U.S. Markets closed
  • S&P 500

    +58.48 (+1.44%)
  • Dow 30

    +415.12 (+1.26%)
  • Nasdaq

    +208.43 (+1.74%)
  • Russell 2000

    +34.10 (+1.93%)
  • Crude Oil

    +1.21 (+1.63%)
  • Gold

    -10.30 (-0.52%)
  • Silver

    +0.21 (+0.88%)

    -0.0065 (-0.5964%)
  • 10-Yr Bond

    -0.0570 (-1.61%)
  • Vix

    -0.32 (-1.68%)

    -0.0061 (-0.4944%)

    +0.0790 (+0.0595%)

    +262.49 (+0.93%)
  • CMC Crypto 200

    +7.45 (+1.21%)
  • FTSE 100

    +11.31 (+0.15%)
  • Nikkei 225

    +258.55 (+0.93%)

Fmr. U.S. Homeland Security Secretary on ransomware attacks: ‘The scale has multiplied a hundredfold’

The Chertoff Group Co-Founder & Executive Chairman and Former Secretary of the U.S. Department of Homeland Security Michael Chertoff joins Yahoo Finance Live to discuss the impact of ransomware attacks.

Video Transcript

BRIAN CHEUNG: Now, obviously, all of this is coming under a lot of scrutiny in this particular space, so let's talk about this more with Michael Chertoff. He's the Chertoff Group co-founder and a former Secretary at the US Department of Homeland Security. And Michael, on the private side of things, we've been watching what's been going on with that IT software management provider Kaseya, which was attacked less than a week ago, exposed somewhere between 800 and 1,500 companies in a ransomware attack.

And then you also have that news of the RNC perhaps getting attacked through a ransomware issue via a Russian group known as Cozy Bear. Just broadly speaking, where do we stand on these types of security issues? Are private companies and the government just behind the ball on developing defenses to these types of things?

MICHAEL CHERTOFF: Yeah, well, these problems have been intensified. And actually, we've seen the frequency and the scale dramatically increase. So let me separate out a couple of things. One is the issue of ransomware, which I'm sure your viewers understand involves putting encrypted tools on the database, thereby making it impossible to read the data any longer unless you get the decryption key. And generally, what the criminal groups do is, they say you have to ransom that decryption key. And if you pay us in Bitcoin, we'll give you the key. Without it, you may have a lot of trouble operating because your records and your data is not accessible.

This has been going on for quite some time. And in fact, we saw attacks on the healthcare system on cities, on private businesses. But what is different now is the dimension and the scale has multiplied 100 fold. And that brings us to the second point. More and more of the attacks now are on the supply chain that provides the goods and services and the software and hardware that companies rely upon to operate their networks. In this case, Kaseya, the company that was hacked, provides a server management software called VSA, which it then sells to managed service providers, who then turn around and use it to help their customers manage their networks.

The problem is when there's a vulnerability in that software. It basically creates a backdoor to literally every end user and every customer who has that software as part of their system. And particularly, management-- systems management software by definition gives the person who operates that tool broad discretion to manage the network, which means they can get into anything. So I might describe what happened in Kaseya as a kind of super spreader event in the cyber ecosystem.

AKIKO FUJITA: Yeah, Secretary Chertoff, it's good to talk to you again. I mean, that seems to suggest to me that there needs to be a shift in the way in which we approach cyber defense. I mean, it used to be that when we were talking about hacks and attacks, it was about companies really not taking it seriously. Now you've got a situation where they are installing the software that's supposed to keep them safe. And that is the inherent vulnerability.

MICHAEL CHERTOFF: That's exactly right. And I think that's one of the reasons there's an executive order that President Biden issued a few weeks ago, where he talked about the federal government. And one of the things he emphasized was the importance of verifying and having zero trust in software. In other words, you've got to know who's running the software. You've got to know the specifications.

There has to be an assurance that the software provider is keeping security in mind. And you may have to test it, and also building a plan B for resilience purposes. And I think this is going to be one of the big challenges in the private sector as well. How do you know who to trust? And the worst thing in the world is if the security firm you're trusting is actually uploading the problem.

BRIAN CHEUNG: Secretary Chertoff, I guess, can you just walk us through the basics of how a ransomware attack goes? Because I think a lot of people are taking a step back, and they're wondering what is it about this type of activity that makes them more nefarious than other types of hacking, whether it's phishing or other type-- or, you know, Trojan horse, whatnot. How do you think this specific type of hacking approach presents different types of risk than, say, more previous, more antiquated attacks?

MICHAEL CHERTOFF: So there are two separate parts to this. One is how do you get the ransomware into the target network so you can then deploy it? And that's actually no different from what we see with other cyber attacks, whether it's trying to steal money or steal information or interfere with operating systems. You can use any one of a number of tools. You can phish, trick people into downloading something. You can masquerade as somebody that you're not and thereby gain access. You can steal a password or other credentials. And that's the same, whatever it is you're going to do with the end result.

What's different about ransomware is, unlike what we typically see, which is an effort to steal money or steal information or engage in some kind of a fraud, identity fraud, what ransomware does is it locks down all of your data, and it encrypts it. And now when you try to access your network, you can't. Because there's nothing you can read because it's all in code. And the only way to get it out of code is to get the key that allows you to decrypt it. And you can't get the key unless you pay a ransom. And that is why ransomware is destructive because what it does is, it basically shuts down your operations.

To give you an example, a couple of years ago, there was a form of ransomware called NotPetya. This was actually launched by the Russians against Ukraine. And in this case, they weren't interested in getting ransom. All they wanted to do is interfere with the business activities or the government activities of Ukraine. And so they infected using an accounting software. They infected all kinds of machines and all kinds of businesses. And that cost hundreds of millions of dollars to businesses operating in the region.

AKIKO FUJITA: How do you think the federal government should respond to this? I mean, we have seen the White House raise this issue with Vladimir Putin, for example. I mean, increasingly, we've seen state sponsored attacks. And yet despite that being raised in some way, that hasn't necessarily kept the attackers at bay. What should be the federal response at a time when the threat is evolving so quickly and happening at such a quick rate?

MICHAEL CHERTOFF: Well, I think this has really become the burning question in cyber security circles. Obviously, the federal government can help by warning companies when they get intelligence that there's going to be an attack by sharing information about how to defend yourself by working cooperatively in various sectors of the economy to raise the level of defenses. But in the end, there's also a question of deterrence. How do you prevent the Russians or people the Russians are hosting from carrying out these attacks? In the past, we've used sanctions, financial sanctions, that works to some extent. We've indicted people, but the chances of getting them in a US courtroom are very small.

And so now the question becomes, should we respond using some kind of cyber attack of our own? Should we, for example, disable the server that is being used to launch the ransomware, or otherwise create a consequence in Russia or for their criminal organization that's not just indicting them or sanctioning them for money, but is actually putting them out of action? And I think that's the next really big step policy.

Now see, one positive example of this we saw very recently. Colonial Pipeline paid several million dollars in ransom using Bitcoin. The FBI was able to recover the majority of that money by penetrating and getting the Bitcoin out of the wallet of the criminal group. When you take the money back from the criminals, you've destroyed their incentive to hack. And so doing more of that, I think, is going to be very positive.

AKIKO FUJITA: It's certainly good to get your insight today, a former Homeland Security Secretary, as well as the co-founder and executive chairman of the Chertoff Group. Michael Chertoff, good to talk to you again today. Thanks so much for joining us.