A suspicious death related to a British spy. Accusations of treason. Arrests — including one, during a meeting, where the suspect was marched out with a bag over his head. Election interference and ‘Kompromat.’
These are some of the things that, while hanging in the air, weren’t mentioned in the Trump administration’s first cautious steps into managing the cyberworld this week.
Like almost everything in the cyber-spook world, the Trump Administration’s first step into computer security is now shrouded in mystery, intrigue and speculation.
Trump’s team trotted out a series of experts and officials on Tuesday — including former New York City Mayor Rudy Giuliani — at an event marking an executive order Trump planned to sign. It was to be a sign that Trump wanted to get tough on computer security.
Then, without explanation, the order signing was canceled, leaving cyber-folks to do what they often do best: Guess at what it all means.
On the surface, Trump’s executive order and the spy-novel-like intrigue happening in Russia’s cyberworld have nothing to do with each other. It’s hard not to connect them, however.
Here’s a quick scorecard to catch you up on what’s going on. Three, or possibly four, Russians with ties to law enforcement have been arrested and charged with treason. One suspect was grabbed at a meeting and had a bag thrown over his head in a clear show of force.
Another suspect, Ruslan Stoyanov, was a researcher at respected antivirus firm Kaspersky, and previously worked in Moscow’s cybercrime unit. He had stopped crime rings that were targeting Russian banks. I have been told he is accused of snooping on and sharing data with outside entities — perhaps the U.S., though that isn’t clear. My source requested anonymity, but others have confirmed that basic story.
Brian Krebs has painstaking amounts of additional detail on that here.
It’s easy to connect these arrests with the accusations of Russian meddling into U.S. elections, but there are other explanations. For one, Russian officials are upset that secret information keeps making its way to a blog called Shaltay Boltay (Humpty Dumpty) in Russia that’s a bit like Wikileaks.
Meanwhile, a former KGB official was found dead a few weeks ago in his car under mysterious circumstances. The man, Oleg Erovinkin, was reportedly a source for Christopher Steele, the former British spy who authored the notorious dossier of allegedly embarrassing information about President Trump.
When Trump assembled the folks who will be in charge of making U.S. computer systems safer, none of this came up.
On the surface, a draft version of the order that was widely shared showed it would primarily call for a 60-day review of the most critical U.S. networks, including military command and control systems. It also asked for a review of America’s cyber enemies; a review of computer security education; and asked for proposals to create incentives for private firms to improve their security.
It is unclear why the president didn’t sign the order as planned.
The draft order got, expectedly, mixed reviews from industry.
“What I like about it is that it creates a sense of urgency and seriousness that we really have to double down on security,” said Eric Geisa, vice president of products at Tempered Networks, discussing the draft order.
Morey Haber, vice president of technology at BeyondTrust, was far more critical.
“We already do all this (vulnerability assessment). The only difference is that it’s (to be) reported to the president,” he said. Prior to BeyondTrust, Haber spent 10 years as a contractor providing vulnerability assessment to the Department of Defense. “It ignores attack vectors that have actually been exploited before. It’s almost a knee-jerk reaction, similar to ban of certain countries for immigration.”
Haber pointed out that most hacks involve the human element, like an employee responding to a phishing email.
“We should be making sure the front doors are locked before we change the combination on the safe,” he said. “We are targeting the wrong things here. We do need to look at these things, but this is not typically how attacks have occurred. We should be targeting the lowest hanging fruit, like phishing emails, USB sticks left in parking lots.”
Perhaps because of this kind of feedback, the order was delayed. Or something entirely unrelated is the cause.
Geisa said this moment in time gives the administration an opportunity to succeed where others have failed.
“This isn’t something new. After the (Office of Personnel and Management) hack Obama signed an executive order…but what I’ve seen from the government in the past is you get high-level guidelines, but there isn’t a lot of of prescriptions. They might say you need to encryption, or example. Well, no kidding,” he said. “The time is now to get very specific.”
The Internet has suffered from a “fundamental flaw” since its earliest days, he said — the use of IP addresses to authenticate computers, which makes it easy for machines, and criminals, to lie about who they are. Changing that will require a very heavy-handed implementation of new protocols that define how computers talk to each other. Perhaps Trump’s administration could lead that charge, Geisa said.
On the other hand, it’s important to understand how different Internet security is from other kinds of security. The “weapons” of cyberspace are mainly controlled by civilians. Instead of bombs stored in silos that the government can secure, ‘cyber-bombs’ can be hacked servers, private computers, even webcams — as we all learned last year when an army of zombie webcams knocked a large portion of the Internet offline. They cannot be secured without massive efforts and cooperation by private industry.
And that brings us back to the Russian hacks. I’ve spent years attending international security conferences where the real work of rescuing the Internet happens. Naturally, private firms are reluctant to share information with government officials and with each other — many see this very expensive and difficult research as competitive advantage. Still, informal exchanges happen all the time. Secret cyberheros rescue us from digital doomsdays on a regular basis, in conversations we’ll never hear about or see in a press release. Often, these involve “hackers” with a past, who have spent time in the murky world between white and black hat. That’s precisely why they know what’s going on. But that can also make them very “shy” when speaking to law enforcement.
You can bet Russian cyber-experts are getting more shy by the minute. That hurts everyone except the criminals.
But it’s a good reminder of how hard U.S. officials must work to keep the information flowing between private industry and government workers fighting to keep our water dams and power grid safe. That’s going to take a lot more than an executive order.