On Feb. 16, a federal grand jury in Washington, D.C. returned an indictment against 13 Russian citizens and three Russian companies for a scheme involving information warfare against the political institutions of the United States. Does this portend a new strategy for dealing with cyberthreats or is this merely political theater?
The answer to both questions, of course, is yes.
It’s a new strategy because the indictment focuses on more than mere “hacking” and theft of information, and on the value of information per se. It focuses on information warfare—the use of information to achieve strategic goals. And it’s political theater mostly because it is highly unlikely that any of the named individuals will ever see the inside of a U.S. courthouse, much less a federal prison. Yet, the use of the criminal justice system in this way represents a new front in the war against a very specific form of cybercrime.
This Ain’t Your Grandma’s Cybercrime
When we think of cybercrime, and of defense against cybercrime, we typically think of hacking and theft: hacking, the obtaining of unauthorized access to a computer, computer network or device, and theft, the misappropriation of money or property. In fact, one of the chief goals of the Computer Fraud and Abuse Act (18 USC 1030) was to create a new offense of cybercrime patterned after other “real world” offenses: theft, trespass, destruction of property. Hacking is trespass, or “unauthorized access” or “exceeding the scope of authorization to access.” Fraud is, well, fraud: obtaining money or property (something of value) by false pretenses. Theft is the “taking” of “property” without right, or the “misappropriation” of that property. And finally, destruction of property is when you make something that has value less valuable by tampering with it, altering it, destroying it or making it inaccessible.
At the end of the day, these “real world” analogues fall apart in the cyberworld, since the analogies are imperfect. How do we value “information?” How is it “stolen” if it is still there? How do we define the scope of “authorization” to “access” a computer—and what does it mean to “access” a computer, anyway? Is a userid and password a persona—an identity—or is it a key, making the crime burglary rather than false personation? Does a DDoS attack “destroy” property?
These are some of the “old wine in new bottles” challenges for investigating and prosecuting cybercrimes, and they have been with us for about 40 years.
But the Mueller/Russia indictment, like the Sony indictment before it, represents a different breed of cybercrime. At its core, computer crimes are NOT crimes against computers. They are not even crimes using computers. Computer crimes are aimed at information. Computer crimes are aimed at the confidentiality, integrity and availability (CIA) of information. Add to those the misuse of information, the dissemination of information and the weaponization of information and you have a broader picture of modern cybercrime. And our legal and criminal justice system does a terrible job with the idea of information-based crimes. And rightly so. We have a hard time categorizing information, determining how to protect it legally and why to protect it legally, and evaluating the legal threats to information.
Hacking vs. Information vs. Disinformation
Traditional “hacking” cases involved breaking into computers to “steal” information, and then appropriating that information for the use of the bad guy. Putting aside the methods used, the goal was to get something and then use it—stolen credit card information, stolen personas, trade secrets or economic or national espionage. The indictments in Pittsburgh against the Chinese Army for stealing corporate secrets represent the use of the criminal justice system as an instrument of warfare.
Typically, if you steal a secret, you exploit it for profit. But this cybercrime has morphed. Stolen secrets are posted online (think WikiLeaks or doxing) or threatened to be exposed in return for money or other favors (cyberextortion, revenge porn, the fappening). In the most recent episode of Showtime’s “Homeland,” ex-CIA agent Carrie Mathison is threatened with both a cryptolocker and public exposure of her computer by a hacker who agrees to meet her in an abandoned building—which doesn’t work out so well for the hacker. (Put aside the fact that a computer whose entire hard drive is cryptolocked would not work as a surveillance device—but maybe only the files were locked.)
Increasingly, sophisticated cybercrime involves the dissemination of information, not simply the use of that information. While the Mueller/Russia charges included theft of identity information (presumably through hacking or possibly skimming), the false identity information was the vehicle for establishing verisimilitude for a massive disinformation campaign—or what we would now call “real fake news”: stories intended to create or amplify a narrative with a political objective.
Why Does it Matter?
For most companies, like most countries, the defense against cybercrime has been focused on locking doors. Better access control. Encryption of data. Continuous monitoring. Fraud prevention. Biometrics. You know—locks and cameras.
But these defenses don’t work when the information itself is weaponized. A firewall that prevents threat actors from getting in does not work when the threat actor is not concerned about getting in. The Sony hack, like the DNC hack, was not focused on any particularly sensitive information (although sensitive information may have been exposed), but rather focused on the use of whatever information could be found. Amy Pascal, the co-CEO of Sony, was fired because her stolen e-mails were disseminated in a way that embarrassed her, embarrassed the studio and created rifts between the studio and the talent, their agents and others. The DNC hacks revealed an institutional bias for an institutional candidate, and a flurry of e-mails about a pizzeria in northwest Washington, D.C., which were weaponized into the so-called “Pizzagate” controversy about an alleged child abduction ring in the basement of Comet Pizza—a store that has no basement at all. If you were in charge of protecting the DNC’s critical secrets, would you ever consider an e-mail from John Podesta about cheese pizza to be the kind of thing that might cause a campaign to falter? If you were the CISO of Sony, would you think that an email about President Obama’s movie preferences would cause the fall of the leadership?
What this means for CISOs and security professionals is that we are, to some extent, protecting the wrong things in the wrong way against the wrong threats. What we need to do is much more deep web threat actor engagement—to understand the motivations and desires of the threat actors much better than we do today. If you don’t know why you are being attacked, then you may not know how to protect yourself. Sure, we still need to protect personal information, supply chains, credit card numbers and the like. But new threats and new techniques require both new defenses and new strategies. The Mueller/Russia indictments allege a scheme and artifice by the Russians to defraud the United States not out of cash or property, but out of the ability to have a functioning government. And that is a new type of threat—one which we are not currently prepared to respond to.