Threat Intelligence
10/12/2016
05:00 PM

Russia, Russia, Russia: What Clinton Or Trump Can Do About Nation-State Hacking Gone Wild

US mulls 'proportional' response to Democratic Party hacks in midst of an unprecedented presidential campaign clouded by cybersecurity concerns (among other things).

Whether the next President of the United States likes it or not, she or he will face a whole new era of nation-state cyberattacks that have now crossed a fine line from accepted cyber espionage to attacks aimed at sabotaging the election season.

In the wake of a rare declaration by the Office of the Director of National Intelligence and US Department of Homeland Security last week that named Russia as the actor behind recent hacks of the Democratic National Committee (DNC) and personal emails of US political officials and organizations, the White House this week said the US will respond in a "proportional" manner to the breaches, which have gone glaringly public with online data dumps via WikiLeaks.

Russia may be the first nation to move from cyber espionage to cyber sabotage in an apparent quest to influence or wreak chaos on the US election, but it wasn't the first nation the US has called out for damaging cyberattacks. First there were the US Department of Justice's indictments of five Chinese military officials in 2014, followed by the Obama administration's naming and shaming of North Korea for the epic and massive data breach, data-wiping and doxing of Sony Pictures Entertainment later that year. Earlier this year, the DOJ indicted an Iranian hacker working on behalf of the Iranian government for allegedly infiltrating a server at a dam in New York.

Even so, Russia's propaganda-driven campaign in the breach and doxing of the DNC and other Democratic Party operatives takes this destructive cyber espionage activity to a whole new level. While most experts say it's unlikely Russia can or will be able to go as far as hacking US voting systems to alter the vote count, there are plenty of ways for the nation-state to sow seeds of distrust, doubt, and fear in the election.

This threat won't end after Nov. 8, either.

"We have never been here before. No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber," says security expert Cris Thomas, aka Space Rogue, who says the administration needs to provide some evidence of Russia's involvement in the breach.

Thomas says the US should be careful with attribution "and set the stage now as to what is and is not acceptable as we move into the future, when these sort of actions will become more and more commonplace."

Lisa Monaco, assistant to the President for Homeland Security and Counterterrorism, at a security conference hosted by The Washington Post last week, said the administration would consider tools including "economic, diplomatic, criminal law enforcement, military, and some of those responses may be public, some of them may not be." 

An Executive Order issued in April 2015 by President Barack Obama gives the president authorization to impose some sort of retribution or response to cyberattacks. The EO, which the administration has not used in any case as of yet, allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

"Our primary focus will be on cyber threats from overseas. In many cases, diplomatic and law enforcement tools will still be our most effective response," Obama said when announcing the Executive Order. "But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst."

In response to the US allegations of Russia's election-hacking activities, Russian President Vladimir Putin this week said the attacks "have nothing to do with Russia's interests."

"They started this hysteria, saying that this (hacking) is in Russia's interests. But this has nothing to do with Russia's interests," Putin said at a Moscow business forum, according to Reuters.

Putin appeared to shift the discussion to the contents of the information breached and dumped publicly via WikiLeaks. "Everyone is talking about 'who did it' [the hacking]," said Putin. "But is it that important? The most important thing is what is inside this information."

45th President In The Hacker Hot Seat

While the Obama administration wrestles with how to implement its retribution policy for the first time, Russia's alleged hacking activity isn't likely to subside after the new President is elected, nor is the problem of nation-state hacking at this new level. So either new President Hillary Clinton or new President Donald Trump will be forced to tackle this new chapter in nation-state cyber espionage.

John Bambenek, threat systems manager at Fidelis Cybersecurity, says the next President of the US will have some big challenges here. "Ultimately, nations have to behave like economic actors," he says.

Retribution for a cyberattack, like attribution, can be a slippery slope.

Unlike the diplomatic agreement between Obama and China's Xi Jinping, where both nations promised not to conduct cyber espionage for economic gain in the wake of China's infamous intellectual property theft-related hacks, a deal with Russia would be much trickier and less likely. "You're going to have to do it adversarially with Russia," Bambenek says. There's definitely danger of escalation and "tit-for-tat" responses, he says.

"History tends to favor sanctions in these matters," he says. Take the US's economic sanctions against Russia in response to Putin's aggression in Crimea, he says. "That remains a pain point for Russia."

But Russian doctrine supports escalation as a way to de-escalate tensions or conflict, notes Christopher Porter, manager of the Horizons team at FireEye. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

Even if the US were to out the tools or infrastructure used by the Russian attack groups, it likely wouldn't pressure Russia to dial back the hacks. Porter points to a previous year-long study by FireEye of Russian threat groups that concluded that even after being outed more than 20 times in one year, the groups continued their operations.

"It had no demonstrative effect on their ability to compromise" their targets, he says. "They are well-resourced" and FireEye has seen them just shift their operations with infrastructure from outside Russia or with other resources, he says.

FireEye's Porter says there are two things the next US administration could do differently to handle these attackers. "They need to have better delegation for decision-making on the US side," he says. "Don't wait until a lot of incidents pile up before formulating a response. The White House has to weigh in on every decision now."

Second, don't treat state-sponsored hacks like a legal case. "We still talk about state-sponsored attacks as though they are a case for a lawyer, and we treat them like we have to prove them beyond a reasonable doubt … with forensic evidence," he says.

That approach doesn't work because savvy nation-states can easily sow reasonable doubt in their attacks, he says.

New Normal Norms Needed

Ultimately, without any global cyber-norms from which to operate, the US is limited in its response.

"I would love to see the next president somehow reach consensus with other nations as to what is and what is not acceptable in the world of cyber and what responses are acceptable to nations who violate those norms," Thomas, aka Space Rogue, says.

That would mean defining just what cybersecurity violations would entail when it comes to nation-states. "We should have very defined sanctions regarding hacking and cyberwarfare," says Miller Newton, president and CEO of data encryption company PKWARE.

But neither Presidential candidate has been eager to embrace the cybersecurity policy issues, despite both of their campaigns directly being drawn into the Russian hacks: Clinton via the DNC email breach as well as that of her campaign manager John Podesta, and Trump, who went so far as to say in the most recent debate that "maybe there is no hacking" in reference to the US government calling out Russia over the alleged data breaches.

Newton says the candidates aren't emphasizing cybersecurity because it's just not a hot topic for voters. "It's not a vote-getting issue," he says. "They [the candidates] don't want to hit the privacy versus national security issue head-on [either]. It's a quagmire: there is no easy solution, but it needs to be front and center."

But apparently, millennials do care about cybersecurity policy: more than half of US adults ages 18-26 surveyed by Raytheon and the National Cyber Security Alliance (NCSA) say that a candidate's position on cybersecurity weighs into their decision to support that candidate. Half don't think cybersecurity has been sufficiently discussed in this election season.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
10/17/2016 | 4:11:45 PM
Re: Leading survey?
I know some security-savvy millennials, but they have been well-coached by their mom. =)
Joe Stanganelli,
User Rank: Ninja
10/17/2016 | 4:04:21 PM
Re: Leading survey?
@Kelly: Judging by the Millennials I have come to know, I think it's more a matter of wanting to appear as if they fit in and are doing the right thing.

If Millennials as a whole truly cared -- genuinely cared -- about information security and data privacy to the level being discussed here, they sure as shootin' wouldn't use so many apps or live on their mobile devices.

Now get off my lawn.
Kelly Jackson Higgins,
User Rank: Strategist
10/17/2016 | 9:22:55 AM
Re: Leading survey?
Good point about "leading" questions in surveys. But I think it's also not surprising that millennials, who unlike their parents grew up with technology/Internet, are more concerned about cybersecurity. 
Joe Stanganelli,
User Rank: Ninja
10/16/2016 | 8:14:28 PM
Leading survey?
I question the survey results reported in that last graf.  It is an automatically leading question merely by virtue of asking it.  It makes people feel like they *should* be concerned about cybersecurity when it comes to politics, even if they're not -- or it triggers in people the feeling that they, as rational human beings, OF COURSE factor cybersecurity into their voting decision-making, even when they do not.

I seriously doubt that cybersecurity is a significant factor for the vast majority of US voters. 