John Demers And Michael Orlando On Cybersecurity Risks

The following is the unofficial transcript of a CNBC interview with John Demers, Assistant Attorney General of the Department of Justice’s National Security Division, and Michael Orlando, Acting Director of the National Counterintelligence and Security Center, from the CNBC Evolve livestream, which took place today, Wednesday, May 26th. Video from the interview will be available at cnbc.com/evolve.

Interview with John Demers and Michael Orlando

EAMON JAVERS: We start today with a dive into the public sector outlook and then we're going to discuss how the private sector is approaching this whole new era of cybersecurity risk. So I want to welcome Michael Orlando. He is the Acting Director of the National Counterintelligence and Security Center, and also from the Department of Justice, John Demers. He is the Assistant Attorney General at the National Security Division at the Department of Justice. Welcome to both of you gentlemen. And if I could, I'd love to start with a mystery, which we saw in the wake of the Colonial Pipeline hack, and see if either of you can help us solve that mystery. The mystery is this. We saw the Colonial Pipeline hack, and then we saw the group behind it, DarkSide, go dark about a week later. They vanished from the scene, we didn't see any of their websites publicly attributable to them operational anymore, and nobody seems to know what happened to DarkSide. So John, if I could start with you, can you shed any insight on what happened to DarkSide after the Colonial Pipeline hack when they vanished from the scene?

JOHN DEMERS: Well I don't think I'm going to be able to solve that mystery here today, Eamon, but thanks very much for having me. Thanks Michael for being on, too. I do think, though, you know, it highlights one of the issues that we have right now with nation states serving as safe havens, basically, for criminal cyber actors and this increased blending of the threat from sophisticated criminal hackers and nation state hackers. When nation states aren't doing their part to investigate and root out hacking activity happening within their borders, then any number of things could have been the answer to, you know, what happened to the DarkSide infrastructure including that, you know, they're just off renaming themselves, so we'll see.

JAVERS: Right, so TBD on that one. Michael, same question to you. Maybe expecting the same answer, but if you could, do you have any sense of whether U.S. intelligence had anything to do with that disappearance and you have any sense of who these DarkSide hackers actually were?

MICHAEL ORLANDO: Thanks for having me on the show and good to be with my colleague from DOJ. We don't have any sense of that, but, you know, I concur with John's comments that these ransomware attacks on critical infrastructure are definitely a national security threat. As we take down pipelines and hospitals, it certainly creates a risk of life. We do know that countries like Russia and China, Iran and others certainly create safe havens for criminal hackers as long as they don't conduct attacks against them. But that's a challenge for us that we're going to have to work through as we figure out how to counter ransomware attacks.

JAVERS: John, as Michael talks about these safe havens that are out there, the big question is what are American companies doing about this? Because if anything they're fueling the safe havens by paying these ransoms and giving the bad guys more resources to work with. How do you sort through the FBI's recommendation on the one hand that companies should not be paying ransoms to get their data back, and the reality on the other hand, which is that companies are paying those ransoms and it’s millions and millions of dollars. And that's fueling the fire in some ways, but you can understand why individual companies feel like they have to do it.

DEMERS: Yeah, I do understand that that can be a difficult choice, especially at that moment. And so the question is, you know, what things can you be doing ahead of time so that you're not faced with that impossible choice when your system is actually encrypted and shut down. But the problem with the ransomware payments – in addition to the fact that you're just funding illegal activity, right? You’re not just funding the amazing lifestyle of some ransomware hacker. That would be fine, I guess, at the end of the day you buy his yacht, you buy his houses, his vacations – but you're actually funding the criminal activity itself. The second piece is at the end of the day, you're making a deal with someone who is a thief. And the question for any business is going to be, can I really trust this person to deliver back to me the decrypt key that just does its job, doesn't implant any other malware into my system, and effectively allows me to unlock my system in a short amount of time. So it's a real question whether you're going to get what you pay for, and you certainly don't have any recourse if you don't.

JAVERS: Right. And Michael, you know, your background in your role now is counterintelligence, which for people who don't know that term, that means basically fighting spies. And we're used to this world where you have spy versus spy, but so often now what we're seeing in these situations is spy versus CEO. And CEOs don't have a counterintelligence background, a counterintelligence capability. How do you talk to companies about how they need to deal with this nation state espionage activity that we're seeing, especially considering the fact that companies just aren't bankrolled nearly to the scale that these nation states are. It's an unfair fight.

ORLANDO: Great question, and I'm glad you asked it. You know, 20 years ago, foreign intelligence services were just looking to steal government secrets, government technology. Now we have nation state actors looking to take intellectual property from the private sector and using all the tools to do that. And the private sector and government organizations have to look at security with a counterintelligence mindset, understanding that they're up against paid and well trained intelligence services that have key technologies and tradecraft to steal from you, both illegally and using illegal means to do it. We need them to partner with the government so we can help them build the right programs. But also, when you talk about paying ransom, where the real conversation that we should be having is getting left of this threat, how do we better protect ourselves and build the resiliency to do that. Backing up your data, having the right cyber hygiene. We also, you know, cyber is just one area of concern. You have the insider threat, employees who oftentimes are recruited by these foreign intelligence services. Then you also have the supply chain issues. And so, organizations need a kind of enterprise-wide security program that goes beyond just locks and doors, and focuses on the cyber threat, supply chain and the insider.

JAVERS: John, how do companies do that? I mean, the cliché in this conversation has always been we need a public-private partnership, we need more information sharing, work together better. What does that look like in real terms? You know, we talked about left of the threat, right of the threat. How about right in the middle of the threat? Right when the attack happens, what's the company supposed to do in terms of picking up the phone and calling the FBI? What kind of information do they need to share? What kind of information do they need to protect for themselves? What are the next steps in working with the government?

DEMERS: Yeah. So I think, right when the threat manifests itself, you have to have already prepared for that moment. So when it comes to, for example your question Eamon, on calling the FBI, you need to know exactly who you're going to call and what their phone number is and it’s already in your phone. So you have to establish those relationships ahead of time.

JAVERS: Or on a piece of paper or somewhere in case you can’t get into your phone.

DEMERS: Exactly. The second part is, I mean, think about your systems. Do everything you can to protect your systems, but assume that someone is going to get in. And then plan from there ahead of time again. So someone has gotten in, how easy is it for them to move from one part of the IT network to another part of the IT network? Where is your data on the IT network? Where is really the most critical aspect – depending on your business – where is the most critical aspect of your data? How is that housed? Is that something you can access if you just access the main computer system? So the answers will depend very much by company, but segregation and segmentation of the data to make it harder for folks to move around. And then how do you restore the systems when they're encrypted or they go down? What kind of backup data do you have that's up to date, but offline so that you can recreate your own files and you're not counting on the criminal to help you recreate your files by giving a decryption key after you give them millions of dollars. So all of that thinking has to happen ahead of time in a very, you know, realistically working now scenario. And then I agree with Michael, one of the things we've seen, not in some of these recent cases, but that we see in many cases this sort of hybrid insider threat cyber threat. So the insider who plants malware on his company's computer and then, you know, from afar nation state – that computer system could exfiltrate a whole bunch of data, making sure that all parts of your security apparatus, your resources, your plans that they are all integrated in planning for events like this.

JAVERS: Michael, that insider threat that John's just talking about – that's something that makes companies uncomfortable, right? Because then you're policing your own employee base and trying to figure out who is inside your company and trying to cause you harm. You know, from an HR standpoint or just from a legal and moral standpoint that's kind of a nightmare, isn't it, for companies?

ORLANDO: No, I don't think so. You know, a good insider threat program goes well beyond having measures that monitor employees. It's about good HR practices that assess employees for suitability before you bring them on, not just looking at the talents. And a good insider threat program also goes to educating your workforce so they understand that they can be targeted and what to do if they are targeted by the intelligence service.

JAVERS: So, John, one of the things we talked about, we talked about corrupting your data, this idea of a possible threat of disinformation, right? You can not only have your data stolen, but you can have your data changed in such a way that you don't recognize it or make mistakes. That's a huge problem as well. We just had a study out today from Facebook talking about the disinformation problem globally and they ranked Russia as the highest threat in terms of disinformation. I wonder if you agree with that, A, and B, what do you think people need to understand about the disinformation threat in America right now?

DEMERS: So, I mean, that Russia is the biggest disinformation actor globally is not a surprise to me. I do agree with that. I mean, it's always tough to come up with an estimate for some of these things, but that makes sense. But there are other actors who are catching up. If you look just in the U.S., you know, the Iranians are reading from the Russian playbook. You see the Chinese increasingly engage in disinformation practices on social media around COVID and other narratives. But the Russians have been doing this for many, many years in many theaters around the world and have done so to an extent that most other countries have not.

JAVERS: Michael, same question to you on disinformation. How should companies in particular be thinking about this disinformation threat and what should they be doing about it?

ORLANDO: I agree with John, it's not just Russia but it's Iran and China as well. And I think for private companies and organizations and individuals, you really have to vet the source of your information and then you also from your own information, put the proper protections in place. Always saying kind of left of threat and having those measures there and thinking about how that impacts your organization.

JAVERS: Right. But how can you tell, right? If you're dealing with a subtle actor who has gotten into your data and manipulated some things to change your analysis of the world around you, you know, we're all – I'm sitting here looking at a laptop as we're doing this, we're also dependent on the devices and the data that's on them to make all of our business decisions throughout the day. If you can't trust that data that you're seeing on your laptop or on your hard drive at work, how do you operate a business?

ORLANDO: So I think this all goes back to good cyber hygiene, as John talked about. But there were a number of things in regards to cyber that we have been saying for years, and outside experts saying that, for an organization to get onto your computer, phone, they have to send some sort of malware and most of that's done either through patches that have not been updated, or email phishing. So if you are able to patch your system and screen out those bad emails, you're going to protect yourselves from a variety of the attacks. And then if you do get hit with some exotic attack, if you're doing the continuous monitoring – monitoring your logs, segmenting your networks – you're really going to minimize what's there. And also catch it, if it's there as well. And also, having those partnerships with the FBI and CISA and your sector specific partner so you're getting threat information before you have that attack I think is critical, so you can share information and they can share information with you.

JAVERS: John, we've got a couple of minutes left here and I wonder if we can end maybe on a prediction, which is, do you think the DarkSide and groups like it are going to come back? When do you think that's going to be, and what format are the next attacks going to take? If you had to reach out six months and make a prediction.

DEMERS: Sure. So, yes, certainly groups like that will come back. They are already out there. Probably DarkSide itself, those actors that comprise that group, will be back if they're not already out there in other forms operating as we're talking about. I think, you know, what the Colonial Pipeline showed was that things like infrastructure attacks that we often associated with nation state actors are actually being conducted by criminal actors and they are the ones who are providing us with the wakeup call in that area because they don't have the same governor that a nation state actor will have in those kinds of attacks. And then, finally, that we have to figure out how to deal with this problem of criminal safe havens where actors are allowed to, you know, act with impunity, as well as they all do work for a foreign government.

JAVERS: And Michael, last thoughts from you on foreign governments. This is such a scary thing that's happening right now in terms of ransomware and these attacks, but we're also seeing this idea out there, that these ransomware attacks associated with the criminal underworld in Russia and around Russia are not just criminal in nature, they might be a preview or testing of nation state capabilities. Now I wonder if you can leave us with a thought on whether you think the ransomware attacks portend anything particularly ominous or scary when it comes to nation states testing their capabilities through this criminal low level activity?

ORLANDO: I think it's important for your audience to know, from those involved in critical infrastructure, the nation state actors are most certainly interested in inserting malware into those systems so that in time of conflict, they can cause disruption to create issues for our decision makers. But I can't necessarily say that the ransomware is a part of that, but regardless of that, this is a real issue that nation state actors are trying to do that to disrupt our networks. And then they are also conducting cyber operations to steal your information. We're losing anywhere between $200 to $600 billion in intellectual property, just from the Chinese, and so we shouldn't just be focused on ransomware.

JAVERS: Yeah, that's a great place to leave it. There are so many other threats out there and so much scary stuff to talk about, but thank you both, Michael Orlando and John Demers.

About CNBC:

CNBC is the recognized world leader in business news, providing real-time financial market coverage, business content and general news consumed by more than 547 million people per month across all platforms. The network's 15 live hours a day of news programming in North America (weekdays from 5:00 a.m. - 8:00 p.m. ET) is produced at CNBC's global headquarters in Englewood Cliffs, N.J., and includes reports from CNBC News bureaus worldwide. CNBC at night features a mix of new reality programming, CNBC's highly successful series produced exclusively for CNBC and a number of distinctive in-house documentaries.

CNBC also offers content through its vast portfolio of digital products such as: CNBC.com, which provides financial market news and information to CNBC’s investor audience; CNBC Make It, a digital destination focused on making you smarter about how you earn, save and spend your money; CNBC Select, a financial site providing content to help users make informed decisions around choosing the right financial products for their lives; CNBC PRO, a premium service that provides in-depth access to Wall Street; a suite of CNBC mobile apps for iOS and Android devices; Amazon Alexa, Google Assistant and Apple Siri voice interfaces; and streaming services including Apple TV, Roku, Amazon Fire TV, Android TV and Samsung Smart TVs. To learn more, visit https://www.cnbc.com/digital-products/.

Members of the media can receive more information about CNBC and its programming on the NBCUniversal Media Village Web site at http://www.nbcumv.com/programming/cnbc. For more information about NBCUniversal, please visit http://www.NBCUniversal.com.