AS OUTRAGE SWELLS over Russian hacks against Democratic targets throughout the presidential election, panic over Kremlin meddling has led to a form of short-term amnesia: To paraphrase Orwell’s 1984, “America is at cyberwar with Russia. America had always been at cyberwar with Russia.” It’s easy to forget, meanwhile, that as recently as last year China, not Russia, was America’s ultimate digital nemesis, and seemed like it always would be.
In fact, the last year has seen a little-discussed but dramatic drop in Chinese state-sponsored hacking, particularly for intrusions targeting private companies. As the US government searches for a response to Russia’s election-focused hacking both here and elsewhere, the cybersecurity consultants and government officials who have battled both countries’ state-sponsored hackers say that the recent China success story offers lessons about how to deter Russia’s attacks—and also that applying the same deterrence against Moscow won’t be easy.
Obama appears to be thinking the same. While Vice-President Biden’s recent promise to retaliate with “maximum impact” implies a digital counterstrike in the making, White House Homeland Security Advisor Lisa Monaco recently pointed to diplomatic success in stopping Chinese cyberattacks as a model for a response to Russia. “We will take action at a time and place of our choosing,” she told NPR in an interview. “We’ve done it with China,” Monaco added. “You’ll see us apply the same consistent framework with regard to Russia.”
In a press conference Friday, Obama himself alluded to that Chinese hacking response as a model as well. “The Chinese have, in the past, engaged in cyberattacks directed at our companies to steal trade secrets and proprietary technology,” Obama said. “I had to have the same conversation with President Xi. And what we’ve seen is some evidence that they have reduced, but not completely eliminated, these activities.”
Chinese Lessons
The US strategy in China was in many ways the polar opposite of a knee-jerk, hack-back approach. It was a years-long series of diplomatic and legal efforts, all aimed at curbing Beijing’s economic espionage. And according to security firms like FireEye and Crowdstrike, which have closely tracked state-sponsored intrusions and often served as remediation consultants called in after the hacks, those efforts worked. At the very least, they stemmed China’s hundreds of attacks on American private sector targets, if not its more traditional espionage against US government agencies.
In a report FireEye released last June, researchers documented the decline in monthly attacks by 72 Chinese hacker groups from more than 60 attacks per month for most of 2013 to five or fewer attacks in most months of 2016. (Shown in the graph below.) The company even blamed the disappearing Chinese attacks for a serious drop in its own revenue and stock price. Many of its customers were no longer being victimized.
Click to Open Overlay GalleryChinese hacker attacks over time. Credit: FireEye
Crowdstrike chief technology officer Dmitri Alperovitch says his company, which was the first to attribute the Democratic National Committee attacks to Russian government hackers, has seen a similar falloff in Chinese hacking incidents. Around 90 percent of the hundreds of China-sponsored attacks Crowdstrike monitored in earlier years disappeared 2016, he says. It’s unlikely, too, that the attacks have only become more sophisticated, and harder to detect. Alperovitch says the same methods seen previously are still used against some high-value government targets. He calls those Chinese hacking statistics “the biggest accomplishment we’ve had in the cyber domain in the last 30 years.”
That decline was achieved through two major moves by the US government since 2014. First, the US Department of Justice identified five Chinese men by name—all members of China’s People’s Liberation Army—and accused them of taking part in a series of intrusions of American companies, going so far as to issue criminal charges against them in absentia. Additionally, after the US threatened new trade sanctions against China for its hacking activities in 2015, Chinese President Xi Jinping and President Obama signed an agreement in that September in which both countries agreed not to hack the other’s private sector targets. With a few exceptions, China has since abided by that agreement, Alperovitch says.
We need to stop thinking of solving cyber problems purely through cyber means.DMITRI ALPEROVITCH, CROWDSTRIKE CTO
That happy outcome offers at least one lesson for America’s current quandary with Russian government hacking: “We need to stop thinking of solving cyber problems purely through cyber means,” Alperovitch says.”We need to think about the underlying problems that’s causing them. An appropriate response to economic attacks is economic: financial and trade sanctions.”
The US relationship with China, then, offers a template of how to curb some state-sponsored attacks. But Russia is not China, and the playbook may not tidily translate.
A Russian Puzzle
More than two months have passed since the Department of Homeland Security and the Office of the Director of National Intelligence stated unequivocally that the Russian government hacked US targets including the Democratic National Committee and the Democratic Congressional Campaign Committee. While Russian president Vladimir Putin has denied the allegations, and president-elect Trump has made repeated, evidence-free statements doubting the intelligence community’s conclusions, the FBI and ODNI have also reportedly agreed with the CIA’s assessment that the Kremlin’s explicit goal was to help elect Trump.
With Russia, sanctions don’t align with the actual activity taking place now.LAURA GALANTE - FIREEYE DIRECTOR OF GLOBAL INTELLIGENCE
Despite that intelligence community concurrence, no course of action has been publicly set. While the White House is rumored to have considered economic sanctions, that measure may not work as well in Russia’s case, says FireEye’s Director of Global Intelligence Laura Galante. The US recently sanctioned Russia following its invasion of Ukraine’s Crimea, and needs to preserve what relationship it has left to work toward peace in Syria, limitings its ability to play the sanctions card again. And unlike the case of China’s economic espionage, financial sanctions would be seen as an “asymmetric” financial response to a fundamentally political crime, Galante says. “For China, it made sense to say,’you’re stealing our IP so you can’t sell in our market,'” she says. “With Russia, sanctions don’t align with the actual activity taking place now.”
Obama himself told reporters Friday that additional sanctions may not be the answer. “We already have enormous numbers of sanctions against Russia,” he said. “How we approach an appropriate response that increases costs for them for behavior like this in the future but doesn’t create problems for us is worth taking the time to think through and figure out.”
Naming and indicting individual culprits, as the US Justice Department did with Chinese hackers in 2014, may not be the right approach to Russia either, Galante says. “The Russians are less affected by shame,” she says. “The Chinese felt incredibly demeaned by what happened with the indictment and that made it powerful. The Russians will just see it as continued Russophobia.”
A Way Forward
Applying the China model to Russia can still work, says Georgetown professor and ex-CIA counsel Catherine Lotrionte, in the sense that the US needs to find the legal and diplomatic buttons it can push to reach Russia’s leadership. “You have to make their lives unpleasant in some way,” she says. “You have to do something to show them this is not worth it.”
Lotrionte suggests highly targeted sanctions designed to hurt not the Russian economy but Putin himself, or his direct associates. And targeted trade sanctions could be combined with freezing Russian assets in American banks and denying travel to Putin’s inner circle. “Targeted sanctions can have positive results,” she says. “You’re not targeting companies. You’re targeting individuals. It could be people in government, it could be CEOs of companies…We have the legal authority to freeze assets and prohibit travel.”
The final option is what Lotrionte calls “covert action,” the more aggressive and immediate digital retaliation aimed at disruption that Biden hinted at in October. That could mean calling on American intelligence or military hackers to take down a Russian target’s computer systems, or even attack physical infrastructure, she says.
The danger of that approach is that it could lead to an uncontrolled tit-for-tat, warns Robert Knake, a fellow at the Council on Foreign Relations and a co-author of the book Cyberwar. “How do you gain escalation dominance over a weak Russia that doesn’t have that much to lose?” he asks. “They need to look down the path of escalating conflict and call ‘uncle.’ In my mind, that’s hard to play out.”
Whatever the answer, time is not on Obama’s side. The diplomatic response that worked in China took years to negotiate, Knake notes. Obama has 34 days left in office. And Trump’s soft stance on Russia—including comments that contradict his own intelligence briefings and attempt to cast doubt on the attacks’ Russian origin—mean whatever response the White House enacts likely won’t carry over into the next adminstration. If the US wants to replicate its Chinese win in Russia, it’ll have to do it quickly.
No comments:
Post a Comment