Cyber as a Facilitating Factor: Key Takeaways from RSA 2017

Photo: The Cipher Brief/Levi Maxey

For many, cybersecurity is a technical problem and therefore requires technical solutions. But for policymakers and the national security community, a key takeaway from this year’s RSA Conference is that cybersecurity is simply a digital extension of many of the threats that have been around for a long time: organized crime engaging in theft and extortion, the old-school tradecraft of espionage, and the subversion operations of nation-states in the internal affairs of competitors on the international stage.

Last week’s annual cyber conference in San Francisco brought together expertise ranging from engineers and business executives to government officials at the top echelons from the National Security Agency (NSA) to the Department of Homeland Security and Justice Department. For the 43,000 attendees, there was a bit of everything for everyone – the newest tech, all the way to the geopolitical impacts of nation-state activity.

The most prevalent topics of discussion pertained primarily to private industry, such as the abundance of ransomware, the growth of the Internet of Things, and large-scale distributed denial of service (DDoS) attacks. Yet, the role of nation-state activity, particularly the Russian hack of the Democratic National Committee (DNC) last summer, was a focus for those in the national security space. It is this intersection of geopolitics and cybersecurity where many of The Cipher Brief’s key takeaways can be found.  

Cyber Attacks Facilitate Broader Efforts

As Oren Falkowitz, the CEO of Area 1 Security and a former member of the National Security Agency’s Tailored Access Operations (TAO) hacking unit, points out, what makes a cyber tool deployed by a nation-state significant, is not necessarily the technical sophistication of the malicious code, but rather the how the hack fits into a broader operation. For example, the DNC hack is noteworthy, not because of the malware implanted through targeted social engineering attacks, but rather how the information obtained through the breach facilitated a corrosive information campaign that furthered Russian geopolitical goals.

Similarly, Omri Illuz, the CEO of PerimeterX, suggests that very simple bots, or computers that impersonate people online, could amplify the impacts of Russian information operates simply be boosting the visibility of certain social media posts. These bots themselves are not sophisticated, but coupled with pervasive influence operations, they can have a lasting impact. Mike Rogers, the former Chairman of the House Intelligence Committee, noted during an RSA panel that these information operations could have an enormous impact on upcoming European elections.

Ultimately, national security vulnerabilities as a result of cyber insecurity only exist because of our dependence on those systems for communication, data storage, financial transactions, and managing our power grids, water, and energy.

The Distinction Between Criminal and Nation-State Activity is Difficult

RSA also helped highlight how warfare and espionage look when conducted in cyberspace. Kenneth Greers, a Senior Research Scientist at Comodo and veteran of the NSA, uses data on malware collections found around the world to show the overlay of networks breaches with geopolitical events. For example, Greers found close correlation between spikes in cyber intrusions in line with the geopolitical incidents in the Middle East, such as suicide bombings. The relationship could simply be opportunistic, but may also indicated cyber operations facilitating attacks or nation-states assessing a situation through cyber espionage.

Mark Loman, the Director of Engineering at SOPHOS, separated criminal intrusion tactics from nation-state cyber espionage efforts based on differentiating motives. Criminals are profit-motivated and therefore launch their ransomware campaigns far and wide, using exploit kits available for purchase on the dark web. Nation-states, however, are politically-motivated, using cyberspace as an avenue of espionage requiring targeted and covert tactics, such as socially engineered spear-phishing hidden as legitimate functions for longevity in networks. Dmitri Alperovitch, the Chief Technology Officer at Crowdstrike, demonstrated these tactics while contrasting the different tradecraft used by Chinese and Russian hackers.

But while the differentiation between nation-state and criminal activity in cyberspace may be useful to a degree, the water muddies when discussing countries where the line between where government ends and organized crime begins is not clear. Ed Cabrera, the Chief Cybersecurity Officer at Trend Micro and former Chief Information Security Officer for the U.S. Secret Service, uses the Russian cybercrime ecosystem as an example, noting that criminal groups often operate with impunity from safe havens within Russia and neighboring Eastern Europe. This safe haven stems from the tacit consent of Russian officials if criminals at times act on their behalf as proxies or as an alternative source of income for corrupt government officials – whereby criminals commonly fluxgate between the different categories at different points in time. Based on their motivations at any given moment – greed or politics – hackers can alter their tactics accordingly. At the same time the use of criminal proxies by government officials further complicates what is an already challenging attribution process.

Terrorists Will Increasingly Turn to Cyberspace to Facilitate Attacks

While nation-states and criminal groups are the primary malicious actors in cyberspace at the moment, soon terrorist groups will bring their efforts onto the virtual battlefield as well. Cipher Brief expert Matt Olsen, the President of Business Development at IronNet Cybersecurity and former Director of the National Counterterrorism Center, highlighted the evolution of terrorists’ efforts online. Using ISIS as an example, Olsen argues that while much of the group’s activity online currently pertains to recruitment messaging, the distribution of know-how, and encrypted command and control, there is a move toward more disruptive attacks, such as hacking and leaking the identities of U.S. government personnel so that they may be targeted with violent attacks.

While nation-states have so far viewed destructive attacks on critical infrastructure as escalatory, Eddie Habibi and Jason Haward-Grau of PAS, maintain that countries still breach critical infrastructure networks to “prepare the battlefield” by establishing a presence as a mode of espionage, but also as a deterrence policy against attacks on their own critical systems. Unlike nation-states, Olsen notes, terrorists groups have no qualms over direct escalation – it is a central tenant of their strategy – making a push toward destructive attacks on critical infrastructure with physical consequences quite appealing to terrorists. Much of what is hindering terrorist groups from engaging in such activity is their lack of technical sophistication and resources, something that could be mitigated by outsourcing destructive cyber operations to criminal entities with such expertise.

While there have been major strides made in securing the critical networks, many vulnerabilities remain. Technical solutions can only mitigate the problem so far, and international norms in cyberspace are still in the early stages of development. As RSA has come to exemplify, securing cyberspace requires cooperation between government and private industry as neither can accomplish security alone. 

Levi Maxey is the cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13. For more of his coverage of the RSA conference, check out his dispatches from Day 1Day 2Day 3, and Day 4 of the conference.