A
From Recorded Future News and PRX, this is Click Here. Hey there, it's Dina. A quick note before we start. Twice a month, we team up with our friends over at 1A for something we call Cyber Monday. Host Jen White and I talk for a bit, then we play a Click Here episode, and then we take calls from listeners. Today's Cyber Monday is a look at why foreign hackers are targeting small-town America and what happens now that Washington appears to be pulling back on some of its cyber defenses.
A
The first voice you'll hear is from 1A's host, Jen White. Take a listen.
C
So let's start big picture first. Dina, when we talk about cyber attacks on utilities or companies located in the US's small towns, how common are these situations?
B
It's getting more and more common, and it's definitely part of a pattern. You know, the federal government has quietly been tracking hundreds of these small municipal utilities, water, power, even 911 dispatch systems that have been probed and infiltrated by foreign actors. And both the FBI and the CIA have said that these adversaries, particularly Chinese state-sponsored groups like something called Volt Typhoon, are mapping local systems. And they're not looking to cash out right away. They're trying to understand how things connect for a rainy day when they might need them.
C
Okay, now you said a rainy day when they might need them. So this is not about theft necessarily. It sounds like it's more about reconnaissance. What kind of rainy day are they preparing for?
B
Well, they're preparing for a geopolitical rainy day. And you're right, when you talk about reconnaissance, this is sort of mapping your way through something, knowing how the systems work, which routers you're using, which software you're using. So if they know all that, then possibly if there's, say, an unpatched router that has an old system on it, that gives them an indication: oh, we might be able to get in there, build a backdoor, we might have malware that can take care of that. So, when it comes to the Chinese in particular, this is all in anticipation that there might be a conflict between the US and China in the future, specifically over Taiwan.
B
And they want to be pre-positioned to, say, turn off the water near a military base or turn off communications near something else that might actually have an offensive capability for the United States. So it's pretty scary.
C
Yeah. So much of the infrastructure that powers our lives is local. So who's responsible for defending it?
B
Well, that's the tricky part: there's no single line of defense. In big cities, utilities might have actual cybersecurity teams that are dedicated to this. New York City has one, for example. But in smaller towns, the same person managing billing or maybe water quality might also be their, you know, part-time IT person in charge of cybersecurity. And on the federal level, the responsibility is supposed to fall to CISA, the Cybersecurity and Infrastructure Security Agency. And it basically helps towns test their defenses, patch vulnerabilities, shares threat intelligence, and very often will provide grants so that small towns can afford to get somebody in to look at their systems to make sure they're safe.
C
But some of that funding local governments relied on, it's going away or has...
B
Gone away, has gone away. So a lot of that safety net has been fraying. DOGE, the so-called Department of Government Efficiency, folded CISA into a smaller unit of the Department of Homeland Security and cut a big portion of its state and local grant funding. Its workforce has been drastically thinned out. Over 1,000 people have left, and the 2026 budget wants to cut 1,000 more, which is kind of amazing given what's going on. And several senior officials who have left or have been reassigned were the people who used to be helping rural utilities, and now they aren't.
C
Okay, so these threats are expanding, they're getting more granular, they're hitting closer to home. Meanwhile, federal support for fighting these intrusions is shrinking. How is the Trump administration explaining that decision?
B
I don't know that they're exactly explaining it, but I think what we can see just looking at their actions is the Trump administration isn't a fan of CISA, the Cybersecurity and Infrastructure Security Agency. In addition to all these positions it's cut, it sees CISA as part of the so-called censorship industrial complex because it does more than just cybersecurity for infrastructure. It tracks adversaries and dis- and misinformation, and it does election monitoring. The former head of CISA said that the 2020 election had been the safest election ever.
D
Right.
B
He was the CISA director. So a lot of this sort of angst between Trump and CISA has been going back quite a ways and now it's coming to roost.
C
Well, Dina, your team spoke with one expert about cybercriminals threatening smaller targets. Here's John Burns. He's a threat hunter at Dragos. It's a cybersecurity firm.
E
What I always tell customers that ask me questions about "I think I'm too small for this, what do you think?": they could be a small utility, but you also have to look at what they're servicing, like what's in the vicinity. Sometimes nuclear power plants or big military bases or something will be serviced by smaller rural utilities, because they put these bases and stuff out in the middle of, you know, rural locations. And so you never know. Just because it's a smaller utility, it could be servicing something that's actually kind of important.
C
Okay, we're using terms like mapping and positioning, which can make it feel like we're talking about politics more than digital warfare. But what kind of transition are we making when we talk about the kind of geopolitical power struggles that have typically happened?
B
Well, I think we're particularly vulnerable here in the United States. If you compare the USA with China, China has what they call the Great Firewall of China, which means the Chinese government in Beijing is seeing everything coming in and out of China. That's why you don't hear about ransomware attacks and all these other things in China, because they're monitoring everything. Every network is something that the government controls. That's not how it works here. We're a bunch of little tiny networks. And then in addition to that, you know, you wonder, why would a small town be a target for China? That seems sort of silly, except that there's been so much systemization in the United States when it comes to utilities or water plants. People are using the same, you know, similar routers, similar systems. So if you can map quietly, say, in a small town in Massachusetts, which is what we were looking at, Littleton, Massachusetts, and you can map that quietly and understand how their system works, you can take what you've learned and lay it on something, say, like New York or Washington, D.C., because there are enough similarities. That's why we're seeing that kind of stuff.
C
Well, let's hear from Nick Lawler. He's the head of that utility in Littleton.
F
The first thing I did is I Googled both their names, just to kind of see if they were real. And the individual from Homeland Security, from CISA, his name was Daniel King. So now your mind's even going more like, whoa, was this the spy Daniel King that was in here?
C
Well, as it turns out, Daniel King is the name of an American sailor accused of spying for the Russians. And it just so happens that this federal agent who reached out to Nick Lawler has the same name. That was one of the reasons Nick was confident that this was all a scam. What happened from there?
B
Well, you know, his inclination was correct. If someone calls you and says, hey, I'm here to help you, I'm from the FBI and you've been hacked, I mean, your hackles should go up. It's possible that it's somebody trying to scam you. So that wasn't crazy. But what he said is they called him while he was mowing his lawn, and he had already gone to a bunch of different cybersecurity trainings. They'd done a lot to try to make Littleton more robust. And so he said, why don't you come to the office on Monday, we'll do... And then these two guys show up who look like men in black, right, with straight ties and conservative suits. And he even thought that was part of the con. And it wasn't until they took a brochure that basically said how you can look for Volt Typhoon, which is this Chinese-backed hacking group, and they slid that across the table. And that's when he went, ugh, this might not be a scam. And he just felt his heart sink. And he right away called his cybersecurity guy and said, hey, is this thing real?
C
We'll hear more about Volt Typhoon and Nick Lawler in just a bit. But considering the fact that this was off Nick Lawler's radar, someone who works in the utility field, these are the kinds of stories we should hear about, but we don't very often. It may be discussed, but in very tight circles: people who are working in the tech space, in the digital space, in the utility space. Why should everyday Americans know that this is happening?
B
Because it's going to affect you. I mean, clearly, if the Chinese decide that they want to sort of take down a utility, that's your electricity in the small town where you never thought it was going to be affecting you. This is cybersecurity more generally. And one of the reasons why we focus so much on it is that it used to be about governments and corporations. Now it's about us. It's about our schools, our cities, our hospitals and our utilities.
C
We're here with Dina Temple-Raston. She's the host and managing editor of the Click Here podcast from Recorded Future News and PRX. She's staying with us. Coming up, we take a trip to Littleton, Massachusetts, the small town that learned about big cyber attacks the hard way. That's just ahead.
G
If you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up today's most interesting and important cyber stories from our sister publication the Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to TheRecord Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.
A
This is Click Here. You're listening to a Cyber Monday conversation with 1A, WAMU and NPR's midday news magazine. We're talking about cyber attacks on America's public utilities. And when we say critical infrastructure, most of us picture things like big-city power plants, oil pipelines, or the massive data centers that keep the Internet running. But more and more, the attacks are hitting smaller, quieter places in that system: the water authority that keeps your tap running, the electric co-op that powers your street. And we've reported on one of those attacks in Littleton, Massachusetts. Take a listen. Littleton, Massachusetts, is a town of about 10,000 people. It's the kind of place where neighbors wave from porches and where a conversation about wastewater management with the head of the local utility can happen between the Frosted Flakes and Raisin Bran at the grocery store.
F
It does happen a lot in town. I have a direct contact with the people that we serve.
A
That's Nick Lawler. He runs Littleton's municipal utility. He provides light, water and power. It's not glamorous, but it matters. And that's what Nick loves about it.
F
You provide essential service to the residents you serve, and then have their appreciation for that back. I don't think there's many jobs in the country that you get that direct satisfaction from.
A
One Friday afternoon in the fall of 2023, Nick was outside mowing the lawn when his phone started to buzz. The caller said Nick needed to ring the FBI. No real details, just call the FBI. So he did. And that's when Nick got the bad news. The voice on the other end said Littleton's utility had been hacked. And then almost right away, the voice said, don't worry, I'm here to help. Nick just needed to give the voice some information.
F
We need your personal email address. So if you can give us your personal email address, that'd be great. We then want you to click on a link.
A
Now, Nick wasn't born yesterday. He didn't panic and he didn't click. Instead, he hung up and went back to his mowing. Because if it was a scam, he wasn't going to fall for it. There's another reason Nick didn't buy all this. Littleton's utility wasn't flying blind when it came to cybersecurity. Far from it.
F
We've always taken it seriously. We've presented at national conferences on what do small utilities do, and how can you be prepared for these events? We had policies in place. We, you know, had cyber insurance. We very much thought that we were leading the way.
A
So they weren't just prepared, they were an example. So when the call came, it just didn't sit right.
B
And what was going through your mind?
F
That, you know, this is ridiculous. I'm getting a scam right now. But still, you never really know, but, you know, you play it out.
A
He decided to call the local FBI field office himself, the real one, just to be sure.
F
I called back the number that I looked up online. I asked for that gentleman, and he answered the phone. Oh, okay, I'll nick you back. It's like, what is going on here?
A
Nick Lawler still wasn't convinced this was real. And he told the guy as much.
F
Listen, I can't comprehend what you're saying right now. It seems very fishy. You know, if you're really who you say you are, you know, why don't you come to our office Monday morning? I want you to tell me to my face.
A
He hung up. And he figured that was the end of it. But then on the Monday morning, just before Thanksgiving, Nick Lawler was in his office sipping coffee, checking in with his team. His usual morning routine.
F
Until I get a call from my front office saying that there's two gentlemen here. One from Homeland Security, one from the FBI.
B
Did they look like feds?
F
Yeah, it looked like men in black. You had two guys in suits and ties, collared shirts. I'm thinking in my head, do these two guys just go to the store and buy suits? And is this the trap? Like, what is the trap? You keep trying to figure out, because you're just so skeptical.
A
Nick brought them back into the conference room.
F
They put a pamphlet in front of me and it's got nation state actor, Volt Typhoon.
A
Volt Typhoon, a Chinese state sponsored hacking group known for quietly targeting critical infrastructure.
B
And had you ever heard of Volt Typhoon before they gave you this literature on it?
G
No.
A
They explained the threat. They'd been seeing quiet probes into infrastructure all across the country, and it looked like Littleton was among the targets. And then they said they could help.
F
But we don't need you to make a decision today. This isn't ransomware. This isn't something that's going to happen tomorrow. Enjoy Thanksgiving and then call us back. Yeah, that was kind of my response. I kind of laughed. Enjoy Thanksgiving? If this is real, how can I enjoy Thanksgiving?
E
Nick definitely seemed like he was frazzled, but, I mean, who wouldn't be when they got a phone call from the FBI?
A
This is John Burns. He leads threat hunting at Dragos, a cybersecurity firm that specializes in threats like this. And months before, John's team had started working with Littleton, helping them beef up their defenses against cyber attacks.
F
And then I mentioned Volt Typhoon, and I heard the sigh of panic. So I'm like, okay, well, at least that's real.
E
Our adversary hunters were already tracking it as a threat group that was doing things out in the wild, but we hadn't seen it in any customer environments yet.
A
Until now. John told Nick that Volt Typhoon doesn't leave many fingerprints. There's no ransomware screen, no ransom notes.
E
There's no, like, banner that pops up that says, hey, this is Volt Typhoon in your environment.
A
Instead, they slip in like a ghost and then just wait. It's not a smash-and-grab with them. It's a long con. Dragos also had something most others didn't: a list of some 35,000 IP addresses that had been tied to Volt Typhoon in the past. So John and his team went hunting for those in Littleton's systems.
E
I went in and started looking, and I very quickly was able to see that there was some really weird traffic going from a couple of their servers to some malicious IPs that were geolocating to China.
F
So that's when I knew it was real.
A
Now that Nick had confirmed that the threat was real, the question became, how did it happen? And it turns out, for as ominous as the threat sounded, a nation-state hacker in your network, the attack itself happened in the most pedestrian of ways. The vulnerability came from a third-party IT vendor.
F
They got an alert saying, hey, we need a firmware upgrade because of a known vulnerability. And they never did that upgrade.
B
So it was basically a patch that wasn't done, correct?
F
Yep. I would say within days of that vulnerability being known, Volt Typhoon had gained access. They probably ran some sort of algorithm that put us on a list of people they wanted to try to infiltrate.
A
Needless to say, Littleton canceled that vendor's contract. But as John and his team at Dragos looked further, they did uncover one piece of good news about the hack.
F
Now, they never did gain access to any customer information or our OT systems.
A
OT, or operational technology, systems. OT systems control the physical world, like turning water on and off or managing safety sensors. If a hacker could control that, they can shut the whole system down. But in this case, the hackers had only made it into Littleton's IT systems, the part of the network that controls more virtual things like email. And that was by Littleton's design. They had drawn the line between IT and OT systems and put a strong firewall between them. And that line held. So the hackers never had control over the physical plant. Now that they confirmed that they had an intruder, they got to work rebuilding the perimeter, patching the holes.
F
We changed IP addresses, we changed structure. We got multi-factor authentication across the board, new firewalls.
A
The whole operation took about a month. And then, just in case, they ran a stress test. CISA, one of the government's cyber divisions, came back and did an exercise. CISA tried every which way to break past Littleton's security for three long weeks. As Nick held his breath, they were...
F
Unsuccessful to get in. So we believe that we closed any doors that Volt Typhoon might have opened. But it's one of those things. It's a strange feeling once they're in. I don't think you ever sleep easy at night, thinking that, you know, did they somehow leave something somewhere you didn't find?
A
And there was this other thing still keeping him up at night. One question he couldn't answer. Why them? Why Littleton? When Nick Lawler was sitting in that conference room, the Volt Typhoon pamphlet in front of him, the men in suits across the table, they kept saying this one thing.
F
They made it very clear on several occasions that we were the top priority in the federal government, at which I kind of chuckled.
A
Littleton, Massachusetts, population 10,000, one substation. A top priority. Nick was dubious until they explained why. Volt Typhoon doesn't behave like most hackers. They don't lock you out, they don't demand Bitcoin. They don't brag on social media about their hacks. They just slip in quietly and kind of hang out.
F
They blend in and then they might grab some files that look interesting to them. Then they get off. That's what makes it hard to catch them. They're not actively on your system, but they're actively making sure that their access is still there. So every couple months, I think they're coming back in. Okay, yep, good. That door's still open. Or we still have access to what we need to get access to. And that's it.
A
While Volt Typhoon was doing this quiet hack to pre-position themselves on infrastructure networks across the country, they were lying in wait for the moment when something went south. A war, a diplomatic crisis. And then they'd already be inside, ready and waiting to attack. And it turns out it wasn't just Littleton. Volt Typhoon had cracked into systems in some 200 other U.S. utilities. In places where Volt Typhoon gained access to operational technology, it was more than just lurking inside a network. Theoretically, they could cut the power. They could stop the flow of water. They could even disable critical utilities near military installations. And this isn't hypothetical. It's already happened elsewhere. During the pandemic, Russian hackers locked up Colonial Pipeline's billing system, crippling fuel deliveries up and down the Eastern Seaboard for days. And then there was JBS, the world's largest meat processing company. In that case, a Russian ransomware group shut it down for days. And according to the suits, China's Volt Typhoon was putting the pieces in place to be able to do something like that. And there's this other thing that makes small towns targets. They often are home to big things like military bases or nuclear facilities. They're also just a good place to sort of run a dress rehearsal for larger attacks. John Burns from Dragos.
E
Again, I think it's cheaper for an adversary to test their tools on a smaller target rather than put in place their own infrastructure to test their tools. I would probably go test it on a small utility or a small water company to make sure that my compromise tools work before I went and deployed them in a big attack.
A
It used to be that if you attacked a town like Littleton, it wouldn't teach you much about how to attack Boston or Baltimore. Systems were all different, but not anymore.
E
It used to be very heterogeneous out in the world, where it was like every control system was completely different. And if you compromised one, it was like, okay, no big deal. You really can't compromise another one just because you compromised this first one. It's kind of a one-off. But now we're kind of getting into this homogeneous era where it's all about repeatability and scalability. So if you can use a compromise in one place, I'm potentially vulnerable to the same attack because of that, which...
A
Is how Littleton becomes a gateway to...
H
New York, to D.C. Everyone is either target or transportation.
B
Tell me what you mean by that.
H
You either have something they want, or you are the path to get to the thing that they want.
A
This is Sue Gordon. She used to be the number two at the office of the Director of National Intelligence during the first Trump administration. We caught up with her to talk about Littleton at Vanderbilt's Future of War summit in Nashville back in April.
H
What we do to protect the critical infrastructure has got to be done taking into account the fact that when you make it more orderly, you make it...
A
More attackable, because being orderly makes things predictable and, by extension, very hackable. Sue also worries when she sees the so-called Department of Government Efficiency cut cybersecurity grants. The U.S. government's strategy to protect vital infrastructure: a big part of that is public-private partnerships, funding grants to help towns like Littleton beef up security against adversaries.
H
I know if you're DOGE and you see some dollars for something, it's hard to identify what that's going to yield 10 years from now. So I think it's incredibly worrisome when that's the approach you take: a line item that you can't trace to some immediate benefit becomes something you take away. Because it's that long time horizon work that has saved us over and over again over the course of our history.
A
Because the federal government can see the pattern. They can spot how one compromised water system and one forgotten zip code can have ripple effects. So they invest in preventing that.
H
There are some things that government does really well. It tackles big problems that are too big for others. It has longer time horizons.
B
Do you think that there are lots of Littletons out there that are totally vulnerable to these kinds of threats?
H
Infinite.
A
Wow. So that's why Nick Lawler speaks up even when others don't or won't.
F
I mean, I know there's other utilities in New England that were hit, and no one wants to talk about it. And if we're not willing to talk about it as victims, then how do we expect our peers to ever hear of it? And I think the first reaction from the public is, how did you let that happen? But, you know, it's our job to explain it, and it's our job to tell the public what we did right and tell the public what we didn't do right. So that way hopefully it doesn't happen to you.
A
In September 2024, Nick took the stage at a cybersecurity summit for the American Public Power Association.
F
And when I asked how many had heard of Volt Typhoon, only half the hands went up. So this is a full year after we had been compromised. These are professionals that are in this part of the industry, and only about half had heard about Volt Typhoon.
B
Did that surprise you?
F
It doesn't surprise me, but it's unfortunate.
A
And that's the part that sticks: that one of the most sophisticated cyber operations China has ever run could quietly reach into a tiny town with a single substation. But a year later, half the people responsible for keeping the lights on across America still hadn't even heard its name.
B
So is it a little mind blowing when you think that a Chinese state hacker came after little, tiny Littleton? What does that make you feel like?
F
Well, the whole thing's mind blowing. And really, ever since this has happened, it's really heightened my awareness of the world that we live in today and the type of warfare that we're witnessing. And that's what this is. I mean, this is cyber warfare. I think James Comey had the quote: there's two types of companies in the world, ones that have been infiltrated and compromised by the Chinese and ones that don't know it yet.
A
That's a story that aired on 1A from NPR and WAMU. Just ahead, how the federal government is preparing for this new age of digital geopolitics. And we hear from listeners. Stay with us.
D
What the hell is going on right now, and why is it happening like this? At Wired, we're obsessed with getting to the bottom of those questions on a daily basis. And maybe you are too. I'm Katie Drummond, the global editorial director of Wired, and I'm hosting our new podcast series, The Big Interview. Each week I'll sit down with some of the most interesting, provocative and influential people who are shaping our right now. Big Interview conversations are fun.
E
I want a shark that eats...
D
The Internet, that turns it all off. Unfiltered and unafraid.
F
So in a lot of ways, I try to be an antidote to the unimaginable faucet of reactionary content that you see online, to the best of my ability.
D
Every week we're going to offer you the ultimate luxury of our times: meaning and context. True or false: you, Bryan Johnson, the man sitting across from me, one day, at some point as of yet undefined in the future, you will die. False.
C
Tell me more.
D
Listen to The Big Interview right now, in the same place you find Wired's Uncanny Valley podcast. Subscribe or follow wherever you get your podcasts.
A
From Recorded Future News, this is Click Here. We're back with more from our conversation on WAMU's 1A news program. Here's host Jen White.
C
Now back to local utilities, state-affiliated hacker groups and the future of digital geopolitics. And we're adding a new voice to the conversation. Brandon Wales is the vice president of cybersecurity strategy at SentinelOne, that's a cybersecurity firm. He's also a former executive director at the Cybersecurity and Infrastructure Security Agency, or CISA. Brandon, welcome to the program.
I
It's great to be here. Thank you.
C
And still with us is Click Here host and managing editor Dina Temple-Raston. Brandon, when we talk about state-affiliated hacking groups, exactly what are we talking about?
I
These are individuals associated with and sponsored by a foreign nation whose job it is to fulfill various roles within the cybersecurity apparatus. They could be focused on gathering intelligence, compromising entities so that they can gather political, military, economic intelligence. They could be actors trying to compromise critical infrastructure, like your discussion related to Littleton: getting inside, lying in wait, really focusing more on how do they fulfill military objectives. And it runs the gamut. You can also see ones where it's more a permissive environment. Russian ransomware groups may not be fully sponsored by the state, but the state knows that they're there and allows them to conduct their ransomware operations because they believe that it fulfills broader goals of weakening the West, undermining credibility, in the United States and elsewhere.
C
Well, you testified before Congress in January about current cybersecurity threats. Your co-panelist, Adam Meyers, CrowdStrike vice president for Counter Adversary Operations, had this to say.
F
These incidents are not over. Salt Typhoon is an ongoing activity by...
E
An adversary, as is Volt Typhoon, or what we call Vanguard Panda.
F
So this is something that we need to continuously engage. We need to continuously identify, root them out and put a stop to them and cut off their access.
C
How good of an idea do we have of how many of these operations are currently active?
I
It depends on the sophistication of the adversary, how good they are at covering their tracks. I think what we have seen for some actors, particularly those associated with China, is that they have gotten very good over the past decade. Since 2015, they've really retooled, and it is much harder to track them at scale. We know that there are a lot of groups out there conducting operations, both ones that are actually Chinese state officials as well as companies that operate on behalf of the Chinese government. But we don't know all of them. And certainly their ability to cover their tracks leaves a lot of places where we're blind to exactly what they're doing.
C
So when we talk about, for instance, Volt Typhoon, how many other companies would you estimate were caught up in that attack?
I
Well, I think, you know, the report that Dina did mentioned maybe up to 200 companies potentially were compromised across the country. And those were obviously ones where we were able to find them. It's not guaranteed that we found all of the places that they were.
C
Well, Dina, Homeland Security Secretary Kristi Noem has promised to prioritize a, quote, comprehensive whole-of-government approach to cybersecurity. But as we said earlier, CISA's headcount was slashed heavily this year. The Trump administration scaled back support for both state and local government. So what do we lose when the federal government pulls back so heavily from cyber defense?
B
Well, you lose an ability to have visibility. I think one of the other things I would add to what Brandon said is that when you find out, for example, a small utility has been compromised, you start looking at other small utilities to see if they were compromised in the same way. We had discussed earlier that one of the things about the United States is a lot of stuff is systematized, right? They're all using similar, you know, infrastructure control systems, industrial control systems. So if it worked on this one, will it work on that one? And I think one of the problems is one of the big things that the Trump administration cut was the Multi-State Information Sharing and Analysis Center, MS-ISAC, and this program provided no-cost cybersecurity tools, a 24/7 security operations center. So you could say, hey, you know, it's a weekend, we're skeleton crew and somebody's moving around who shouldn't be in our system. Help us out. It was also threat intelligence for the state to share information. And with that gone, that sort of blinkers you a bit.
C
Brandon, why is this cyberspace such a high priority for foreign adversaries like China, Russia and Iran?
I
It is a useful tool to help them achieve their goals in ways that are harder to see and where the response from the United States could be less clear. So if a foreign country had come in and deployed operatives and blown up a portion of Colonial Pipeline, it is almost guaranteed that that would result in some type of military action, because that was a terrorist attack. But when a foreign adversary went in there, a ransomware group operating out of Russia, and shut down Colonial Pipeline for two weeks through a cyber attack, our response is much more nebulous. And so it feels for many adversaries that it is a lower-cost way of achieving their same goals.
C
Dina, your thoughts? Yeah.
B
So David Sanger wrote a book called The Perfect Weapon, which was about cyber attacks. And the reason why it's the perfect weapon is because there's deniability: attribution is really hard. We're getting better at it. It used to take a really long time to figure out who was behind something. Now it's taking less time. But because it's a gray attack, as Brandon was saying, the way we respond as a nation, the way they say, hey, it wasn't us, you know, search me.
A
We didn't do it.
B
We weren't behind it. And there are different systems within Russia and China in the way that they do this. You know, Russia uses basically cyber criminals. He says, as long as you don't attack us or anything that used to be in the Commonwealth of Independent States, it's fine. As long as you do nothing with the Cyrillic alphabet, you can do what you want. And in China's case, what they've done is, because they're worried about instability, they've actually set up a kind of cyber hacking industrial complex. So there are all these tiny companies throughout China that the Ministry of State Security will say, hey, do us a favor, we'd like this. There's another interesting thing about China too: they used to have hackers who would go to these hackathons. You know, you compete, capture-the-flag stuff, to show how great you are as a hacker. China has actually asked them to stop going to these because China doesn't want them to find these vulnerabilities and share them with other people. They'd rather keep them. If companies in China find a vulnerability in their software, they have to report it to the Chinese government first so that they can exploit it.
C
Well, that takes us to this email we got from Stephen, who says you mentioned, and this is something you alluded to earlier, Dina, the difference between the fractured control of US systems versus the total government control of Chinese systems. The US federal government protects our physical borders without infringing on citizens. Is it even possible to comprehensively protect our digital border in the same manner? Brandon, your thoughts?
I
I mean, you know, we have such a diverse critical infrastructure base out there across the country. You could not have central control over all of it. We have tens of thousands of water utilities, of power utilities across the country, and you can't protect those in the same way. It is going to require a real whole-of-nation effort where the government has a role, where the private sector has a significant role, both the individual companies but also the companies that manufacture the technology that underpins them, as well as our state and local governments that increasingly play a bigger role in the cybersecurity of the entities within their jurisdictions.
C
But Dina, that sounds like it requires a lot of coordination. Where has that coordination typically come from?
B
It's typically come from CISA, where Brandon was, and they did a lot of that coordination. Also a lot of education. So you realize, hey, if your cursor is moving across your screen and you're not using it, there's somebody else who's taking control of your screen. Just simple stuff like that. And I think that, I don't know that anybody ever thought that the government would solve the problem, but there was some idea that maybe there could be regulation where when you put out software, it actually has to be tested in a particular way. They're starting to talk about that, about cars now, right? You send an update over the air. We just did a story about this and, you know, there's no regulation on whether that update has been tested in a particular way here in the United States. So I think that diffuseness unfortunately is working against us when it comes to trying to create a sort of bubble that will make the US safe.
C
I mean, John left this message on our app, 1A VoxPop: The next world war has already begun and it's in cyberspace. It seems to me that it's being ignored by the breadth and scope of the United States government as well as the population. Brandon, we're talking about how hackers aren't just targeting major institutions anymore. They're going after these local entities. If you're a municipal utility or if you're a small administrative organization, how do you protect yourself?
I
I think that there are two things. One is, as a country, we need to put more burden on the companies that provide the technology that creates these vulnerabilities. In the case of Volt Typhoon, every single compromise was because of a vulnerability in a very small number of edge devices like firewalls or VPNs. So those vulnerabilities are the reason why Volt Typhoon was able to achieve the scale that they were. I think the second is every small company needs to figure out how they appropriately manage risk, whether they should be the ones operating and managing their network and managing the security of their network. And oftentimes it's going to be, how do I outsource this to a place that can achieve both the economies of scale but also the sophistication of scale. I'd much rather have one-tenth of the time of a really expert threat hunter monitoring my network security than trying to have a person who's really, really good at manufacturing something also try to part-time make sure that I'm putting in place the right cybersecurity. It's just not going to work in today's modern threat environment.
A
That was part of my conversation with 1A host Jen White and Brandon Wales. Brandon is the vice president of cybersecurity strategy at SentinelOne. He's also a former executive director at CISA. You can hear the full segment at WAMU.org. Click Here is a production of Recorded Future News and PRX. I'm Dina Temple-Raston and our producers are Megan Dietrich, Sean Powers, Erica Guida, and Zach Hirsch.
B
Special thanks this week to 1A host.
A
Jen White and producer Chris Costano. Click Here is edited by Karen Duffin, fact-checked by Darren Ancrum and contains original music by Ben Levingston with additional music from Blue Dot Sessions.
B
Our staff writer is Lucas Riley, and.
A
Our illustrator is Megan Goth. Jesse Niswonger and Jake Cook are our sound designers and engineers. Tune in this Friday for Mic Drop, which features our favorite interview of the week. We'll see you then.
G
If you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up the day's most interesting and important cyber stories from our sister publication The Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to therecord.media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.
Podcast Episode Summary: Click Here – "When big cyberattacks hit small towns" (November 25, 2025)
This episode of "Click Here," hosted by Dina Temple-Raston in collaboration with NPR’s 1A and host Jen White, investigates a pressing cybersecurity trend: foreign hackers—particularly state-affiliated groups from China—targeting small-town American utilities and infrastructure. Through a detailed case study of Littleton, Massachusetts, the episode explores how local governments are increasingly vulnerable as federal cyber defenses and funding shrink, and why these small towns matter to global adversaries preparing for future geopolitical conflict.
Quote:
B: "They're not looking to cash out right away. They're trying to understand how things connect for a rainy day when they might need them." ([01:01])
Fragmented Responsibility ([02:44]):
Federal Support withering ([03:35]):
Quote:
B: "A lot of that safety net has been fraying...the so-called Department of Government Efficiency folded CISA into a smaller unit." ([03:35])
Quote:
F: "I Googled both their names...was this the spy Daniel King that was in here?...I'm thinking in my head, do these two guys just go to the store and buy suits?" ([07:12]; [14:41])
Quote:
F: "We changed IP addresses, we changed structure. We got multi-factor authentication across the board, now new firewalls." ([19:10])
Quote:
F: "Once they're in...I don't think you ever sleep the same at night thinking that, you know, did they somehow leave something somewhere you didn't find?" ([19:38])
Quote:
E (John Burns): "It's cheaper for an adversary to test their tools on a smaller target....I would probably go test it on a small utility or a small water company to test to make sure that my compromise tools work." ([22:48])
Quote:
B: "We're a bunch of little tiny networks." ([06:06])
Quote:
F: "This is a full year after we had been compromised...about half have heard about Volt Typhoon." ([26:31])
Quote:
B: "One of the big things that the Trump administration cut was the Multi-State Information Sharing and Analysis Center..." ([33:06])
Quote:
B: "Attribution is really hard...it's a gray attack." ([34:57])
"They blend in and then they might grab some files that look interesting to them. Then they get off...Every couple months, I think they're coming back in. 'Okay, yep, good. That door's still open.'"
— Nick Lawlor ([20:53])
"What we do to protect the critical infrastructure has got to be done taking into account the fact that when you make it more orderly, you make it...more attackable."
— Sue Gordon ([24:15])
"There are two types of companies in the world, one that have been infiltrated and compromised by the Chinese and one that doesn't know it yet."
— Nick Lawlor quoting James Comey ([27:22])
This episode vividly illustrates how cyber threats have shifted from distant, abstract risks to direct threats against small, familiar communities—often with little warning and sometimes inadequate defenses. The Littleton case is a microcosm of a nationwide challenge: fractured infrastructure, eroding federal support, and the ever-present, often invisible, hands of foreign adversaries laying groundwork for strategic advantage. The stories and voices here underscore the need for transparency, persistent vigilance, and smarter, systemic solutions at every level—from small-town America to Washington, D.C.