Understanding the cyber threat: defence, response, democracy
6 Feb 2017|

As Russia’s campaign to influence the US election falls out of the news cycle, it’s important to maintain a focus on the key lessons from the Democratic National Committee hack in order to understand what could’ve prevented it. The main takeaway is that any actor with enough resources and determination can compromise almost any system using an extraordinary range of tools (see here, here and here). The other is a fundamental change of thinking: total security is currently impossible to obtain and that there’s always a risk of your system being penetrated. With operations and data breaches increasingly being used to embarrass, extort and influence, there are several ways to better understand and manage the risk.

Nefarious actors waging information operations come from diverse backgrounds and have different agendas, from foreign governments and private enterprise to NGOs and lone actors. And sometimes they’ll “work” together, like when Russian military and domestic intelligence allegedly used a fake lone actor (Guccifer 2.0) to leak stolen government information to a real NGO (WikiLeaks). Hacker Andres Sepulveda and his team sold their services through private enterprises to political parties across Latin America seeking to infiltrate rivals and manipulate elections. Such examples highlight the complexity of information operations. To establish credibility or plausible deniability, the real mastermind may hide under many layers of intermediaries.

For those engaged in information warfare, the theft of data is one thing, but it’s getting the information out that’s key. For such operations to work effectively an adversary needs broad dissemination, acceptance of legitimacy and internalisation by the target audience. This was two-fold in the case of Russia’s influence campaign. First the perpetrators had to gain enough credibility to be picked up by mainstream US media, which was why WikiLeaks was used to get the word out. (A previous dissemination point, a website called DC Leaks, was set up in April but failed to gain traction.) WikiLeaks had the profile and produced the veneer of legitimacy needed for mainstream media sites to disseminate to the second audience, the US electorate. Internalisation—when your message or content is voluntarily used by actors within your target audience—occurred when Donald Trump used the leaked material during the second presidential debate to threaten Hillary Clinton with jail. The execution of this information loop helped Russia’s preferred candidate get elected. The operation was a success.

If the majority of media resources and effort go to covering the breach and the scoops found in the leaked data, then the adversary has “won” because they’ve reshaped the narrative. Government responses are then formed in reaction to the adversary’s information, allowing them to set the parameters of the game. Instead of investigating the source, the FBI chose to investigate the leaked information. It was only a month after the election that the White House ordered a separate investigation, which revealed the source as Russian intelligence.

When faced with information warfare on the scale of the DNC hack, focusing on the cause of the breach rather than the dissemination and exploitation of the stolen data is self-defeating. Inviting the foreign intelligence service to hack your country again is also counterproductive because it further legitimises the opponent and their narrative.

So, what to do? In terms of passive defence, network compartmentalisation and resiliency-building can reduce the amount and quality of data available, so decreasing the value of penetration. Building in network redundancy can also assist by keeping vital parts of the network away from attackers and reducing the time a network is down. Low-tech offset strategies, like using typewriters for sensitive communications, can also reduce exposure.

The other side is active defence. Having well-trained and well-resourced computer emergency response teams is crucial. The quicker they can detect, mitigate and neutralise the hack the less damage it can do in both the cyber and public relations realms. Forensic analysis of intrusions is also crucial in tracing the culprit, who can then be named and shamed to discredit their narrative.

These efforts are symbiotically attached to the need for much stronger strategic communications. Establishing a coherent, unified platform is crucial to reveal and defeat that narrative. Cyber units and the affected organisation must coordinate and deliver a unified message. The confusion around the Australian Census DDoS attack is an example of where this could have been applied. Attempts should also be made to create nuanced policies to deal with fake news, with several approaches being tried by countries and companies alike.

Discrediting or denying the adversary legitimacy is crucial to minimising the significance of an attack. Part of that relies on seeing the bigger picture and calling out intrusions for what they are. A breach represents a cyber-attack, but if the end goal of that attack is to destabilise an election or compromise an individual, it’s imperative that the scope of the attack be acknowledged transparently. This helps orientate discourse around the true intent of the malevolent actor. If their information can’t build traction, it’ll quickly be left behind as the news cycle moves on.

Focusing strategic efforts at the dissemination-end of information operations reduces the overall appeal of mounting an attack. A concerted response can form an implied deterrent which doesn’t risk escalation or miscalculation. If actors can’t produce the range or scale of effects they seek, their attacks are rendered impotent. With elections in France and Germany imminent it’s crucial we learn from attacks like this to tighten cyber security and protect democratic processes.