The new-found “Red Scare” arising from the revelation of Russian-government directed cyber attacks against the U.S., reminds me of a wonderful line from the movie “Casablanca.” Captain Renault, a reluctant Vichy-police official with rather flexible views on the vice of gambling, is pressured by the Nazi’s to find any pretext to close down “Rick’s American Café.” Summoning all the false outrage he can muster, Renault struts into the Café amid a police raid and declares “I am shocked – shocked! – to find that gambling is going on in here!”
Just to set the record straight, the Russians have been hacking into cyber networks, engaging in the dark art of disinformation and influence operations, not to mention good old fashioned espionage, for a very long time. It is what they do, and we should not be shocked by their cyber “gambling.” Beginning in the early 1920’s with what was known as the “Trust”, the Soviet “Cheka” (forerunner of the KGB) set a pattern of active measures and influence operations to discredit their adversaries and sow dissension within the ranks of political opposition. In 1983, the KGB launched Operation “INFEKTION,” a disinformation campaign designed to attribute the AIDS/HIV Virus to the U.S. Biowarfare program at Ft. Detrick, Maryland. Following the Cold War, the Russians developed and have perfected the tactic of unleashing crippling cyber-attacks against adversaries before they attack. This included Denial of Service (DdoS) attacks against Georgia in 2008, against Crimea in 2014, and an ongoing cyber war against Ukraine. There have been aggressive probes against Estonia, Poland and other “Near Abroad” (former Soviet States) countries in recent years and, yes, ongoing disinformation and manipulation campaigns against them during times of political change.
At the risk of sounding like Sun Tzu’s, “The Art of War,” a poor or non-existent defense of one’s assets is sure to attract the enemy. In the vernacular of risk, this principle is known as “vulnerability to threat actor” (or VTA). This vulnerability can actually be quantified, in the calculation of risk. The assumption behind this axiom is simply that the greater the exposure of a valued asset to bad acts such as cyber hacking, theft, or injury, the more attractive the asset becomes to a bad actor. It is common sense, really, and most of us with a reasonable degree of intelligence understand it. We lock the doors of our homes at night, or our automobiles in the parking lot of a shopping center. We purchase and use virus and malware software to protect our data.
With this principle in mind, the recent “surge” in Russian cyber attacks needs to be put into its proper perspective. First, there is no surge in Russian cyber attacks. There is a surge in media attention and a spotlight on Russian-originated cyber hacking exploits. Big difference. The breathless media minions are telling us the “Russians are coming” once again, absent any serious research into the issue. Of course the Russians are going to probe and hack our cyber defenses…paltry and dated as they are. So are the Chinese, the Iranians, North Koreans, ISIS and any number of transnational hackers out there who want to get at our national security plans and intentions on the cheap. Truth be told, we do the same thing. Live by the cyber-sword…die by the sword. If we are to engage in cyber warfare, we damn sure better have good cyber defenses. And from all indications, we don’t. So enough already with the hand-wringing.
The issue is more about us than it is about them. For every successful cyber attack on us, there had to be an abysmal fail in defenses. Some notable examples that come to mind are, oh, an extremely high-profile, extremely well-connected and powerful individual making his e-mail password…”password.” Or an even higher high-profile, uber well-connected and super powerful individual locating her email server in the bathroom of her home; mixing and routing both personal and very classified correspondence through it…not to mention receiving emails with forgotten passwords in them, unencrypted. Or an individual, soon to be in the highest office in the land, initially dismissing or minimizing the consensus of the entire U.S. Intelligence Community’s assessment that Russia was purposely conducting a cyber-influence operation against us. There is plenty of blame all around.
This pattern of abject cyber failure extends into elements of our own government that really ought to know better. The U.S. Government’s Office of Personnel Management (OPM) was hacked by the Chinese in April of 2015 and sensitive personnel records of over 18 million past and current U.S. Government employees (including yours truly) were stolen. The U.S. Postal Service was breached by Chinese hackers in 2014, with the compromise of over 800,000 Postal Service employees and over 2.9 million USPS customers. Then there is the National Security Agency (NSA), that lost a significant amount of highly classified information through leaks by former employee Edward Snowden, and the over 50 Terabytes of sensitive data to former employee Harold Martin. These are just a few examples from the past three years. The Public Sector shares the sin of ignoring good cyber defense with the Private Sector. Without naming names, I have personally seen some real doozies. One particularly “smart” CIO at a regional utility company simply put red tape around a bank of servers and declared them “secure” because he was in compliance with regulations to ensure they were within a secure space. I’m sure that red tape really deterred pesky would-be intruders. SCADA systems hastily assembled in a spare room with nothing more than a lock and key on the door. The list could go on.
The important point is this: we live in a world that is increasingly foreshortened in terms of time and distance by ever-more sophisticated networks, rapidly growing bandwidth, and more streamlined software with access to greater amounts of data. Compounding the problem is the portability of media and ease with which it can be connected to networks. Case in point is the recent discovery of “Grizzly Steppe” (codename for the Russian cyber operation) code on a Burlington Electric utility laptop. When we misidentify the threat as government regulators and regulations, auditors, opposition party members, we do ourselves a tremendous disservice. Buckling to the demands of clients too lazy to observe even the most basic cyber security measures in the name of “convenience” ultimately has severe consequences. To misplace trust in committee-crafted compliance regimes as a substitute for real security is hubris that we can ill-afford. Just as it is not advisable to ignore good defense measures, it is not okay to ignore good intelligence advice, even if one is skeptical of motives and intentions. Better to be skeptical, and simultaneously take the advice of the professionals, than dismiss them and the advice altogether. To quote the late John Wayne, “Life is hard. It’s even harder when you’re stupid.”
Unless we operate in life like my dear old Dad, who continues to write paper checks (refuses to use a debit card), writes letters by hand, keeps contacts in a leather-bound address book, memorizes telephone numbers, avoids the internet and still knows all the bank tellers at his bank by their first name…the blessings of the information age we all take for granted can very quickly become a curse. Make a New Year’s resolution to button down access to and security of your data, and ensure that it is done throughout the organization, starting with yourself.
Don’t be stupid.