Can Russian Hackers Be Stopped?

In the spring of 2015, faced with external cyber-attacks on the US of increasing frequency and severity, President Obama made a dramatic announcement. 

The level of hacking and cyber-espionage against the US had created an "unusual and extraordinary threat to the national security, foreign policy, and economy" of the country, said the President, who declared a national emergency to deal with the threat. 

This executive order allowed the administration to pursue sanctions against those who attacked US critical infrastructure or stole secrets. Since then the national emergency has been extended three times (it must be reconfirmed every year), but the attacks against the US and its allies continue.

Indeed, the ongoing state of emergency did little to deter the most spectacular anti-US hacking campaign in recent years: Russia's meddling in the 2016 US presidential election.

Russia is not alone in pursuing cyberattacks to advance its aims: The US government and its allies have long complained about the behaviour of China, Iran, and North Korea, too. Despite years of sanctions, indictments, and other attempts to combat hackers, the attacks have continued. And experts have warned it could be 20 years before the situation is brought under control. So why can't the hackers be stopped?

How can Governments Stop Hackers?
It's not that the US hasn't tried to deter cyberattacks, rather that the techniques the country and its allies have used so far haven't been very effective at stopping the bombardment.

Certainly, cybersecurity is a tough concept for politicians to get their heads around. Foreign agents sneaking into computer systems to steal secrets is crazy enough; the idea of enemies hacking into the computers which control critical infrastructure like power stations to cause destruction can seem like something out of an airport thriller, but is scarily real. Cyber-attacks are cheap, too: No need for a huge military might when all you need is a few smart people and some PCs to start a hacking campaign that can cause headaches for some of the biggest nations on the planet. For a State with few other options, cyber-attacks can be a potent weapon.

What makes cyberattacks an even more enticing option is that it's often hard to work out who is actually responsible for a particular incident, making it a handy way to cause trouble without necessarily getting caught. 

Nations often outsource these kinds of intrusions to freelancers who are adept at covering their tracks, making it harder to point the finger of blame. For example, an intrusion that took French TV station TV5Monde off the air was first thought to be the work of the "Cyber Caliphate" linked to ISIS, but is now blamed on Russia-backed hackers who deliberately left a false trail.

How does Cyber-Deterrence Work?
This is the complicated backdrop against which Western governments are struggling to build some kind of model to deter cyber-attackers. Hardening defences should be the easy part. Many of the most basic attacks, such as the Russian attacks on routers and network infrastructure that the FBI and the UK's GCHQ warned about recently, could be deflected by basic security measures like changing default passwords. However, while governments have more control over their systems, they have less ability to insist that businesses and individuals improve their own security, which is generally pretty terrible, because there are always better things to do. That means there is always a backdoor open to the hackers, and too often the front door, too.

According to one estimate, more than two-thirds of the UK's critical infrastructure bodies suffered an IT outage in the last two years, a third of which were likely due to cyber-attacks.

Few companies can survive a sustained assault by hackers, and even fewer are prepared to defend against state-backed attacks. However, finding a set of effective deterrents remains at best a work in progress.

Some state-backed hackers are looking for trade secrets, some are looking for weaknesses that could be used in future attacks, some are looking to steal money, and others want to just stir up trouble. Some want to do all of these things at once.

Each of these motivations requires a different response.
"In order to have effective deterrence from a US standpoint it's very important that we not just think about this in terms of cybersecurity defence and offence, but the cultural aspects of various nation states and their motivation," said Trevor Rudolph, a New America cybersecurity fellow who was chief of the Cyber and National Security Division at the Office of Management and Budget during the Obama administration.

Over the last half-decade, the US and its allies have tried to deter state-backed hackers with everything from publicity to sanctions and indictments, and maybe even attempts to hack back against assailants. While governments have plenty of practice at responding to a traditional armed assault because they've been dealing with that pretty much since countries were invented, calibrating a response to a cyberattack remains tricky.

"Ultimately it's not about responding to a cyberattack with cyber means, it's about looking at the full toolkit you have as a state in terms of diplomatic, economic, military, and others, and determining the right set of incentives and penalties you're going to apply to a country that's behaving in a way that is unacceptable," says Dmitri Alperovitch, CTO at security company CrowdStrike.

Cyber-Deterrence Trial and Error
The US, in particular, has been testing a variety of different deterrent strategies over a number of years. China was the first country openly tackled for its cyber-espionage when, in May 2014, a grand jury indicted five Chinese military hackers for hacking directed at companies in the US nuclear power and solar energy industries. 

A summit between President Obama and Chinese President Xi Jinping followed a year later, at which both countries promised not to use commercial cyber-espionage. Chinese attacks slowed, at least temporarily. 

But, according to the US intelligence community, China continues to use cyber-espionage to try and break into defence contractors and communications firms in particular. China is also targeting confidential business information such as pricing strategies or mergers and acquisitions data says a spokesman for FireEye.

"What we've seen pop up is Chinese groups targeting US law firms, US investment companies, and so on, stealing information in support of economic goals."

Attempts to curb cyber intrusions by Iran have also met with similar, limited, success. In March 2016 charges were announced against seven Iranians over distributed denial of service attacks against US companies; one man was also charged with unauthorised access into control systems of a US dam. In March 2018 the US Department of Justice charged nine Iranians with stealing more that 31 terabytes of documents and data from more than 140 American universities and 30 American companies.

The US also tried using sanctions against North Korea over its hacking attack on Sony Pictures in what was the first use of sanctions by the US in response to cyber-espionage.

It's possible, although still unclear, that the US may have also responded to Pyongyang's attack on Sony Pictures by taking North Korea's Internet offline for a short period of time, but even this has done little to curb North Korea's activities.
But North Korea continues to use cyberattacks to gain intelligence and in particular to steal funds to prop up the state.

"They've really veered into the crime angle," Read notes. While attempts to curb the behaviour of China, Iran, and North Korea has been limited in its impact, the biggest challenge the US faces at the moment is from Russian interference.

Russia has been blamed for the hacking of the Democratic National Committee and the subsequent leaking of emails. Kremlin-backed groups have also been accused of using disinformation campaigns across social media to stage arguments and undermine trust in the US political system during the 2016 Presidential campaign.

For its part, Russia has denied any meddling. President Putin has denied Russian state involvement in any election meddling, although he did not rule out that Russian hackers might be involved.

"If they are feeling patriotic, they will start contributing, as they believe, to the justified fight against those speaking ill of Russia," he told journalists in 2017. But then, in March 2018 Putin again denied Russian state involvement: "Why have you decided the Russian authorities, myself included, gave anybody permission to do this?" he told NBC News.

US intelligence warns that Russian intelligence and security services continue to probe US critical infrastructures, as well as target the US, NATO, and allies for insights into US policy. Attempts to deter Russian meddling seem to have had little impact.
In December 2016 President Obama responded to revelations about Russian behaviour by expelling diplomats and closing two Russian properties. President Trump added to those moves with new sanctions in March 2018, which had been approved by Congress seven months earlier, and accused Moscow of attempting to hack the US energy grid. Critics said these sanctions did not go far enough.

Indeed, deterring Russia is further complicated by Donald Trump's own response to the hacking revelations. In the Presidential race he, jokingly, invited Russia to hack Hillary Clinton, saying: "Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing." And after winning the election he was initially reluctant to blame Russia for election meddling.

The Limits of Naming-and-Shaming
One tactic the US has used with some success is to be more public about Russian attacks; it has also coordinated with other countries to go public. In February 2018, seven nations, the US, the UK, Denmark, Lithuania, Estonia, Canada, and Australia blamed the NotPetya ransomware attacks on Russia, with support from New Zealand, Norway, Latvia, Sweden, and Finland. Similarly, it was the US along with the UK and Australia in April 2018 that complained about Russian interference with routers and internet infrastructure.

Creating a broader coalition makes its condemnation stronger and harder for a country to shrug off. But although naming-and-shaming may have worked against Chinese industrial cyber-espionage (at least in the short term), it doesn't seem to be particularly effective against the Russians. While the Chinese government doesn't like to be embarrassed in this way, Russia seems much less concerned.

While Moscow consistently denies conducting any of these attacks, it doesn't seem to mind the accusations too much, if only because it acknowledges the Russian state's capabilities.

Where does Cyber-Deterrence Go-Next?
There is always the chance that nation states will change their minds about their use of hacking and cyber intrusion.
As recently as 2009 Russia was keen for a treaty with the US covering the use of cyber-weapons. This would have banned countries from embedding code in the systems of other nations and imposed a ban on the use of deception to disguise the source of cyberattacks. The US wasn't interested, however. President Trump has also floated the idea in 2017 that the US and Russia create "an impenetrable Cyber Security unit" to prevent election hacking, but this didn't get very far.

It will likely take years, or even decades, for rules to finally emerge that govern cyber-espionage and cyberwarfare, so countries will continue to jockey for position for years to come until norms are established. 

A failure to establish boundaries accepted by all means that the risk of accidental escalation remains; if the rules of engagement aren't clear, then a relatively trivial hacking incident could rapidly turn into a full-on confrontation.
One further complication is that rival countries have very different definitions of national security and how to protect it, understanding these differences will be key to creating an agreed set of rules. This makes cyberwar a question of language, not computer code.

Other experts from RUSI argue thay the West's adversaries aren't playing by the same rules "so surely it makes sense to continue the conversation and at least start to explore where the boundaries lie." For example, Russia is, among other things, very concerned about the ability of the West to influence its population through the Internet in the way that it did in the past through radio stations, and sees its own election meddling as acceptable through that prism of suspicion.

"It's about continuing the conversation," said Lawson. "If it does take 20 years for norms to appear in part that will be our fault for making the decision not to engage."

But for now, many nations states will judge that using hackers to spy on, disrupt, distract, and steal from rival states remains a cheap, effective, and relatively risk-free option. Until something changes, expect to see plenty more of the same.

TechRepublic

Trump Backs Russia On Election Interference:

Russia Warns UK Against Cyber Retaliation:

 

« MSAB Joins CASE Initiative On Digital Forensics
Digital Shock: Part 1 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cylance Smart Antivirus

Cylance Smart Antivirus

An antivirus that works smarter, not harder, from BlackBerry. Lightweight, non-intrusive protection powered by artificial intelligence. BUY NOW - LIMITED DISCOUNT OFFER.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

InfoSec Institute

InfoSec Institute

InfoSec Institute provides certification-based training courses for security professionals and enterprise-grade security awareness and phishing training for businesses.

We Watch Your Website

We Watch Your Website

We Watch Your Website provide website monitoring, protection, malware removal and root cause analysis services to help you keep your website secure.

Secusmart

Secusmart

Secusmart provide highly secure and encrypted speech and data communication solutions.

HexaTrust

HexaTrust

The HEXATRUST club was founded by a group of French SMEs that are complementary players with expertise in information security systems, cybersecurity, cloud confidence and digital trust.

Bowbridge

Bowbridge

Bowbridge provides anti-virus and application security solutions for SAP systems.

GitGuardian

GitGuardian

Enable developers, ops, security and compliance professionals to enforce security policies across public and private code, and other data sources as well

Iron Bow Technologies

Iron Bow Technologies

Iron Bow Technologies is a leading IT solution provider dedicated to successfully transforming technology investments into business capabilities for government, commercial and healthcare clients.

Interos

Interos

Interos is the operational resilience company — reinventing how companies manage their supply chains and business relationships — through a breakthrough AI SaaS platform.