Back in August, The Cipher Brief sat down with Leo Taddeo, Chief Security Officer for Cryptzone, to discuss the cyber threats posed by Russia and China. While China primarily uses its cyber collection capabilities “to compete on an economic level,” Russia places a greater “emphasis on collecting military and diplomatic information,” says Taddeo. As we move into 2017, Russia and China will continue to use their cyber capabilities to influence U.S. policy, both at home and abroad.
The Cipher Brief: How would you characterize Russian and Chinese cyber capabilities?
Leo Taddeo: Starting with the Chinese, the hallmark of Chinese cyber collection capability is to enable their State Owned Enterprises (SOEs) to compete on an economic level. We see a lot of network intrusions and extrications of intellectual property (IP). That’s a hallmark of Chinese hacking groups, particularly 61398, which, as you know, was the subject of an indictment in the western district of Pennsylvania, where there was hacking into U.S. Steel, Westinghouse, and others.
So that is emblematic of the Chinese hacking effort. If you take a look at their economic plan, many of their hacking groups are aligned to collect the kind of IP and business technology that will enhance the key activities that they need to grow their economy.
The Russians have a slightly different emphasis. They are also interested in business information that will assist their competitive standing in the world, but the Russians have a great emphasis on collecting military and diplomatic information as well. They have put significant talent and resources into targeting U.S. government networks to collect the kind of diplomatic information that would give them an advantage in negotiations or strategic decisions that they make in trying to predict U.S. strategic positions and decisions.
While both of them are engaged in both types of activity, I think the emphasis on the Russians is on diplomatic and military information and the emphasis for the Chinese is on business information.
TCB: A recent FireEye report indicates the Chinese are abiding by the agreement between U.S. President Barack Obama and Chinese President Xi Jinping last September. What do you make of the findings of that report? Do you think this is indicative of a long-term trend?
LT: It’s interesting on its face. If you can point to reliable evidence that the Chinese are reducing their activity, then that’s a good thing. But remember that the Chinese have been known to use infrastructure from other countries in their attacks. It’s hard to know whether they have just modified their tactics so that they’re harder to detect. It’s good that the visible part of what they’re doing has decreased, but it’s hard to know what we don’t know, which remains an open question.
Second, this may be a temporary pause, because there has been significant attention paid to the issue and because of Obama’s emphasis on this to President Xi. The Chinese have a long view of their economy and their relationship with the United States, and it would not be rational to jeopardize ongoing trade talks or sensitive discussions about the South China Sea at the same time that they’re being accused of continuing to hack into sensitive U.S. networks. The Chinese are making a very smart play in terms of changing tactics to make them less visible or pausing so that cyber is not a topic of discussion during these other sensitive discussions.
The bottom line is that cyber has been an effective tool for the Chinese in terms of being able to gain access to IP and business information to grow their economy, and I don’t think they’re going to easily give that up. I also don’t think they can easily repurpose all of the cyber talent that they are developing so that it is used for another reason. All of that investment, and all that benefit, will be reactivated at some point.
TCB: Jumping to the Russians, there was the Democratic National Convention (DNC) hack and subsequent release of a lot of that information on WikiLeaks. How do you see Russian cyber activities continuing to influence the rest of this electoral cycle?
LT: The great unknown is what other information may have been exfiltrated, not only from the DNC but also from Hillary Clinton’s campaign – which we know was hacked – and potentially from Hillary Clinton’s private email server, which the head of the FBI said could have been hacked. We – being the U.S. government and the FBI – weren’t able to confirm that Clinton’s private email server was not hacked. That said, there may be some other information in the hands of Russian intelligence services that could potentially sway public opinion about Hillary Clinton’s viability as President and her electability.
How this all plays into Russia’s geopolitical strategy is the most interesting question. We’ve heard some pundits, and even the Clinton campaign, claim that this is an effort to help Donald Trump get elected. I really don’t see it that way. I see it slightly differently in that the Russians are very keen on influencing U.S. policy in Eastern Europe, meaning NATO bases and advanced anti-missile radar.
I believe the Russian motive is to influence Hillary Clinton, knowing that she is the most likely candidate for President. What they were doing is something similar to what they did to President Obama in 2012. If you remember, in 2012, Obama was caught in an open-microphone gaffe in a conversation with then-Russian President Dmitry Medvedev. And what he said to Medvedev, and what was caught on open mic, was in reference to the missile issue in Eastern Europe. He said to Medvedev, “if you give me some space, I will show some flexibility.” It was the run-up to the election and he was signaling to the Russians that, during an election cycle, the candidate had some flexibility based on Russia’s position.
It’s not new that Russia has a hand in influencing a U.S. election. We saw that in a candid moment that Obama had with Medvedev. The Russians know this, they’ve known it, and are prepared to use that tactic again by signaling to Hillary Clinton that if she shows some flexibility as president, or at least signals that she will, then perhaps whatever the Russians might have won’t be used in the run-up to her election. In other words, her campaign will run without any further releases of information if she signals that she is flexible.
Now I’m not saying Hillary Clinton will be flexible. Her integrity is her own, and whether she decides to negotiate with the Russians or not, either through open channels or through covert channels, is a great unknown. What I’m saying is that I believe the Russians are tactfully signaling to Hillary Clinton that they can make her life very difficult and they would like her to come to the negotiating table, or at least signal that she understands what cards they have to play.
TCB: The issue of attribution is considerably murkier when it comes to cyber versus traditional kinetic operations, and this makes deterrence harder. How would you characterize our ability to properly attribute attacks to their sponsors, and the effect that has on our ability to deter this kind of activity?
LT: We are certainly much better than we were five years ago. Today, we have better coordination between different agencies so that different pieces of the puzzle – between NSA, CIA, FBI, for example – can be put together. The picture is now more complete and more confidence can be placed on the attribution that we make. But more work needs to be done. We need to work closer with foreign allies, do better monitoring, develop better forensics capability, and grow our cyber workforce so that we can create a more robust system to collect and analyze.
You put your finger right on the problem, and that is one of the key components to deterrence: that they won’t go unpunished, that they will be detected and called out on a cyber attack.
That is something that we have effectively done with the indictment in the western district of Pennsylvania against the Chinese and against the Iranians for the attempted hack of the Bowman dam in New York.
We do that effectively, not only with public U.S. disclosures and indictments from the administration, but also with private enterprise here in the United States. Companies like FireEye and Crowdstrike are very effective and can act as a channel for what the U.S. government can’t officially say. These things together are keeping the adversary guessing.
The problem is that this is a cyber arms race, and as good as we are at keeping them guessing, our adversaries are continuing to get in front of us. It’s a cat-and-mouse game, and as such, is creating a supermarket for cyber tools and cyber defenses.
TCB: Where do you see state-level interactions between the United States and its key adversaries headed in the next few years?
LT: Things are going to get worse before they get better. Cyber is an asymmetric weapon that our adversaries are keen to develop and deploy. On a state-to-state level, we are not going to convince our adversaries to stop using cyber as a tool and a weapon, especially not the Russians. They seem to be the breakout Advanced Persistent Threat (APT) of 2016, and as tensions rise, that is going to continue. Again, I’m going to point back to what I think is the main concern for the Russians, and that is the expansion of NATO. Not only NATO’s physical bases, but, most important for the Russians, the U.S. anti-missile defenses that are being put up in places like Poland and Romania. And they have specifically stated that they see this as a threat that will not go unanswered.
Now the Russians, being statesmen, don’t want to have a physical shooting war with the United States in Europe, so they will continue to create pain points to influence policy here and in Europe. One of the ways to do that without physical destruction and without a cost in human lives is to use cyber. Therefore, it’s natural that the Russians are going to escalate the use of cyber in their efforts to convince us that we should not continue the expansion toward their borders.
In terms of the Chinese, I think that the contest over the South China Sea is going to continue. This is not a problem that’s going to go away. Cyber is another tool that we will see China use against adversaries like Vietnam, Japan, and the Philippines. In order to predict the Chinese doctrine and how they use cyber as a tool, the U.S. just has to read the front pages, because we’ll see Chinese proxies – patriotic or directly sponsored – acting against countries that don’t have the kind of cyber defenses that the United States does.
The purpose of attacking the Philippines with a cyber tool is to signal to the U.S. that China has this capability and will use it, and also to signal to the Philippines that this is the price they will have to pay and that the U.S. cannot protect them effectively from this kind of attack. Imagine the Philippines feeling secure because the U.S. Seventh Fleet is protecting its shoreline, but it is ineffective in defending the country’s IT infrastructure. This is a way for the Chinese to send a message to the Philippines, to raise the cost for the Philippines to pursue this strategy, and at the same time avoid the costs of a direct retaliation from the U.S.