Can Russian Hackers Be Stopped?

In the spring of 2015, faced with external cyber-attacks on the US of increasing frequency and severity, President Obama made a dramatic announcement. 

The level of hacking and cyber-espionage against the US had created an "unusual and extraordinary threat to the national security, foreign policy, and economy" of the country, said the President, who declared a national emergency to deal with the threat. 

This executive order allowed the administration to pursue sanctions against those who attacked US critical infrastructure or stole secrets. Since then the national emergency has been extended three times (it must be reconfirmed every year), but the attacks against the US and its allies continue.

Indeed, the ongoing state of emergency did little to deter the most spectacular anti-US hacking campaign in recent years: Russia's meddling in the 2016 US presidential election.

Russia is not alone in pursuing cyberattacks to advance its aims: The US government and its allies have long complained about the behaviour of China, Iran, and North Korea, too. Despite years of sanctions, indictments, and other attempts to combat hackers, the attacks have continued. And experts have warned it could be 20 years before the situation is brought under control. So why can't the hackers be stopped?

How can Governments Stop Hackers?
It's not that the US hasn't tried to deter cyberattacks, rather that the techniques the country and its allies have used so far haven't been very effective at stopping the bombardment.

Certainly, cybersecurity is a tough concept for politicians to get their heads around. Foreign agents sneaking into computer systems to steal secrets is crazy enough; the idea of enemies hacking into the computers which control critical infrastructure like power stations to cause destruction can seem like something out of an airport thriller, but is scarily real. Cyber-attacks are cheap, too: No need for a huge military might when all you need is a few smart people and some PCs to start a hacking campaign that can cause headaches for some of the biggest nations on the planet. For a State with few other options, cyber-attacks can be a potent weapon.

What makes cyberattacks an even more enticing option is that it's often hard to work out who is actually responsible for a particular incident, making it a handy way to cause trouble without necessarily getting caught. 

Nations often outsource these kinds of intrusions to freelancers who are adept at covering their tracks, making it harder to point the finger of blame. For example, an intrusion that took French TV station TV5Monde off the air was first thought to be the work of the "Cyber Caliphate" linked to ISIS, but is now blamed on Russia-backed hackers who deliberately left a false trail.

How does Cyber-Deterrence Work?
This is the complicated backdrop against which Western governments are struggling to build some kind of model to deter cyber-attackers. Hardening defences should be the easy part. Many of the most basic attacks, such as the Russian attacks on routers and network infrastructure that the FBI and the UK's GCHQ warned about recently, could be deflected by basic security measures like changing default passwords. However, while governments have more control over their systems, they have less ability to insist that businesses and individuals improve their own security, which is generally pretty terrible, because there are always better things to do. That means there is always a backdoor open to the hackers, and too often the front door, too.

According to one estimate, more than two-thirds of the UK's critical infrastructure bodies suffered an IT outage in the last two years, a third of which were likely due to cyber-attacks.

Few companies can survive a sustained assault by hackers, and even fewer are prepared to defend against state-backed attacks. However, finding a set of effective deterrents remains at best a work in progress.

Some state-backed hackers are looking for trade secrets, some are looking for weaknesses that could be used in future attacks, some are looking to steal money, and others want to just stir up trouble. Some want to do all of these things at once.

Each of these motivations requires a different response.
"In order to have effective deterrence from a US standpoint it's very important that we not just think about this in terms of cybersecurity defence and offence, but the cultural aspects of various nation states and their motivation," said Trevor Rudolph, a New America cybersecurity fellow who was chief of the Cyber and National Security Division at the Office of Management and Budget during the Obama administration.

Over the last half-decade, the US and its allies have tried to deter state-backed hackers with everything from publicity to sanctions and indictments, and maybe even attempts to hack back against assailants. While governments have plenty of practice at responding to a traditional armed assault because they've been dealing with that pretty much since countries were invented, calibrating a response to a cyberattack remains tricky.

"Ultimately it's not about responding to a cyberattack with cyber means, it's about looking at the full toolkit you have as a state in terms of diplomatic, economic, military, and others, and determining the right set of incentives and penalties you're going to apply to a country that's behaving in a way that is unacceptable," says Dmitri Alperovitch, CTO at security company CrowdStrike.

Cyber-Deterrence Trial and Error
The US, in particular, has been testing a variety of different deterrent strategies over a number of years. China was the first country openly tackled for its cyber-espionage when, in May 2014, a grand jury indicted five Chinese military hackers for hacking directed at companies in the US nuclear power and solar energy industries. 

A summit between President Obama and Chinese President Xi Jinping followed a year later, at which both countries promised not to use commercial cyber-espionage. Chinese attacks slowed, at least temporarily. 

But, according to the US intelligence community, China continues to use cyber-espionage to try and break into defence contractors and communications firms in particular. China is also targeting confidential business information such as pricing strategies or mergers and acquisitions data says a spokesman for FireEye.

"What we've seen pop up is Chinese groups targeting US law firms, US investment companies, and so on, stealing information in support of economic goals."

Attempts to curb cyber intrusions by Iran have also met with similar, limited, success. In March 2016 charges were announced against seven Iranians over distributed denial of service attacks against US companies; one man was also charged with unauthorised access into control systems of a US dam. In March 2018 the US Department of Justice charged nine Iranians with stealing more that 31 terabytes of documents and data from more than 140 American universities and 30 American companies.

The US also tried using sanctions against North Korea over its hacking attack on Sony Pictures in what was the first use of sanctions by the US in response to cyber-espionage.

It's possible, although still unclear, that the US may have also responded to Pyongyang's attack on Sony Pictures by taking North Korea's Internet offline for a short period of time, but even this has done little to curb North Korea's activities.
But North Korea continues to use cyberattacks to gain intelligence and in particular to steal funds to prop up the state.

"They've really veered into the crime angle," Read notes. While attempts to curb the behaviour of China, Iran, and North Korea has been limited in its impact, the biggest challenge the US faces at the moment is from Russian interference.

Russia has been blamed for the hacking of the Democratic National Committee and the subsequent leaking of emails. Kremlin-backed groups have also been accused of using disinformation campaigns across social media to stage arguments and undermine trust in the US political system during the 2016 Presidential campaign.

For its part, Russia has denied any meddling. President Putin has denied Russian state involvement in any election meddling, although he did not rule out that Russian hackers might be involved.

"If they are feeling patriotic, they will start contributing, as they believe, to the justified fight against those speaking ill of Russia," he told journalists in 2017. But then, in March 2018 Putin again denied Russian state involvement: "Why have you decided the Russian authorities, myself included, gave anybody permission to do this?" he told NBC News.

US intelligence warns that Russian intelligence and security services continue to probe US critical infrastructures, as well as target the US, NATO, and allies for insights into US policy. Attempts to deter Russian meddling seem to have had little impact.
In December 2016 President Obama responded to revelations about Russian behaviour by expelling diplomats and closing two Russian properties. President Trump added to those moves with new sanctions in March 2018, which had been approved by Congress seven months earlier, and accused Moscow of attempting to hack the US energy grid. Critics said these sanctions did not go far enough.

Indeed, deterring Russia is further complicated by Donald Trump's own response to the hacking revelations. In the Presidential race he, jokingly, invited Russia to hack Hillary Clinton, saying: "Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing." And after winning the election he was initially reluctant to blame Russia for election meddling.

The Limits of Naming-and-Shaming
One tactic the US has used with some success is to be more public about Russian attacks; it has also coordinated with other countries to go public. In February 2018, seven nations, the US, the UK, Denmark, Lithuania, Estonia, Canada, and Australia blamed the NotPetya ransomware attacks on Russia, with support from New Zealand, Norway, Latvia, Sweden, and Finland. Similarly, it was the US along with the UK and Australia in April 2018 that complained about Russian interference with routers and internet infrastructure.

Creating a broader coalition makes its condemnation stronger and harder for a country to shrug off. But although naming-and-shaming may have worked against Chinese industrial cyber-espionage (at least in the short term), it doesn't seem to be particularly effective against the Russians. While the Chinese government doesn't like to be embarrassed in this way, Russia seems much less concerned.

While Moscow consistently denies conducting any of these attacks, it doesn't seem to mind the accusations too much, if only because it acknowledges the Russian state's capabilities.

Where does Cyber-Deterrence Go-Next?
There is always the chance that nation states will change their minds about their use of hacking and cyber intrusion.
As recently as 2009 Russia was keen for a treaty with the US covering the use of cyber-weapons. This would have banned countries from embedding code in the systems of other nations and imposed a ban on the use of deception to disguise the source of cyberattacks. The US wasn't interested, however. President Trump has also floated the idea in 2017 that the US and Russia create "an impenetrable Cyber Security unit" to prevent election hacking, but this didn't get very far.

It will likely take years, or even decades, for rules to finally emerge that govern cyber-espionage and cyberwarfare, so countries will continue to jockey for position for years to come until norms are established. 

A failure to establish boundaries accepted by all means that the risk of accidental escalation remains; if the rules of engagement aren't clear, then a relatively trivial hacking incident could rapidly turn into a full-on confrontation.
One further complication is that rival countries have very different definitions of national security and how to protect it, understanding these differences will be key to creating an agreed set of rules. This makes cyberwar a question of language, not computer code.

Other experts from RUSI argue thay the West's adversaries aren't playing by the same rules "so surely it makes sense to continue the conversation and at least start to explore where the boundaries lie." For example, Russia is, among other things, very concerned about the ability of the West to influence its population through the Internet in the way that it did in the past through radio stations, and sees its own election meddling as acceptable through that prism of suspicion.

"It's about continuing the conversation," said Lawson. "If it does take 20 years for norms to appear in part that will be our fault for making the decision not to engage."

But for now, many nations states will judge that using hackers to spy on, disrupt, distract, and steal from rival states remains a cheap, effective, and relatively risk-free option. Until something changes, expect to see plenty more of the same.

TechRepublic

Trump Backs Russia On Election Interference:

Russia Warns UK Against Cyber Retaliation:

 

« MSAB Joins CASE Initiative On Digital Forensics
Digital Shock: Part 1 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cylance Smart Antivirus

Cylance Smart Antivirus

An antivirus that works smarter, not harder, from BlackBerry. Lightweight, non-intrusive protection powered by artificial intelligence. BUY NOW - LIMITED DISCOUNT OFFER.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Perimeter 81 / Black Hat On-Demand Webinar

Perimeter 81 / Black Hat On-Demand Webinar

Black Hat On-Demand Webinar - Identity is the New Perimeter: This webinar will provide you with vital insights to help understand the need for Zero Trust and how it can transform your network.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CERT-IS

CERT-IS

CERT-IS is the national Computer Emergency Response Team for Iceland.

BioCatch

BioCatch

BioCatch uses behavioral biometrics for fraud prevention and detection. Continuous authentication for web and mobile applications to prevent new account fraud.

Cyber Threat Alliance

Cyber Threat Alliance

CTA is working to improve cybersecurity of our digital ecosystem by enabling near real-time cyber threat information sharing among companies and organizations in the cybersecurity field.

Gallarus Industry Solutions

Gallarus Industry Solutions

Gallarus leads innovation within industrial Manufacturing, Production and Management Systems, including Cyber Security solutions specifically developed to protect against the latest cyber criminality.

jobsDB.com

jobsDB.com

jobsDB Singapore is a search engine for jobs throughout Singapore.

HITRUST Alliance

HITRUST Alliance

HITRUST provides widely-adopted common risk and compliance management frameworks, related assessment and assurance methodologies.

Security On Demand (SOD)

Security On Demand (SOD)

Security On-Demand is the world’s first Full Spectrum Cyber-Threat Monitoring service, designed to bridge the gap between data and action.

Exceed Cybersecurity & I.T. Services

Exceed Cybersecurity & I.T. Services

Exceed Cybersecurity & I.T. Services is a premier Managed Internet Technology (I.T.) company with a focus in cybersecurity risk management and CMMC compliance management.