To Understand Today's Cyber War Study Cold War Spycraft
High tech attacks on our democracy are based on strategy and tactics straight out of a spy thriller.
Have state-sponsored hackers been spending nights reading Cold War spy novelists like John Le Carré? It sure seems that way. Because those classic espionage techniques are being reinvented as the latest strategies to compromise Western democracies.
Take the recent reports on Russia’s attack on a U.S. company that provides voting support and systems to local election offices. According to these reports, Russian-sponsored hackers made their way into the company system by sending phishing emails to local officials. They hoped they were naïve enough to open the emails, which would have introduced malware into the voting infrastructure.
This “weakest link” approach is similar to how the KGB during the Cold War attempted to penetrate “target installations” to compromise vulnerable Americans. (There was reportedly a KGB playbook on recruiting Americans that explains their strategy.)
So if we want to look forward and secure ourselves from hacking, we should look backward at how old-school spy-craft is being applied to new-school cyber-craft. The principles have not changed. In fact, we are at greater risk now that sophisticated algorithms, artificial intelligence and other cutting-edge technologies are moving spy-craft to a new, almost super-human level.
Here are some striking parallels between the Cold War and the Cyber Wars -- and some tools and tactics you can adopt to defend yourself.
1. Handlers haven’t gone away.
Old-School Spy-craft: In the good old days, the CIA and KGB’s operatives -- spies, moles, and other agents -- penetrated key organizations and stole crucial information. Shrewd handlers trained those spies, or “assets” to go undercover, penetrate their targets surreptitiously and assess the most essential information to pursue.
New-School Cyber-craft: There are still asset-controlling handlers -- we call these handlers “state sponsors” and their assets “threat actors” -- whose missions include penetrating strategic targets like governmental institutions, enterprise databases and even critical infrastructure. Cyber-oriented military units as well as state-sponsored groups of hackers hired by governments are controlled by these malicious puppeteers.
2. HUMINT-- Modelling our modern spies.
Old-School Spy-craft: Espionage 101 teaches spies to identify the sources of information that their government needs, and scoop them up faster than you can say “undercover agent wearing trench coat.”
Once successfully immersed in the right community, the spies often remain silent (sleeper agents), biding their time until receiving the order from their handlers to strike. These embedded agents avoid communication with their handlers for long periods of time so as not to arouse suspicion. This requires significant training and “Bourne”-like self-sufficiency -- both physical and emotional.
New-School Cyber-craft: Like human spies, self-sufficient malware can be trained to enter surreptitiously into protected systems and search for specific information that fits the spy’s Modus Operandi, while blending into the scenery -- or, on the contrary, “hiding in plain sight.”
Self-sufficient malware, like the spies of old, must also be able to overcome well-engineered sequences of security traps deployed to block their outbound communication. The more self-sufficient the malware, the more successful. While their old-school human counterparts had their own booze-and-caffeine fueled limits, unlike real people, bots never get burned out. And real spies didn’t have Artificial Intelligence to sift through a vast tonnage of communications and unstructured data, including phone conversations, emails and key data banks, automatically understanding context like humans do and identifying the relevant data they need.
The recent DNC hacks are a textbook example -- the sensitive emails were exposed to the outside world by self-sufficient malware that patiently lingered on the inside of DNC servers for almost a year, silently collecting information… until the right moment.
Related: The Worst Hacks of 2017 -- So Far
3. Double agents: Trust is a slippery thing.
Old-School Spy-craft: Handlers sent their most skilled agents into target-rich networks, such as an intelligence agency, to zero in on whoever on the inside had access to the most classified information and was vulnerable to being flipped into a double agent. Often it was someone with a weakness that made them susceptible to compromise -- affairs, a drinking problem, gambling debts, etc. This was a classic tactic employed by the KGB and other intelligence agencies during the Cold War.
New-School Cyber-craft: In today’s world, insiders can turn against their employers, becoming the cyber equivalent of double agents. When you wreak havoc from within, you eliminate the need to penetrate well-protected, or even “air gapped” systems (those disconnected from the internet). Edward Snowden is the perfect example of an insider threat who became a very real one. Many companies fixated on outside threats overlook the hazards within.
Defending against new-school cybercraft.
It’s much more affordable to mount a cyberattack than invest in building a spy operation. That makes it easier for nations and organizations least expected to join in this newfangled cyber battle. With the barrier to entry so low, it is essential that we re-engineer our thinking to defend against new-school cyber-craft. Here are five ways to think differently:
1. Revert to methods of previous eras.
There are methods that seem antiquated but are un-hackable. The Dutch government, for example, has announced that it is returning to hand counting its ballots amidst fears of cyberattacks during elections. And super-sensitive conversations are best handled in-person.
2. Increase utilization of data encryption.
These methods have existed for years, but typically have not been used on personal computers and phones because they slow them down and can require additional integration. The risk of cyber threats counters those objections. Institutions must widen their definition of “critical infrastructure” to include data encryption both in data centers and on PCs of key political and business figures.
3. Smarter anti-malware.
Much as sophisticated counterintelligence units ferret out moles in intelligence organizations, we need smarter anti-malware software -- such as tools that can sniff out concealed AI capabilities in software –- that can be “trained” to hunt self-sufficient bots.
4. Behavior analytics.
Intelligence agencies have internal measures used to identify double agents. It's time to acccelerate deployment of network and identity behavior analytics able to identify insiders (i.e. employees and contractors) acting in strange and anomalous fashions. Someone who suddenly shows up on a Sunday night to download files is the equivalent of a mid-level intelligence agent who is suddenly driving a BMW and buying a vacation home.
Organizations should collaborate by exchanging threat information (TTPs) and knowledge about the threat actors behind them, so they can proactively implement more targeted security measures.
To protect ourselves from clear and present dangers, we must go back to the future. Today’s security strategists would be well-advised to look to the ways of the past and adapt their lessons to cyber-security of today to create a safer tomorrow.