3 October 2016

America Must Decide How To Act After Russian Election Hacks

By JOHN QUIGG

What are we going to do about the Russian hacks that have wrought havoc across the entire political spectrum and are rapidly shifting from being an embarrassment to, possibly, being strategically crippling? The body count of ruined careers aside, sizeable harm is being done to our political process, and there is a likely intelligence loss as foreign actors rummage through the personal and aliased emails of our leadership.

If recent history is a guide the answer was — and remains — not much.

Defense Secretary Ash Carter recently declared that America “will not ignore attempts to interfere with our democratic processes,” pointing straight at Vladimir Putin’s Russia, which almost everyone believes hacked the Democratic National Committee’s computers with an eye on influencing the presidential election. Carter went further, calling out Putin’s state: “The choice is Russia’s to make, and the consequences will be its responsibility.” Stirring words, but they raise the question: What are the consequences?

This is not a Teddy Roosevelt “speak softly and carry a big stick” moment. This is a “speak softly, talk about a big stick, not sure how the decision gets made to use it” moment. Heck, while we are at it, we can’t even figure out who’s on first when it comes to wielding said stick. This observation is not meant to disparage Secretary Carter’s initiative. It is essential that Carter put his weight behind coming up with a response. But he is not the sole steward of the response process. The government as a whole is organizationally sclerotic and scattershot in this area. No single entity or individual is operationally charged with America’s response in the event of a cyber-attack on the homeland.

Let’s postulate that we have a hanging-chad moment in the upcoming election because some voting machines are proven to be compromised. Then narrow the scenario and say that a Russian did it (forget trying to officially pin it on their government; there will be a conveniently disposable fall guy). Further imagine that we know who did it and where they are located. So what? Forget all the hoohah and legal challenges. The disruption to the government would make Bush v. Gore look like a middle school debate, and it would debilitate the response by distracting national leadership.

So let’s focus on who has to do what in response. Who is in charge? Let’s look at the shards of responsibility in the event of an attack:

If the hacks take place in a state voting booth, then the state attorneys general have jurisdiction, don’t they?

If it’s a disruption of the federal electoral process doesn’t the Federal Election Commission have purview?

If we call it a crime and it takes place in the US then it goes to the FBI, right? Justice? Department of Homeland Security? All three at once?

If it’s a foreign relations problem it needs to be coordinated by the State Department.

If it’s an attack on the homeland, then it would be NORTHCOM’s mission.

If it originated in Europe and we decide to break down doors to bring the villains to justice, then it belongs in the EUCOM bailiwick.

If it is a cyber strike, then many say the National Security Agency has to deal with it, but Cyber Command has cyber in its name, so…

On and on the permutations go. There are any number of three-letter agencies, military units, federal and law enforcement actors that would have a stake in finding and fixing what happened. Let’s give thanks our government has a clear plan and knows who has lead and who provides support. OK, I’m just kidding. If the cyber ball goes up I can scarcely imagine the thrashing as the government puts together response actions.

Just about every entity on the above list thinks it should be the lead, and there are few precoordinated processes to assign roles and responsibilities. Furthermore, there is no clear stick to be wielded to deter an opponent. Up until now there has been a remarkably low opportunity cost for making mischief in cyberspace. Hopefully, Secretary Carter’s statement marks a sea change in our national position. A response in kind would be ineffective: I doubt the kinds of nations perpetrating this hack much care whether we try to influence an election that offers only one candidate. All of the elements of national power have to be aligned and tested before an attack like this, because it will happen at machine speed, paralyze our government, and leave us without the luxury of time to formulate a response.

Recent news yields a pressing example. Two years ago a foreign actor pulled 500 million account records from Yahoo!, a theft that was finally noticed (or at least announced) last week. If it was the Chinese, this means they were doing it at the same time as several other wildly public breaches they perpetrated. They already possess enormous amounts of health information from Anthem, Blue Cross, Blue Shield, etc., as well as details on everyone employed by the federal government in living memory (courtesy of the OPM hack), and even more on everyone alive who ever held a security clearance.

This means the Chinese can cross-reference all of the above with the personal emails of anyone who had a compromised Yahoo! account. Yahoo!’s user base is global and many people hold several accounts, so 500 million is far more than our population; it means the haul also includes the throwaway and pseudonymous identities used for Ashley Madison accounts, cyberstalking, etc. This enables the correlation of a cyber persona (the online you) with exploitable foibles, a spymaster’s bonanza, which can be used to recruit or impersonate a target and to exploit the target’s trust relationships (think Sidney Blumenthal’s account). The compromise matters even more when we consider the harm done by the exploitation of the private accounts our senior leaders use when they think those accounts will escape the notice of a hostile actor, foreign or domestic. Two years after the fact we have yet to respond, and there is little likelihood that we will. I can only hope that we are doing some of the same to them.

The first step on the road to fortifying our cyber border HAS to be a no-holds-barred series of exercises (akin to the famous Louisiana Maneuvers of 1941) to identify the worst gaps and map out roles and responsibilities for these situations. These would enable the development of a series of options ranging from the classic “do nothing” to sending kinetic forces in to “capture/blow up the flag.” Until these potential responses are fleshed out and strategically resourced, it is entirely unclear whether DHS, the Defense Department, or the District Attorney for King County would be first, second, or even third at bat in a response.

A second, parallel step must be the hardening of governmental (federal/state/local) networks, as well as limiting their use to official functions and traffic. Too many vulnerabilities are exposed by the sprawl of software, hardware, and network configurations (collectively, the attack surface) and by the disparities in security posture between organizations that operate on the same networks. In this environment your vulnerability becomes mine: a shared network is only as secure as its weakest link.

The third is to put a huge effort into assuring trust and identity. Why? The Chinese plundering of our national healthcare information, combined with the OPM hack (everyone who has served in the federal government and is still alive) and the security clearance database (every person who ever held a position of special sensitivity), means that Chinese actors can masquerade online as a trusted individual with the answers to all the security questions (what is your mother’s maiden name, where was your father born, what high school did you attend, etc.). If I’m going to hack into the election system, it is helpful to assume the online persona and ID of the tech or manager with the keys. The horses are already out of the cyber stable on our personas, so we will have to mitigate that by ensuring that the cyber “you” is the real “you.” In practice that means retiring knowledge-based authentication, whose “secrets” now sit in the adversary’s database, in favor of factors an attacker cannot reconstruct from stolen records, such as hardware tokens. That requires a complex combination of technology and processes reinforced by compliance and legislation.

We are living in a time when Iranian boats, Russian pilots and Chinese airplane stairs (President Obama’s treatment when he visited the G-20) are pushing the boundaries of what we will tolerate, in order to learn how we will respond both tactically and strategically. Our allies are watching closely to gauge how much they can rely on American force of arms as a backstop against aggression. It is highly likely, given the publicly known penetrations, that hostile spy agencies are watching our leaders’ reactions from cyberspace to coordinate runs right up to our red lines that break off before we “go kinetic.” It is the eleventh hour before a major event goes critical as a result of cyber-facilitated mischief, and we must, at minimum, know and practice our cyber responses.

John Quigg, a retired Army lieutenant colonel, was one of America’s first cyber warriors. He now works for Spurrier Capital Partners, a New York investment bank.
