Cybercriminals as extensions of state power? | ISPI
Commentary

Cybercriminals as extensions of state power?

Alexander Klimburg
16 July 2018

At the end of 2016, the outgoing Obama administration issued several decisions and executive orders as part of countermeasures designed to punish Russia for its interference in the US Presidential election.[1] Following up on its experience with similar measures against Chinese and Iranian cyber experts, the US government published a list of "specially designated persons" (SDNs) who were placed under direct sanctions. Of the six individuals whose names were published, four were very senior Russian intelligence officials. The other two were not officials, but private citizens: known cybercriminals, whose aliases included "Slavik" and "Magg". "Magg" was 30 years old at the time of the indictment, and already had the dubious honor of being named side by side with the chief of the Russian military intelligence organization (GRU).[2]

This public declaration made official what had long been apparent in practice: that states can and do consider some cybercriminals as extensions of state power. This should hardly come as a surprise: one of the very first serious cyber-espionage attacks on the United States was carried out in 1986 by a German cybercriminal working on behalf of the KGB.[3] Even back then, the interest of governments in using a cybercrime proxy was clearly three-fold: firstly, it was thought to provide a certain level of plausible deniability if discovered; secondly, it provided instant access to a high-grade skill set and assets that could prove difficult and expensive to build up internally; and thirdly, it complicated matters in general for the defenders by raising the "noise to signal" ratio, encouraging lots of low-grade cyber-attacks to distract from the more serious state-executed operations.

Twenty-two years later, these advantages remain, with some differences. After reaching a high point in 2007/2008, the "plausible deniability" advantage of cybercrime has shifted. Russian cybercrime was acknowledged to have played a decisive role in the 2007 and 2008 cyberattacks on Estonia and Georgia, respectively, sometimes in conjunction with other proxies, such as the Putin-affiliated Nashi youth group. However, the Western response to these attacks (and others like them) has from the start been to point fingers at the Russian government directly, negating any direct benefit over time. Furthermore, the actions of the US government against China first (the 2014 indictment of the so-called "PLA Five"[4] for intellectual property theft) and then Iran (in 2016) clearly showed that non-state proxies would still be considered to fall under a state's effective control, and therefore under the state's responsibility. Indeed, the March 2018 amendment of the Iranian cyber-related sanctions lists a number of individuals and their organizations, and their purported role in supporting attacks against the United States.[5] The ability to hide behind the plausible deniability of proxy groups is therefore decreasing, and will continue to do so.

However, the other two advantages certainly remain. The capacity of some cybercriminal groups easily matches or exceeds that of some states. Not only do cybercriminals produce and maintain botnets (what I have called the Swiss Army knife of cyber-conflict), but they also provide a host of other services, from secure hosting facilities to money laundering and even "weapons development". The latter category mostly relies on the discovery of zero-day exploits and their incorporation into malware code, a process that can be fairly labor intensive. In 2015, a researcher at the company FireEye stated that there were "entire villages dedicated to malware in Russia and China": very sophisticated, very organized, very well-funded.[6] As I have pointed out in my book The Darkening Web[7], there are numerous other examples of possible collusion between governments and cybercrime gangs, and often enough the rationale is simply practicality: while some malware might not be good enough for the hardest of cyber-targets, it is good enough for most other types of targets. Besides, even supposedly "hard" targets, like the US government Office of Personnel Management, which was breached in 2015 with over 5 million applications for government clearances lost[8], are not always really hard targets to begin with. For governments, therefore, cybercrime can be a really cheap way to exert substantial cyber power, or, as the Estonian researcher Rain Ottis put it in 2012, "If you want cheap cyber power, you need to tolerate a level of cybercrime." This is especially pertinent if all the downsides of cybercrime accrue to your adversaries abroad, and not to you.

This leads us to the third advantage for governments in cooperating with cybercriminals: raising the noise-to-signal ratio by facilitating lots of little cyber-attacks, and therefore distracting from the bigger picture or more serious attacks. An outside observer may think that cybercrime might actually pose a disadvantage to serious cyber spooks: by "spooking" their targets they might, after all, encourage them to adopt a higher defensive posture, and therefore make it more difficult for the heavy-hitting state cyber teams to infiltrate. However, as many cyberattacks, all the way back to the legendary 1998-2000 Russian campaign known as Moonlight Maze, have shown us, this just is not the case. On the operational level, cyber defence does not scale well: even if there are various "defensive levels" that can be activated and resource levels that can be mobilized, the best time to launch a cyberattack is still when another cyberattack is already ongoing, because other defenses will simply be lacking. For cyber defenders everywhere there is a limit to how many hours there are in the day, and in that case you go for the quick and easier wins, rather than trying to untangle some of the much more complicated (and very possibly non-malicious) indicators that you have. Simply put, cyberdefense is always a bit like the Dutch boy putting his finger in the dike: there is always going to be a prioritization going on. Serious and highly capable cyber intrusions are therefore often executed in the "noise" of more visible cybercrime attacks.

It is, however, not too late to turn this equation around. In fact, the very visibility of cybercrime and the ease with which it can penetrate most targets should be able to encourage some of the most sorely needed basic protective measures that are still not common across the private sector, and sometimes even government. This includes enforcing "cyber hygiene" across all organizations to take care of the basics, while at the same time enforcing product standards and service level agreements within the private sector to make sure that monster holes in products and services do not remain so easy for an attacker to exploit. And finally, it means that both the insurance industry and legislation should make it much more painful to fail at basic cyber defense.

There is some hope of this happening. In part, this is because some governments which previously enjoyed "cheap cyberpower" are now experiencing a substantial rise in cybercrime; China is only one such example. Data protection, previously seen as something of concern only to a few fanatics, is now rapidly becoming an issue for the average citizen as well. Furthermore, there are also clear signs that standards could become a substantial trade issue: enforcing basic standards of protection (for instance in the Internet of Things galaxy) could have a dramatic effect on the manufacturing and trading of these devices, with significant economic impact. Indeed, cybercrime could actually finally help accomplish what has sometimes been seen as a lost cause: getting basic cyberdefense right. If that happens, then indeed we could finally say that cybercrime does work, for everyone.

Notes

[1] For an unclassified first assessment of this, see the DNI report: Office of the Director of National Intelligence. Background to "Assessing Russian Activities and Intentions in Recent US Elections": The Analytic Process and Cyber Incident Attribution. 06.01.2017. Available at: https://www.dni.gov/files/documents/ICA_2017_01.pdf (Last visited: 14.06.2018).

[2] U.S. Department of the Treasury. Issuance of Amended Executive Order 13694; Cyber-Related Sanctions Designations. 29.12.2016. Available at: https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20161229.aspx (Last visited: 14.06.2018).

[3] See the story on the Cuckoo's Egg episode in The Darkening Web: Klimburg, Alexander. The Darkening Web (New York: The Penguin Press, 2017), p. 161.

[4] Department of Justice. U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage. 19.05.2014. Available at: https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor (Last visited: 14.06.2018).

[5] See for instance: U.S. Department of the Treasury. Treasury Sanctions Iranian Cyber Actors for Malicious Cyber-Enabled Activities Targeting Hundreds of Universities. 23.03.2018. Available at: https://home.treasury.gov/news/press-releases/sm0332 (Last visited: 14.06.2018).

[6] Miller, Roger LeRoy. Cengage Advantage Books: Business Law: Text & Cases – an Accelerated Course. (Cengage Learning, 2015).

[7] Klimburg, Alexander. The Darkening Web (New York: The Penguin Press, 2017).

[8] Larter, David, and Tilghman, Andrew. "Military clearance OPM data breach 'absolute calamity'". Navy Times, June 17, 2015. Available at: https://www.navytimes.com/news/your-navy/2015/06/17/military-clearance-opm-data-breach-absolute-calamity/ (Last visited: 14.06.2018).

AUTHOR

Alexander Klimburg
GCSC Initiative and Secretariat