Wednesday, January 4, 2017

Targeting Cyber Whales and Catching Cyber Minnows

President Obama has been criticized for being too weak in his response to Russia’s interference in the US presidential election. But I would argue the opposite. The administration actually set a risky precedent that remains unexplored in the policy space.

What I want to point out here is that the White House miscalculated when it leveled sanctions against Russian private contractors, in addition to the GRU members responsible for the operation. Singling out Russia’s intelligence officials and state operatives for punishment of this nature is fine; it’s a limited move, and relatively ineffective, but it’s well within our rights and at least it sends a message. But private individuals should be off limits even when their technology and know-how are used in operations we do not like. If Trump’s administration plans to roll back any part of Obama’s sanctions, it should be those.

"Technical Research and Development"? "Specialized Training"?

The question no one in the policy sect seems to be asking is: Do we really want our own private contractors singled out and targeted by foreign powers? Is that a ‘norm of behavior’ that is in our best interests? How are cyber operation responses, which share a lot of similarities to criminal prosecutions, different? Nearly the entirety of the US Information Security industry has taught a class at /Training/Etc in Columbia MD at one point or another. Our current sanctions action puts them all on the plate for Russian retribution. Not to mention our Anti-Virus industry is heavily populated with technical experts directly from APT1, now working to defend our systems. Strategic disruption of our adversaries means getting closer to, not further from, their teams of hackers. In many cases these contractors may have been working for the Russian government under duress. Can we judge their motivations along with their efforts?

Cyber Security Strategy is all about the Lemmas and Dilemmas

Regrettably, the US response to Russia’s cyber operation faced serious dilemmas from the start. For instance, how do we achieve a deterrent effect on future efforts by Russia and other nations, while at the same time preventing the confrontation from escalating into an actual “cyber war” or threatening our partnerships abroad, particularly in Syria? Additionally, how do we avoid exposing our sources and methods within the highest levels of Russia’s government? We have attempted to solve these issues by relying on sanctions, which are an easy PR win - a NY Times headline series waiting to happen. But targeting sanctions or criminal prosecutions at small contractors, no matter what their involvement, is a long-term strategic mistake without appreciable benefit.

This is an issue that needs to be considered very carefully, not only in terms of how it affects current operations, but also how it could limit our capabilities in the future. For instance, this precedent will make it extremely difficult to involve America’s private security community in “active defense” missions in the future, which is a key area of reform the next President should be reviewing.

Another question worth asking is, if private contractors are now fair game, could forensics firms such as CrowdStrike or Mandiant or other AV firms also be targeted for making “false allegations” about a specific country’s involvement? Also, is it possible the research community could be targeted for vulnerability discoveries which are later used by state-sponsored or criminal groups to carry out attacks?

These questions may seem far-fetched now, but we can’t underestimate the potential for an adversarial nation like Russia to use whatever means are available to make its point or redress grievances. Using US policy and precedent against us is a likely action by Russia. There's a reason you use nation-state policy efforts against nation-states instead of criminal law - otherwise you make all former TAO members responsible for TAO's mission, which is not well loved outside of the US.

The small companies and individuals running those companies may well be deeply involved with the DNC hack and related operations, but deterrence efforts around sanctions may require that we are able to make a public and convincing case regarding their guilt. Without that ability, they can easily deny their involvement, and our efforts look misguided at best. Of course, targeting individuals has the other side effect of pissing them off personally, and small groups of individuals with grudges and high levels of capability are very hard to deter by a nation state.

The Obama administration should be credited for its strong focus on cybersecurity issues during the last eight years. However, it has relied too heavily on the threat of broad-based sanctions for deterrence. This strategy worked well with China, but Russia is a different story and the Obama administration knows it - hence, the current sanctions are mostly about PR, not achieving a real strategic win. Going forward, the US needs to develop stronger and more diverse capabilities for response which will allow us to create real deterrence among all of our enemies, without resorting to counterproductive policies that are more PR than substance.

More Resources:

  • Jake talks a lot about this as well.
  • Alisa's postings in the community are well known, but here are some: Slideshare, Phrack
  • From an effectiveness and image perspective, releasing “indicators of compromise” is a fairly amateur thing to do. While it works for Crowdstrike and Mandiant and other commercial entities, the USG has better things it could do. In particular, these signatures were of rather low quality (See Robert Lee’s report as well), which makes us look bad, not scary, the opposite of what we are trying to do.
  • Sanctions from a historical standpoint
