Twitter is releasing a trove of known accounts and posts that it says were used to meddle in U.S. elections dating back to 2016. According to the company, the data includes more than 4,600 accounts and more than 10 million tweets, photos, GIFs and broadcasts linked to Russia and Iran. Many of those tweets are associated with the Internet Research Agency, the Russian-linked organization that has been indicted by Special Counsel Robert Mueller in connection with election-related activities.
This comes as the U.S. is just weeks away from mid-term elections and to date, officials say there have been no substantive efforts to influence the vote in the way they saw in the 2016 Presidential election.
The risk of election meddling has been plaguing other nations as well. Cipher Brief CEO & Publisher Suzanne Kelly recently sat down with Cipher Brief expert David Omand, the former head of the UK's Government Communications Headquarters (GCHQ), to talk about how the UK is working with industry to protect itself against cyber threats and about how traditional Russian subversion techniques have easily migrated to the digital domain.
Omand: The Russians adopted a fairly aggressive international stance after the Soviet revolution, in order to promote their ideas, but also to protect them. It was largely a defensive mechanism, but to us, it comes across as extremely aggressive, because we're the target.
In 1968, Alexander Dubcek started a reform movement, almost a democratic movement, in then-Warsaw Pact Czechoslovakia. This really disturbed Moscow. Eventually, Yuri Andropov, who later became a Soviet leader but in those days was running the KGB, had the task of removing Dubcek from any position of political influence, and he used a classic set of subversive techniques to accomplish that task.
Basically, you have to intimidate your opponents so they take notice, you have to use propaganda, and then the third component is dirty tricks. And that was done by KGB officers dressed up as businessmen, tourists, students, making friends with and infiltrating Dubcek's reform movement and then producing discrediting evidence against him.
The U.S., like everyone else, was very surprised that Czechoslovakia was suddenly moving into a much more benign era. But the combination of these techniques foiled Dubcek. Now, if you fast forward, here we are in 2018, and exactly the same things are happening to Ukraine, where you have intimidation. In 1968, it was the threat of Soviet tanks invading Czechoslovakia. Today, the intimidation is to turn the lights out in Kiev with a cyber attack. In 1968, it was traditional media propaganda. Today, it's all the media stuff pumped out on the Internet by RT and Sputnik and social media. And the dirty tricks are now digital as well, so you hack into somebody’s e-mail account, you find some compromising e-mails - or you make it up – and you have fake news.
The Cipher Brief: And is that the evolution of what we’re seeing today? The next emails will be complete or partial forgeries meant to alter a certain perception?
Omand: Yes. So the traditional components of subversion are still there, except they're digital. They're easier to do. And as far as anyone can tell, the authorities in Moscow never paused, they're just translating their traditional approach - they would say - to safeguard their state, ensuring that there are countries around Russia that are aligned with Russia that are not going to join the West. But it's the same kind of technique. It's just that it's now so easy to do it digitally. And this is a big problem for us.
Sir David Omand, Former Director, GCHQ
Former Director of GCHQ (the UK Sigint Agency)
"How do you manage that kind of threat, when you can't even trust your own elections to be fair because somebody is messing around with the data, with the social media feeds and setting up fake websites? Part of the American population would have been looking at those websites thinking it was a genuine U.S. political movement, but it wasn't. It was a fake."
The Cipher Brief: How should the U.S., the U.K. and other countries be thinking about retaliating against these kinds of activities?
Omand: This is a classic moment where you need a strategy that has components designed to reduce the likelihood of bad things happening, reduce their impact, reduce your vulnerability, and you need a combination of all of those things in order to persuade countries like Russia that this is not a sensible approach. Whether retaliation is right, or whether it's more a question of deterrence, you leave the threat unspoken but with a clear sense that there will be repercussions. Simply retaliating may well just lead to them writing it off and saying ‘Right, we'll do it again’, so you need to reduce the likelihood with some form of deterrent messaging. Then you need to reduce vulnerability. And the key vulnerability is the gullibility of people. So you need a major effort in education, probably starting with children in school, to be more cyber aware, to be aware that not everything you see on social media is going to be true. To be more discriminating, teaching critical thinking and having websites that are reliable.
You can reduce vulnerability by getting the tech companies to remove stuff which is obviously fake. You can get the domain name authorities to start removing some of the fake web sites as soon as they're identified so the public is protected from those.
People see a lot of the mystique around this, but once you've explained what was going on, say during the 2016 U.S. presidential election, it loses a lot of its power. Part of that, I think, lies with the media. They say sunlight is the best disinfectant.
The Cipher Brief: So a greater premium needs to be placed on educating the public?
Omand: Yes. I get slightly worried when the U.S. President decries expertise and calls some of the media ‘fake news’, because we need the media. One of the most powerful forces is the investigative media, provided it's responsible and doesn't do irresponsible things. You need all of these things in order to produce a strategic defense against what Russia is today. We talk a lot about Russia, but other countries are capable of doing this, too. China will be doing this in its region of interest, I'm quite sure. And other countries will get into this game.
The Cipher Brief: What role does GCHQ play in this and what are the best lessons learned?
Omand: In the UK, we've taken a very brave step by setting up a National Cyber Security Centre. We opened an office in the center of London. Businesses can walk in with their problems, they can discuss them, but the NCSC also says it's proudly part of GCHQ, which is the British equivalent of the National Security Agency. So the NCSC has access to the technical expertise and the intelligence that a digital intelligence agency has. But the National Cyber Security Centre's remit is to make the UK a safe place to do business and to protect the public from the evils of cyber space.
The setting up of this agency was a recognition that the previous business model of cyber security had failed. It was not delivering as everyone thought it might.

It was essentially a market-based model, where cyber security companies, eminent companies, would be able to develop products and services which would deal with the major problems in cyber security, but it wasn't working. Partly because the solutions were too expensive for the small and medium-sized companies, and the bad guys were beginning to attack supply chains. And even when the major corporations made themselves very secure, they weren't really secure because their suppliers and services had vulnerabilities. The public was still very vulnerable to even quite a low technological level of malware, and government was very vulnerable to attempts to attack it for fraud and purely criminal activity. Then the Internet of Things was another big push, where the commercial incentive to make these devices (internet-enabled toasters or kettles or children's toys or garage doors or whatever it might be) secure didn't exist, because they still work even though they could also be used as a giant botnet that could deny service to, say, a bank.
So, put all of this together and the UK decided we needed a different approach that you can manage in a country the size of the UK. If you're dealing with the United States, it's orders of magnitude more difficult and complicated. There are more actors and the political climate is rather different.
Over here, businesses are used to getting advice from government, for example on counter-terrorism and on security, all the way back to the Irish terrorism days, and businesses regard government as a reliable source of information on security.
The Cipher Brief: Trust is a big factor?
Omand: Yes. There is that level of trust. For example, in the finance sector, which is probably the most developed area over here, there are high levels of sharing of information about breaches and malware and all the rest of it confidentially, but with government then able to support critical infrastructure, including finance, with information. So having that as background is one of the reasons why it's easier to do it here. But the key step here was to adopt active cyber defence like they've started, for example, with the .gov domains. So British government departments and agencies all use .gov, not UK. And what has been achieved is the cleaning up, through the DNS system, of a great deal of the harm which is lurking, the fake websites where people are enticed into thinking they're connecting with government. And by cleaning up a lot of the malware, the citizens' transactions with government are now much more secure.
They've taken the fact-based approach and they have demonstrated that this active defence, rather than sitting passively and saying to the users, 'You've got to get yourself secure', simply giving out instant advice and helpful tips, has not delivered yet. You still need the advice, but it hasn't delivered, so an active approach is necessary. And if this can be shown to work, then you have to ask, 'Can you then extend this to other parts of the economy?' This is not going to stop the advanced persistent threat actor, but it means that the cyber security, the information officers and cyber security officers, can spend their time on serious threats rather than having to deal with a lot of very low-level criminal activity.