Cyber criminals catch up with nation-state hackers; plus, why corporates don’t take cyber security seriously enough


 

 

15 May 2019 (Berlin, Germany) – This past weekend I made my third trip to Ukraine, courtesy of a long-time cyber security vendor. It is part of my background research on a long piece I am writing on Russia’s “information warfare” campaigns and it affords me the opportunity to meet and speak with experts on the front lines of those campaigns. Because whatever you might think of Russia’s recent antics on the world stage, you have to concede: they have brilliantly exploited information-age tools to confuse audiences about what is truth, what isn’t, and to set their own narrative. The returns have been massive, and out of all proportion to the modest investment required. If you look at all the latest examples in real-time … the Skripal poisonings, the Kremlin propaganda & that of its allies, and even Robert Mercer and the alt-right (far, far bigger threats to America than Russia) … what you see is the dumping out of a hundred narratives, hoping that each one takes 0.5% of the attention away from the truth. As Garry Kasparov said so eloquently in his book Winter Is Coming, which details Putin’s mindset and the work of the Russian intelligence services:

Propaganda today is not a wall, not a dike holding back information from reaching the people. It is a flood, overwhelming our critical thinking. It is not to promote a narrative or agenda but to create doubt and to make people believe that the truth is unknowable.

The Kremlin goal … which the President of the United States embraces daily … is to exhaust our critical thinking, to hide the truth by seeding a thousand falsehoods around it.

And recent activity offers fresh evidence that despite indictments, expulsions and recriminations, Russia remains undeterred in its campaign to widen political divisions and weaken Western institutions. Despite online policing efforts by American technology companies (often half-hearted), it remains clear that Western technology makes it far easier to spread false information than to stop it. More disturbing, while Russia remains a driving force, cyber analysts have discovered numerous copycats, particularly on the far right, that often echo Kremlin talking points, making it difficult to discern the lines between Russian propaganda, far-right disinformation and genuine political debate. Fringe political commentary sites in Italy, for instance, bear the same electronic signatures as pro-Kremlin websites, while a pair of German political groups share servers used by the Russian hackers who attacked the Democratic National Committee.

And before you say it, agreed: you can take the Russian campaign to “widen political division” seriously only if you think political divisions weren’t widening before Russia allegedly began its social media campaign in 2013. In some cases I think the efforts by Russia’s Internet Research Agency to disseminate misinformation in the U.S. pale in comparison to the political divisions inflamed by Fox News. And, quite frankly, it will be impossible to fight this sort of cyber subversion in the U.S. as long as the President and his assorted sycophants, and the Republican Party, deny that it exists and back him 100%.

I’ll have a more detailed post in the weeks to come on the Russian bear. For this post, just a few short bullet points for the corporate world on another area in which I was updated over the weekend: how cyber tools have become more ubiquitous:

• Cyber criminals are catching up to nation-states’ hacking capabilities, and it’s making attribution more difficult. They’re not five years behind nation-states anymore, because the tools have become more ubiquitous.

• One of the things cyber analysts are seeing is that more cyber criminals are getting “corporate”: on the business-model side they are starting to adopt structures like franchises and affiliate groups, where one cybercriminal develops the technology and makes it available to other cybercriminals. Franchising the malware means that the affiliates can concentrate on improving in other areas.

• The cybercrime affiliates, in turn, focus on the intrusion: assembling phishing lists, for instance, or finding other ways to break into networks … and then actually launching the ransomware or other malware. They do not need to build effective tools from scratch; they get those through the franchise, and can put all of their investment into executing the attack.

• That also means any improvement in cybercrime technology makes attribution harder, because the tools look more and more like those of nation-states. And given that Russia outsources a lot of its cyber attack work to criminal cyber gangs, from an attribution standpoint it is very difficult to determine whether an actor is working at the behest of a foreign government or carrying out criminal activity on its own time.

• And the issues multiply. Criminals still behave differently in certain cases. A nation-state is likely trying to achieve one very specific goal and will use whatever mechanism is required in order to do that, so in some ways the operation often requires less sophistication. On the flip side, cyber criminals can come up with very sophisticated capabilities, because in most cases they have the luxury of a virtually unlimited victim pool and the luxury of time.

• Worse, easy access to data and technologies via open-source is leveling the intelligence playing field at the expense of the U.S. intelligence community. Non-state actors can now collect intelligence worldwide at little cost: anyone with an Internet connection can see images on Google Maps, track events on Twitter, mine the Web with facial recognition software, and pull all manner of personally identifying information off the Dark Web.

• Moreover, commercial satellites now offer low-cost eyes in the sky for anyone who wants them. Inexpensive satellites roughly the size of a shoebox offer imagery and analysis to paying customers worldwide. Although no match for U.S. government capabilities, these satellites are getting better day by day.

• All of this means cyber criminals are combining “social listening” with analysis of physical infrastructure to plan attacks. It also explains why more than one in 10 data breaches now involve “physical actions”: leveraging physical access or physical devices to aid an attack, and breaking into hardware and physical infrastructure.

There is a shrinking gap between physical and cyber infrastructures. And that means businesses should be combining both cyber- and physical security efforts. When your door lock, when your burglar alarm, when your fire suppression system is computerized, networked and on the internet, you have no choice but to integrate them. Integration is happening because computers are moving into a space that was only physical. And that opens up all sorts of hacking opportunities.

But many cyber security professionals say it’s a bit hopeless, because they are still struggling to get companies to install simple cyber security defenses. I will close with a few words from the vendor who invited me to Ukraine on the “why corporates don’t take cyber security seriously enough” issue:

(1) they envision cyber security as a kind of fortification process in which strong firewalls and astute watchmen will allow them to see threats from afar

(2) they assume that complying with a security framework like NIST or FISMA is sufficient security; and

(3) they haven’t had a security breach recently, so they must be doing something right: what doesn’t seem broken doesn’t need to be fixed.

 

The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. And with 5G coming down the road, its terrifying potential to exponentially raise the level of cyberattacks will make current attacks look like paper cuts. I will have more.
