there are heightened tensions, in the context where we've seen Russia conduct cyberattacks in Ukraine, we felt the need to share that information and to really encourage companies, particularly critical infrastructure owners and operators, to take the steps they can take to prevent that from being successful...
NEUBERGER: ...To lock those digital doors, as I've talked about.
CHANG: Right. I understand that you can't share intelligence that's talking about a specific attack that could be imminent now. You say that there no such intelligence that reflects that. But could you paint us a picture, a scenario, a hypothetical of what a cyberattack could look like on basic infrastructure were it to happen here in the U.S.?
NEUBERGER: Yes. So I'll use a ransomware example, a criminal example, because it's more about, as you said, the impact. So last year we saw a criminal ransomware actor disrupt fuel supplies all along the Eastern Seaboard - right? - the Colonial Pipeline incident, followed shortly thereafter by another ransomware attack against an operator of - essentially a food processing operator. And in both of those cases, what the criminal cyber actor did was leverage - use vulnerabilities to get into the network, to migrate to the operational part of the network where they could disrupt actual operations. I'll note that in 2021 alone, we're aware of over $1 billion in ransomware-associated payments. So when we talk about the kinds of cyberattacks we're most focused on working to prevent, it's disruption of critical services that Americans rely on.
CHANG: When it comes to prevention, let me ask you - the majority of the country's critical infrastructure - it's owned and operated by the private sector. Is that a problem? I mean, how much can the U.S. government tell these companies what to do in order to prevent cyberattacks?
NEUBERGER: You're asking a core question, Ailsa, because cybersecurity is a cost for a number of sectors. The U.S. government does have the authority to mandate minimum cybersecurity measures - things like cyber alarm systems, things like exercising incident response plans, backing up data, ensuring that patches are done quickly because that ensures that technology vulnerabilities are closed quickly. We've made significant progress in improving digital resilience in the last year.
CHANG: Right. And I suppose it's in these companies' self-interest to prevent cyberattacks.
NEUBERGER: It is.
CHANG: You have been saying recently that there has been an uptick in bad actors scanning for vulnerable devices, that there's been other signs of intrusion in our networks. How common is that kind of scanning? Like, does it lead you to believe that Russia is indeed preparing to launch a cyberattack against the U.S. or the U.S.' allies?
NEUBERGER: Scanning systems for vulnerabilities is fairly common, whether criminal actors, Russian actors, actors who may seek to steal research and technology, as we've talked about other countries like China doing in the past. You have countries like North Korea who often target banks to acquire hard currency as part of their sanctions evasion. So scanning systems to try to find vulnerabilities is fairly common.
That being said, at a time of heightened geopolitical tensions where we have an actor like Russia who has used cyber to coerce or destabilize or undermine, disrupt critical services not in the United States but in countries like Ukraine and Georgia, we felt it was prudent to be open and transparent with the American people, to raise awareness and to call companies to action to address it.
CHANG: I am curious how NAITO would come into play in cyber warfare because, of course, we've heard a lot about Article V, which says that if a NATO ally is the victim of an attack, every other member of NATO will consider that attack against all of them. Does Article V apply to cyberattacks?
NEUBERGER: As you've said, we've noted that one or more - NATO has noted that one or more cyberattacks of a significant nature could reach the level that an Article V physical attack would happen because we'd be looking for equivalent parity with regard to impact.
CHANG: OK. What is the threshold, I guess?
NEUBERGER: Cyber is still a new field, Ailsa. It's an area where - we are learning how the principles that have been put in place from a national security perspective in the physical arena land in the cyber arena. So the principles we've put in place are to say, yes, one or more cyber incidents could reach the threshold of an armed attack to where it would reach an Article V attack. And we've having consultations among the countries who are participants in NATO to discuss what that might look like.
CHANG: That is deputy national security adviser Anne Neuberger. Thank you very much for your time today.
NEUBERGER: Thank you, Ailsa.
(SOUNDBITE OF BEACH HOUSE SONG, "BLACK CAR") Transcript provided by NPR, Copyright NPR.