It was retired Marine Corps General James Cartwright who provided New York Times reporter David Sanger with information confirming the U.S. role in the development and deployment of the malware that targeted Iranian nuclear research facilities. Cartwright was authorized by President Obama’s administration to speak to the newspaper, but in doing so he divulged classified information. Later, when questioned by the FBI, he denied that fact. He was subsequently convicted for lying to federal investigators and was pardoned by President Obama before being sentenced.
For reasons yet to be disclosed, the former administration sanctioned the disclosure of U.S. actions in nation-state cyberwarfare activity. In doing so, the genie was let out of the bottle, and cyberattacks — including those with potential lethal effect — are currently being developed and will, undoubtedly, be deployed by nation states large and small, friendly and belligerent, targeting information and the critical infrastructure of the U.S. The entire world is currently engaged in a very heated cyberwarfare arms race, stockpiling information and data about everything and everyone in the world.
Those nations most vulnerable to cyberattack are not nations such as North Korea or Sudan, nor are they stateless nations. The most vulnerable are those nations with well-developed technological infrastructures that make their economies and societies dependent upon an uninterruptible Internet of things.
Clearly, the world must somehow find a way to apply restraints. Most people might agree that a nation state caught planting a remote administration tool (RAT) into a hospital infusion pump to commit an assassination should be charged with committing a war crime. But nation states are planting RATs into programmable logic controllers (PLCs) now. And a hospital infusion pump is nothing more than a PLC.
InfraGard members can and do advocate for the creation and adoption of globally recognized restraints on the use of cyber technology for warfighting and geopolitical purposes. It is an important undertaking. But for those who find themselves unwittingly engaged upon this new cyber battlefield, pitted no longer against some Jolt-chugging loser looking to phish ransomware into your server but against all the king’s horses and all the king’s men, the question is: what do you do?
“It’s hard to tell exactly what (various nation states) are targeting,” says Kevin Mandia, CEO of FireEye, a global cybersecurity firm based in Milpitas, Calif. “Right now, it seems that China is narrowing the focus of its cyberattacks and Russia is increasing the scope of theirs.”
Most cybersecurity analysts agree that elected officials, journalists and members of think tanks will remain target priorities for nation-state cyberespionage activity. But publicizing embarrassing and compromising information obtained in hacked emails, as in the case of Russia’s cyberattack of the Democratic National Committee, is a game changer, the outcome of which is still not fully known.
“All intrusions are for a reason,” Mandia said. Typically, hackers are looking for information, money or means of blackmail. But analysts have yet to fully understand what was behind Russia’s recent play targeting the DNC. On March 20th of this year, FBI Director James Comey stated that Putin hated Secretary Clinton and “he had a clear preference for the person running against the person he hated so much.” But other analysts suggest that the U.S. was perceived by Russia to be actively interfering in the internal affairs of Russia, and the attack on the DNC server was tit-for-tat. Finally, there is the fact that the same Russian hackers who penetrated the DNC server also tried, but failed, to penetrate the servers of the RNC. That fact tends to confound the idea that the attack was solely targeting Hillary Clinton at all.
While the decision to release the information to the public may well have been a case of hate between world leaders or a deliberate attempt to influence a national election, the actual intrusion into the DNC server may have been nothing more than a typical hack, mining for whatever information might have been of value.
Like conventional weapons, data has a shelf life. In most instances, the reams of data obtained in a successful hack put government hackers in a use-it-or-lose-it position. In the case of cyberespionage, if the value of personal stolen data doesn’t lead to the golden opportunities of blackmail or extortion, then releasing the data to the public to harm a reputation, embarrass government leaders, or foment a change in leadership might not seem too bad a consolation.
Knowing what is on a server and then hacking into that server to obtain that specific information may make for a nice plot in a book or movie, but it has little to do with real life. Hackers don’t know what is on the servers they attack. To them, each server is like a treasure chest they found and managed to open. Some may contain riches, some much less. The whole idea behind cybersecurity is not about protecting information; it’s about keeping bad people from ever opening the box.
“The Red Line has not yet been defined,” Mandia said. Right now the first line of defense that businesses have to combat any hacking — including that from nation states — is to seek an indictment. “Russia could not ignore an indictment being brought against them,” he said.
Just one week after Mandia made the above statement, federal authorities announced indictments against two former Russian F.S.B. agents who allegedly abetted a hack on Yahoo in 2014. While no extradition treaty exists between Russia and the U.S. forcing their turnover to U.S. authorities, their world has become significantly smaller.
The use of indictments, while offering some protection to U.S. firms confronting nation-state hacking, must also be recognized as a weapon currently available only within the exclusive arsenals of advanced nations. It takes advanced technology to trace hackers back from the scene of the crime to fingerprints on a keyboard thousands of miles away. But other nations are catching on fast, and soon enough, their technologies will match America’s when it comes to tracing intrusion attempts. This makes the most recent “Vault 7” disclosure by WikiLeaks disconcerting.
Released in early March, the largest CIA document dump made to date by the rogue website includes information suggesting that the agency’s Remote Devices Branch undertook a project named “UMBRAGE” that collected and catalogued cyberattack techniques stolen from malware produced by actors in foreign nations. This stolen information, which allegedly covers keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus and personal security product avoidance, and survey techniques, allows the agency to identify unique characteristics in each form of malware and thus to identify its creator.
While such ability could clearly be helpful in investigating international cybercrimes, it also could permit the CIA to mimic, in minute detail, the cyber fingerprints of foreign hackers, theoretically permitting the agency to carry out false-flag attacks.
The disclosure of UMBRAGE may introduce reasonable doubt into accusations and indictments that rely exclusively upon forensic cyber tracing evidence. If that proves to be the case, the only major weapon currently relied upon to punish foreign hackers and to deter state-sponsored cybercrime could be rendered useless, leaving all of us to fend for ourselves in a lawless world filled with cyber dangers.
Guarding against the insidiousness of cyberattack, whether state-sponsored or otherwise, is one of the principal motivations for the existence of InfraGard. We encourage you, if you’re not already a member of the organization, to visit www.InfraGard.org, reach out to your local InfraGard Chapter and begin the application process.