CNN.com - Transcripts

Transcript Providers

Return to Transcripts main page

At This Hour

Sony Hackers Contact Again With More Demands; Sands Casinos Hacked Last Year; The Vulnerability of a Cyber World

Aired December 19, 2014 - 11:00 ET

THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS FINAL FORM AND MAY BE UPDATED.

JOHN BERMAN, CNN CO-ANCHOR: Hello, everyone, I'm John Berman.

MICHAELA PEREIRA, CNN CO-ANCHOR: And I'm Michaela Pereira.

BERMAN: We are going to begin with breaking news and stunning new developments in the cyber attack against Sony. This is a CNN exclusive. We have just learned that the hackers, or cyber terrorists if you want to call them that, they contacted the corporate giant overnight and, as part of this contact, they issued a new threat along with, strangely, a thank you.

PEREIRA: Yes, strangely indeed. Our senior media correspondent Brian Stelter is here, he's got that exclusive information. What did they say, Brian?

BRIAN STELTER, CNN HOST, "RELIABLE SOURCES": It's -- you know, I'm sort of bothered by it because it's a victory lap but these guys. It's exactly what people in Hollywood like George Clooney are warning should not be happening, that these hackers should not be able to win.

But what they are saying is if this film is kept offline, kept out of theaters, they will stop attacking Sony. They will stop leaking new information that they've found from the company's servers. I think we can put it up on screen and actually read it. You'll see it's in the same kind of broken English that we've seen in the prior messages from.

It says "I am the boss of GOP." GOP is Guardians of Peace. That's the group that they've been calling themselves. "It's very wise that you have made a decision to cancel the release of the interview. It will be very useful for you."

Then it goes on to say, "We believe you will never be engaged in something dangerous like that. Now we want you never let the movie released, distributed or leaked in any form of, for instance, DVD or piracy." So they're saying don't release it anyway.

"And we want everything related to the movie, including its trailers as well as its full version down from any website hosting them immediately. We still have your private and sensitive data. We ensure the security of your data unless you make additional trouble."

We can read between the lines of that. I think we know what they're saying there. They're saying we're going to hold onto all these secrets, and we're not going to share them unless you put this on DVD, unless you put it on Netflix, unless you put it on VOD.

I sort of interpret this as they got what they wanted initially, and now they're going a step further and saying you better wipe this movie away and even take down the trailers.

BERMAN: And, Brian, you broke this. This is an exclusive to CNN, this e-mail Sony received overnight.

Do they believe, do they tell you that they think this is the real deal?

STELTER: They do, and I'll tell you the reasons why, because we wanted to be careful with this before going on air with this to make sure that it is legitimate and why Sony believes it's legitimate.

It came in at 7:46 local time to Sony executives last night, and it was sent to some of the folks we've been talking about all week, Amy Pascal and Michael Linton, the folks that head the studio, as well as some of the other top executives -- some of the names I recognize; some of them I don't -- all of them to their Sony e-mail addresses.

And it's in the same format and same tone of the prior messages, so that's why Sony believes it is legitimate. And that's why they are taking it seriously.

They are also, by the way, not publicly commenting. They made a decision they're not going to say anything about this. They're going refrain from saying anything at this time.

But I think what we might see today is comment from other studios or comment from the Motion Pictures Association of America, which represents the entire industry. Because so far there's been a lot of quiet, a lot of silence from other Hollywood studios, and I don't think that's going to last much longer.

PEREIRA: I want to pick up on that point that you were just making, because you just referenced George Clooney.

For those that aren't aware, George Clooney essentially wrote this open letter, if you will, and tried to get a bunch of people a petition. He tried to get people to support Sony. He didn't get any takers, so he's hearing the crickets as well.

STELTER: Yeah, this was in between the time on Tuesday when that threat came out that invoked 9/11, that warned people not to go to movie theaters where "The Interview" was playing, and then on Wednesday when Sony decided to cancel.

He tried to get other studios, other big-name actors to go ahead and sign on this petition and say, "We stand with Sony. We are not going to allow these threats to affect our decisions and our freedom of expression in the U.S."

He says there were no takers.

BERMAN: Why? Why are people so scared? Look, Sony caved to these cyber terrorists, and George Clooney couldn't get another big-name actor at least to sign the petition or these other studios to sign the petition?

STELTER: Right.

BERMAN: What are they worried about?

STELTER: I think I'm going to put the hat now of a rival Sony -- rival studio executive. I think one of the thoughts is, we don't want to be targeted. We don't want to make ourselves vulnerable and have the hackers come after us next.

Then there's also maybe just a little by bit of competitiveness in this. After all, a lot of movies come out next week, next Christmas. A lot of other studios have big films coming out, and they were concerned if "The Interview" stayed in theaters, then folks wouldn't go and see any movies over Christmas. They might be too concerned to go to the theater at all. So there's privately a little bit of relief inside other studios that "The Interview" won't be coming out.

PEREIRA: The thought is that Sony said we wanted to release this. It was the theater companies that pressured us and said no, it's too much. Our lawyers won't stand for it. We're worried about if something were to happen, we'll be held liable.

STELTER: Yeah, there's two points of view on this. The Sony point of view is they had no choice. They say they had no choice once all the theater owners backed out.

The theater owner point of view here is Sony sort of told us it was OK to back out. They gave us the go-ahead, so we went ahead and took it.

So there's sort of a war of words, actually, behind the scenes now. Frankly, there're e-mails I would like to see, but we're not going to see because hopefully there won't be more lacking between these different sides of the industry.

Despite that, I think we will see some sense of unity because there's a growing message from George Clooney and many others that Hollywood needs to stand up from freedom of expression.

I think we'll probably hear the same thing from the president later today at his press conference.

BERMAN: We'll see. So far it's George Clooney alone and none of the other studios, but we'll see.

All right, Brian.

Obviously, there are other major implications here. Sony capitulated. What will the United States do about it? What evidence do they have about where exactly these threats are coming from and what North Korea's role is?

Our Evan Perez has been breaking news left and right on this front. He joins us right now. And, Evan, what's the latest? EVAN PEREZ, CNN JUSTICE REPORTER: Well, John, the plot, if this was a

movie, what Brian just described, we would find this hard to believe because you have Sony caving, you have -- this hack has created something of a problem for the Obama administration, a national security problem, on something that they really didn't have any control over.

They have no control over the Sony computer system, and we learned from sources that these hackers were able to steal credentials of a system administrator to get into the system.

Now, this is a very common thing because those guys have the keys to the kingdom. As a matter of fact, someone told me yesterday that with -- by getting the system administrator's credentials they were able to roam around Sony's computer system for months before anyone noticed anything, before anyone could -- before they even stole anything or touched anything. They just tried to basically get the lay of the land before they even let their presence be known.

PEREIRA: Unbelievable. That is such an interesting -- I want to turn to investigative correspondent Chris Frates. He's also joining us.

One of the things that we've known, and we've even seen it here because we've been reporting on it. There's been a stark rise in the number of cyber attacks against government systems. That's skyrocketing and in addition to some of these corporate breaches that we're seeing in the public sector.

CHRIS FRATES, CNN INVESTIGATIONS: That's exactly right, Michaela. I looked at cyber attacks against federal agencies and found that that number is just skyrocketing.

There were 34,000 cyber incidents involving government agencies back in 2010. By last year that number had jumped 35 percent to 46,000.

And I'm told by experts that cyber spying is happening just at a clip we've never seen before. Hackers are trying to get inside the government 24/7, guys.

BERMAN: And, Evan, I want to bring you back in here and Brian also. What you guys aren't seeing is that Brian and Evan are both here on our set with their phones, trying to break more news on this. They've been breaking news on dueling fronts here for the last 24 hours.

Evan, Brian just broke that Sony says they got a new e-mail overnight from this cyber terrorist groups, these hackers. What is the government role now? The NSA is watching this, tracing it back.

Do they -- have they responded yet to Brian's reporting, and what do you expect they will do with this information?

PEREZ: I've reached out to the folks in law enforcement who are doing this investigation, and they haven't gotten back to me. I'm checking my phone because any minute now, frankly, we're expecting a statement from the FBI that will lay out the attribution of this hack. This is the official statement that the government is going to issue saying that they believe this hack was carried out on orders of North Korea, and so that's what we expect to come from them.

Like you said, the NSA, the FBI have been working around the clock on the. The Justice Department's national security division is on this. The NSA has a very good visibility on Internet traffic that comes out of North Korea.

And so the way this hack was done, the hackers tried to mask the servers that they were using. They tried to use servers in Asia, in China, in European countries, in Latin America even, but there was some fingerprints that they left behind that the FBI and the NSA were able to find and track right back to North Korea.

PEREIRA: A bread crumb trail essentially.

PEREZ: Right. Right. They left bread crumbs. Exactly.

And one of the interesting things about this also is that they were able to find instances or signals that showed -- that matched other hacks that had been attributed to North Korea.

There were some hacks that were done against some South Korean companies in the last few months, and that's one reason why they have this certainty that north Korea was the one that carried this out.

PEREIRA: Sony Studios' parent company, Sony, based in Japan, anything from Japan? Any word? Any response? Any --

PEREZ: We haven't heard any. That's actually part of the geopolitical part of this is North Korea and Japan don't get along.

PEREIRA: They've been having their issues. Yeah.

PEREZ: Right. Exactly. And the Japanese have some very -- some sensitivities about -- they have some of their citizens that were kidnapped by North Korea some time ago, so there's a lot of things going on behind the scenes/

The White House wants to make clear that they believe this is a North Korean hack?

BERMAN: Yeah. My understanding is Japan never planned to show the movie to begin with. That this was so controversial there, they had no plans to show it at all.

PEREZ: Most Asian markets, that's right. Now Sony pictures has a decision to make. Because these hackers are saying we want even the trailers to be deleted off the Internet, we'll see what Sony does.

BERMAN: Brian Stelter, Evan Perez, Chris Frates, thank you all so much for being with us.

PEREIRA: Ahead here, North Korea hacking into Sony, shocking Washington, pardon me, but it has happened before, hasn't it? Did Iran bust into a Vegas casino? We've got details ahead.

BERMAN: Then he bought a trip around the world with his girlfriend but then they broke up. So what do you do about that? You go find someone with the same name as your ex-girlfriend.

We'll talk with this man who had this ingenious idea ahead.

PEREIRA: That would be hard if your name was Michaela Pereira.

(COMMERCIAL BREAK)

BERMAN: Major questions this morning about how hackers, or you could call them cyber terrorists, cracked into a company on U.S. soil.

Now, as we all know, Sony caved to their demands, but this is not the first company that has been targeted.

Less than a year ago another major American company was hacked, and our Brian Todd has that story.

(BEGIN VIDEOTAPE)

BRIAN TODD, CNN CORRESPONDENT: A cascading attack, servers shut down, screens go blank, a rush to unplug computers.

This wasn't the hack on Sony. This attack hit the world's largest casino operation, including the Venetian Hotel in Las Vegas, ten months ago. And this also may have been the work of a rogue nation.

CNN has learned on February 10th of this year thousands of employees at Sands Casinos in Las Vegas and Bethlehem, Pennsylvania, had their computers hit. One former employee says, quote, "Hundreds of people were calling IT."

Iran is suspected to be behind the attack according to reports in "Bloomberg Businessweek" and "Slate." Sands won't comment

One expert believes Iran has the capability to do this.

JASON HEALEY, CYBERSECURITY EXPERT, THE ATLANTIC COUNCIL: What the Iranians and now apparently the North Koreans are doing are taking these tactics that anonymous has used and these other non-state groups and really bringing this now nation state level to the attacks.

TODD: The FBI tells CNN the investigation is ongoing. A SANS official says gambling operations weren't affected. But the company was rattled. A former SANS employee says customers couldn't book rooms online for a couple of weeks. If Iran is the perpetrator, why would they launch a cyber attack on the casinos? Just months before the hack, Sheldon Adelson, the billionaire CEO of SANS suggested hitting Iran with a nuclear missile in an uninhabited desert to force the country to abandon its nuclear program.

SHELDON ADELSON, CEO, SANS: You want to be wiped out? Go ahead, take a tough position and continue with your nuclear development. TODD: Iranian officials did not respond to CNN's repeated requests for

comments. As chilling as these alleged attacks by Iran and North Korea are, did the U.S. and Israel start the trend with the Stuxnet attack that crippled Iran's nuclear centrifuges? One expert says Stuxnet was different.

HEALEY: This was traditional national security taking down, inline with U.N. Security Council sanctions, some of -- one of the worst regimes on the planet trying to develop some of the world's worst weapons .

TODD: But the SANS and Sony hacks, experts say, could embolden those regimes to take it one very dangerous step further.

FRANK CILLUFFO, SDI CYBER RISK PRACTICE: Other sectors, such as our finance and banking community and our critical infrastructure sectors like power plants and the like that provide life and safety functions for our economy and for our country could be the potential next target.

(END VIDEO CLIP)

PEREIRA: Brian Todd joins us now from Washington. Good to have you with us, Brian. I guess one of the concerns is for officials, and maybe even for citizens, is what about other critical systems? Banking, power grids, et cetera. Are they concerned about those being targeted?

TODD: Michaela, U.S. officials have been saying for several months now repeatedly that they are increasingly concerned that U.S. antagonists -- hackers in places like China, North Korea, Iran, elsewhere -- are exhibiting the capability to hack into the U.S. infrastructure, to hit the power grid, the water supply, other infrastructure. It's a growing concern.

U.S. officials have spoken out repeatedly on this. They think that the hacking capability to do this is getting better and better as we go along, and it is a real worry. Now, there is a deterrent. A lot of these countries realize that if Americans start getting actually physically hurt or even killed by a disruption to the power supply or the water supply, then there will be retribution, so that may be what's keeping them from doing it. But there is that capability.

BERMAN: Now of course, Brian, the United States and Israel reportedly hacked into Iran's nuclear program several years ago quite successfully. The question now is what kind of cyber capabilities does Iran have? Is it at the same level as North Korea apparently has right now?

TODD: Well John, we're told it's very similar. If it's not at the same level, it's very close. And it may even be a little bit better. We're told that Iran has been developing its cyber attack capability ever since that Stuxnet virus hit them in 2010. And that, similar to North Korea, experts are telling us that they've got a team of hackers assigned to the government that's working for the government, but also that there's a likelihood that the Revolutionary Guard in Iran also kind of outsources, hires freelancers, to do some of its hacking work, not just to launch attacks, but also to help them cover their tracks once an attack is launched.

BERMAN: Brian Todd for us in Washington. Thank you so much. So if this attack on Sony was launched by North Korea and if North Korea, as Brian Stelter is reporting, continues to issue threats to Sony, how will the United States government respond? What are the options on the table? That's next.

(COMMERCIAL BREAK)

(BEGIN VIDEO CLIP)

MICHAEL HAYDEN, FORMER CIA DIRECTOR: This cyber thing is pretty important. I think it's here to stay and we kind of messed it up.

BARACK OBAMA, PRESIDENT OF THE UNITED STATES: Cyberspace is real. So are the risks that come with it. It's the great irony of our information age.

SEN. HARRY REID (D), MAJORITY LEADER: Cybersecurity one of the most important -- it's the most important issues, I've already said.

SEN. JOE LIEBERMAN (R ), HOMELAND SECURITY CHAIR: The most serious threat to America's security that we're not adequately defended against cyberattack.

JAY CARNEY, WHITE HOUSE PRESS SECRETARY: The United States has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber intrusions.

(END VIDEO CLIP)

PEREIRA: U.S. leaders and officials there sounding off on the vulnerability of this cyber world we live in. We also are following this breaking news that Sony executives last night were reached out to by the hackers that had actually held them hostage, if you will, saying in part that they appreciated and were thankful that they had followed their directions, but wait, that there would be more if they didn't destroy the trailers, if they didn't prevent the movie from being shown or leaked online. So while it was interesting to hear from, it's also very chilling to hear.

BERMAN: It's a new threat.

PEREIRA: It's absolutely a new threat.

BERMAN: It's a new threat saying don't you dare release this on DVD or the Internet or anywhere else. We're going to leak more, more damaging information.

We're joined now by Richard Marshall, who is with the cybersecurity division of the Homeland Security Department. He's on their advisory board of Certain Safe, which is a cloud security system developer.

Richard, you know, it's interesting, we played this sound montage leading into this segment with people who have largely left the jobs that they had when they made those statements. Which is a way to say, those are old statements with people over the last five, ten years saying how important cyber security is, yet we have this massive breach on Sony. So was this preventable?

RICHARD MARSHALL, FORMER DEPT. OF HOMELAND SECURITY CYBERSECURITY OFFICIAL: A couple points to be made. No. 1, I am no longer with the federal government, I retired three years ago, otherwise I couldn't be in this situation where I'm on ten different advisory boards as a cyber advisor. So I wanted to set that correct. Back in 1997, there was an exercise called eligible receiver. That was in 1997. That demonstrated the capability of a country like Iran and like Korea to attack our critical infrastructures. We learned a lot of lessons from that, but yet, as we have seen with the various cyber attacks that have taken place earlier this year and, once again with Sony, it's another wakeup call.

And what we do with a wakeup call is just reset the alarm button and snooze a little bit more. There are proactive measures that can be taken, and let me make it in a very simple explanation. You have a house, you protect it physically, you are anticipating that no one will get in your house. But on the likelihood that someone will break into your house and steal your jewels, you put the jewels either in a safety deposit box at a bank or in a safe in your home. And that's what we should do with our digital data. That is critical information that needs to be protected and there is technology available today that breaks down the information into bits, encrypts it, micro- encrypts it, and puts it in various safety deposit boxes, so to speak, various servers in the cloud. So it minimizes the opportunity, and almost neutralizes the opportunity, for an adversary to get in at your valuable data. Things like -- it will protect privacy, protect all of your intellectual property, would protect movies. So there are a number of things that could be done.

PEREIRA: So the question then, Richard, is if you've been talking about it, we've had other people on air who have talked about the fact that this threat has existed since the mid-'90s, why haven't we taken the steps? Why haven't companies and businesses taken the steps to do that, if you say this micro-encryption exists and we have the technology?

MARSHALL: Well, it 's relatively simple. And it's not just the United States that has this difficulty. I've spoken in China, spoken in Thailand, Switzerland, Germany, England, they all face the same issue and the issue, basically, is economics. You use the word security, they think of guns, gates, and guards, and it's like owning a yacht, you just sink money in it and you get nothing in return. Management needs to focus on protecting their digital assets, not view it as security, but protecting their digital assets and be willing to spend the money to do that. I bet you money Sony would pay a lot of money to reverse this situation today, but when you go to boards, and I'm on 10 different boards and I speak a lot at senior management circles, the focus seems to be economics. It's cheaper to absorb the loss economically than it is to pay to protect the system. And as long as you have that economic dynamic, you're going to have this issue.

BERMAN: Richard Marshall, thanks so much for being with us. Appreciate your expertise on this matter. Thanks for coming in.

PEREIRA: Interesting what you said is economics --

MARSHALL: Thank you for letting me have the opportunity.

PEREIRA: -- arguably, they're going to lose a whole lot of money, Sony studios is, with this film not airing and not making ticket price - making money from the box office and theaters.

BERMAN: Ahead for us @THISHOUR, the lame duck is on the loose. President Obama flexing political muscles with huge power plays. Significant action. All this after his political party lost a big election. So is there more on the way? We'll answer it next.

(COMMERCIAL BREAK)