What to do about the cyber?

If you’re at all interested in all things cyber security, then you will know this has been an interesting summer. Most notably, I think, have been the allegations (reasonably substantiated in my opinion) of Russian state backed hacking of, and subsequent leaking of material from, a number of high profile organisations. Most significantly we’ve had leaks from the Democratic National Committee, the Democratic Congressional Campaign Committee, WADA and individuals like Colin Powell and George Soros. There is some excellent technical analysis here by ThreatConnect, and nice clear narrative by Thomas Rid here (though both predate the WADA hack). Not wanting to be left out of the fun, the Times in the UK reported breathlessly on how GCHQ had thwarted Russian attempts to disrupt UK elections (paywalled, though you can read most of the article and some relevant comments here).

Now, I’m not going to rehash the analysis done elsewhere. In summary this appears to be a series of Russian state backed compromises, with subsequent releases of stolen data through a variety of channels (including the websites Guccifer2.0 and Fancy Bear which were apparently sent up just to leak this information, and Wikileaks, which clearly wasn’t but seems to be onboard with the agenda) designed to negatively impact the victims of the attacks, most significantly of course a presidential candidate. This has lead to lots of articles like this, in the Washington Post, about a new ‘cyber cold war’. I tweeted some thoughts on this and, unusually for my tweets, got a lot of responses (Ok, some responses. Hey, you’re reading this so why not follow me on Twitter?), and it’s to that topic that I want to return today.

Are we in a ‘cyber cold war’?

The Cold War was essentially a stand off between two systems of government, both armed with world destroying weapons. Whilst one of those systems of governments might more or less have gone away, authoritarianism certainly hasn’t, and neither have the nukes. We still have many of the elements of the Cold War in play, including alarming proxy conflicts such as Syria. Be honest – when Turkey, a NATO member, shot down a Russian plane did you worry about Russian hacking?

In short, no amount of hacking is equivalent to nuclear weapons, and even despite hacking and cyber getting the headlines, it remains actual weapons we worry about. The Iran deal was about nukes, and North Korea is not threatening the existence of its neighbours with its great new hacking delivery systems. Neither is there any kind of Cold War-esque stand off. We know courtesy of Snowden that the NSA & Co hack to support intelligence requirements, and we also know the USA and the UK and others are spending lots of money on the vaguely named ‘offensive cyber’. In other words, everyone does lots of hacking.

But isn’t it easy to go from spying to disruption?

I’m not that convinced – I’ve written before about the likelihood of attacks on the financial sector, and on the Ukraine power cuts. The Russian hacking that has got the headlines recently is not terribly ‘sophisticated‘. It’s been pretty much run of the mill cyber espionage consisting of phishing campaigns against organisations with relatively poor security practises. I’m not saying the groups who did this aren’t capable – they are, at precisely this sort of thing. Covertly compromising organisations and stealing information. That’s what spies do. But this is not the same as disruptive hacking.

All of the organisations targeted are legitimate espionage targets (even WADA if you run your own state sponsored doping programme, and are convinced they are a CIA front) targeted in a fairly normal way. What is different is what has been done with the stolen information. And here I think is where we get to the thorny issue; the leaking and the hacking are two different issues.

So what’s to be done?

Cyber attack is a phrase that can guarantee headlines at the moment, so the idea that Russia is launching all these ‘cyber attacks’ agains the US and other targets is a compelling narrative. However, this is not new activity. Consider this quote by the then Director General of the UKs Security Service (MI5) in the 2008 Intelligence Services Committee report:

“Since the end of the Cold War we have seen no decrease in the numbers of undeclared Russian intelligence officers in the UK… conducting covert activity in against unreconstructed attempts by Russia… and others, to spy on us… It is a matter of some disappointment to me that I still have to devote significant amounts of equipment, money and staff to countering this threat.”

And an extract from the 2009 report:

(Electronic attack is what we called cyber in the old days).

Spying in various forms has been going on for years, and hacking is not an especially new tool in the spies arsenal. The big change over this summer is what has been done with the information – it has been leaked, deliberately to cause further harm.

Responding to effort to destabilise elections in favour of one candidate or another, or for other political purposes, is a different foreign policy problem than what to do about all the hacking. There are touch points for sure, but let’s not pretend Russia couldn’t have got this information by other means if necessary. When phone calls between US diplomats about the EU response to the Ukraine crises were leaked we didn’t see newspaper articles about SIGINT-ers having gone too far. In other words we separated the means of collection from the subsequent actions.

And this is where I accept there is an asymmetry. Messing with open, liberal democracies using their own institutions and media is easy for authoritarian states. There is no equivalent response for the West in this case. Likewise, all the reporting about cyber attacks builds towards a demand for a foreign policy response, tying up resource and forcing an action that might not be appropriate. Again, with internal media pressure absent this kind of action won’t work against authoritarian states. Russia has shown it is very adept at this kind of ‘information warfare’ in other areas too, with Sputnik and RT pushing a pro-Kremlin line, and an army of Twitter trolls. This is a much bigger problem than some hacking, and I don’t know what the answer is.

Finishing back on cyber

Ensuring good cyber security is a challenge. The director of the new UK National Cyber Security Centre made a speech recently in which he talked about some innovative new ways that his organisation and UK ISPs might work together to block a variety of hacking activity. This is promising stuff, though the devil of course is in the detail. Personally I think we could do more at lower levels in government and law enforcement to complain about the state sponsored attacks emanating from other countries. More CERT to CERT, and police force to police force, engagement, complaining when attacks are detected. Of course, other countries can do the same back, but even authoritarian governments are not uniform machines – it will be someone’s job to respond to reports of cyber incidents, and someone else’s job to build external relationships and so forth. By complaining, and putting some grit in the cogs of the larger machine, it would show that hacking is not consequence free magic, and might achieve a level of deterrence.

And of course there is getting everyone out there to take security more seriously. The bar is still set far too low for security, and it is too easy to compromise organisations that should be tougher targets. We (security people) have been saying this for a long time now, and so perhaps we need to re-think our message – I don’t propose to answer that question here!

As always, if you have questions please get in touch! Find us on twitter, or use the contact form.

Thanks for reading

Rob