I’ve noticed a trend. Namely, that individual political inclinations – and the reservations that we have talking about politics for fear of treading on those inclinations – are having a “chilling effect” on accurate and thorough discussions in the community about adversaries and their tradecraft. At least this seems to be true as it pertains to election interference discussions specifically.
Now, I can’t go into specifics, but I’ve been a party to at least a few conversations now where organizations or individuals have said that they can’t or won’t publicly discuss anything about election interference because of the political sensitivity of such as discussion and the blowback that it would create. I think this is bad for the security research community overall — and really bad when it comes to preparedness for future cyberwarfare attacks.
As an example of what I mean, check out this recent article over at the Register entitled “Just so we’re all clear on this: Russia hacked the French elections, US Republicans and Dems“. Now, if you read the “TheReg”, you’re probably not surprised by the tongue-in-cheek, purposefully provocative title. The article itself is about connections between election interference (in the US and France) and Russia. Is it going to rock your world? Probably not. But take a look at the comments area. Vitriol ramps up quickly, but what really struck me was the number of people citing lack of evidence for the conclusion that some nation-state threat actor (e.g. Russia) was involved in electoral interference. And that’s bad because it’s going to happen again. We need to be ready – no matter what party, politician, country, or creed is impacted. The literal definition of cyberwar is, “the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes.” Ergo, election interference is, by definition, cyberwarfare. Why are we not preparing for that? Because we’re scared of people getting upset? Screw that.
Here’s what I mean. Would blowback like this happen if for example the Register published an article entitled, “Just so we’re clear, Russian criminal created and ran a massive botnet” (in reference to the Kelihos botnet that we now know was orchestrated by a Russian criminal)? Would there be even a tenth of the comments? Any denial that it happened in the first place? No, right? In fact, in the case of electoral interference, it seems to me that we have relatively more confidence about this than we do in the botnet example. For the botnet, we have law enforcement telling us that it happened. Over the course of analyzing security attacks and tradecraft for two decades, I’ve seen law enforcement make it’s share of mistakes. But in the case of electoral interference, the intelligence community (via the NSA) has confirmed Russian interference in the French election — the DNI has confirmed it for the US. So as far as the US Intelligence community is concerned, it happened. I’ve seen the intelligence community make fewer mistakes over the course of the years – at least in re: analyzing tradecraft – relative to law enforcement. I won’t say it doesn’t happen, but usually by the time they’re done measuring twice and cutting once, what they conclude about this stuff tends to be pretty accurate. Note that for the purposes of this discussion, I’m discounting the speculation that the entire US intelligence community has been compromised and are thereby untrustworthy themselves (i.e. the “They Live” scenario).
So this is a problem. Because we need to be ready when it happens again. We need to be ready for when it gets even more subtle, more automated, more sophisticated, and much harder to detect. What we’ve seen recently so far is basically the DDoS of election interference – the most blunt, hardest-hitting, least subtle type of attack. What’s happens when someone develops the APT of election interference? Something more subtle that acts well below the radar.
Everybody gets all fired up about critical infrastructure – and why shouldn’t they because of the seriousness that an attack against critical infrastructure can have – but election or other political interference is every bit as much a viable cyberwarfare tactic as attacks against critical infrastructure are. We need to be able to openly discuss it when it happens without being scared off because of the political implications. We need to use those discussions to fuel policy, to educate politicians and citizens, and to prepare. Regardless of what your political party is – we need to address this head on. Because it will happen again. And it will be worse when it does.