On the Limits of Collaboration

Musings on a hypothetical Russia-US Cyber Unit

Elliot Dellys
Hive Intelligence
Jul 12, 2017


Disclaimer: Hivint supports collaboration on cyber security and free and open discussion; the opinions expressed in this article, political or otherwise, are representative of those of the author alone.

“[A bilateral cyber working group] tacitly adopts the fiction that the Russians are a constructive partner on the subject instead of the worst actor on the world stage.” — Adam Schiff

President Trump may have already shot down his own idea by saying it “can’t happen”, but Schiffesque hyperbole aside, the concept of Russia-US collaboration on cyber security really got me thinking. My inner monologues typically play out like some sort of Platonic play, with the idealist on the left and the cynic on the right, duking it out for supremacy of my inner theatre. Unfortunately, from the outset, this one felt it was going the way of the Apology and not just because of the inevitable glass of hemlock. Being a glass-half-full person, let me begin with the idealist.

Firstly, having first-hand experience of the G20 in 2014, I am frankly surprised that something so contentious and unconventional eventuated from Hamburg in the first place (not that the Brisbane summit’s target of an additional 2 per cent GDP growth over four years wasn’t Earth shattering, mind you). Unpredictable is probably the most reliable adjective for Trump’s presidency, but to see cyber security collaboration in any form stealing the spotlight from an otherwise dry and staged economic forum was actually quite satisfying. 2017 has been a big year for elevating an industry that has historically fought the stigma of a nuisance or tick-box exercise, and the announcement of a Russia-US cyber working group felt like the epitome of that trend.

We recently passed the 1-year mark for Australia’s Cyber Security Strategy and its greatest shortfalls, in my humble opinion, have been its inability to clarify the vague goals that were initially set, address the skills shortage, and nurture meaningful information sharing. Even if the bilateral working group was, as Chris Finan put it, “strategic idiocy”, it was not lacking in these three areas. Its goal was to put aside differences and collaborate for the common good; tap into a previously out-of-bounds talent pool with a unique and different perspective of the issues; and engage in a form of information sharing that is as innovative as any you’ll come across, short of a treason charge.

The sharing of potentially sensitive information with an adversary also has the capacity to make each paradoxically more secure: the closer you are to your adversary, the better you understand them, and the better equipped you can be for if and when things turn sour (insert hackneyed Sun Tzu quote here). While the actual capacity for technical collaboration and the value of understanding one another’s TTPs is up for debate, there is a time-tested benefit to having your primary aggressor in the seat next to you. It is easier to soothe anxiety, avoid miscommunication and bridge cultural and diplomatic rifts when you can look someone in the eye.

Essentially, if you can trust the fox there’s no better guard for the henhouse. Of course, there is a chance that the fox could turn, but it might still be worth losing a chicken or two to try — we have tried the no dialogue, behind-the-veil approach, so what harm is there in giving collaboration a chance? Let’s be straight: both parties would come to the table very cautiously and on full-alert so this probably wouldn’t be the lowest risk environment for espionage.

Besides, a lack of cooperation never stopped both parties collecting intelligence on each other before, so what’s new? Manage the risk and move on. But most significantly, let’s just imagine it worked. The capacity for capability development and meaningful action against online criminal behaviour would be incredible — two sides of the world with a jaw-dropping collective cyber arsenal, holding hands in a commitment to protecting their citizens from the mutual threat of online criminals, terrorists and extortionists. Singing Good Morning Starshine and strumming soothing summer rhythms on their Rickenbackers. And this is where my inner cynic pipes up.

It sounds all very idealistic, doesn’t it? Assuming the enormous logistical beasts that are government bureaucracy and multilateral cooperation gracefully stepped aside, what on earth would the analysts in this unit look at? Anything with any conceivable nation state backing is almost immediately out of the picture; anything potentially jeopardising diplomatic relations, write that off. Information which, if shared, might harm the profitability of a US or Russian company? No way. It reminds me of the final lines of my favourite Yes Minister episode:

James Hacker: How am I going to explain the missing documents to “The Mail”?

Sir Humphrey Appleby: Well, this is what we normally do in circumstances like these.

James Hacker: [reads memo] This file contains the complete set of papers, except for a number of secret documents, a few others which are part of still active files, some correspondence lost in the floods of 1967, some records which went astray in the move to London and others when the War Office was incorporated in the Ministry of Defence, and the normal withdrawal of papers whose publication could give grounds for an action for libel or breach of confidence or cause embarrassment to friendly governments.

James Hacker: That’s pretty comprehensive. How many does that normally leave for them to look at? How many does it actually leave? About a hundred?… Fifty?… Ten?… Five?… Four?… Three?… Two?… One?… Zero?

Sir Humphrey Appleby: Yes, Minister.

That’s not to say that the unit couldn’t be established and each staff member given a full workload — working groups are a dime a dozen, after all — but it seems highly likely that each party would feel they have more to lose from meaningful collaboration than they would gain. Having transitioned from government to private industry myself, I find how the concept of collaboration is applied in both spheres one-part intriguing and one-part maddening.

Eric Swalwell, a member of the US House Intelligence Committee, likened the working group to “giving the alarm code to the guys who just burglarized your home”, and this is exactly the sort of attitude I find confounding — firstly, if they just burgled your home, they really don’t need your alarm code. Secondly, why not have some respect for the people you have already vetted and entrusted with protecting your nation’s information?

Guaranteed anyone posted to this unit would be very technically capable (international reputation is on the line, after all), and would no doubt undergo extensive training on how to detect and avoid foreign interference. Does Rep. Swalwell really imagine the analysts would wittingly or inadvertently share information likely to endanger their own nation’s security in this forum? Unfortunately, this line of reasoning leads to a rather dim outlook on what exactly these analysts could share, as I can’t see it being anything that is likely to significantly bolster the cyber security of either participant. Any conversation that looks likely to disrupt a really significant threat seems to me like it would invariably degenerate thusly:

Russian Analyst: “Hey James, this APT appears to have a command and control server located in-”

US Analyst: “Err, let’s look at something else. Mikhail, did you notice this malware exploits the same zero day we saw in-”

Russian Analyst: “Uh, not that. How about this phishing email? It’s from Nigeria!”

US Analyst: “…sure.”

Instead, this fantasy unit seems doomed from the outset to endless discussions about policies, frameworks and memoranda of understanding written in such a way as to be semantically meaningless and functionally unenforceable. For the record, I’m a Governance, Risk and Compliance consultant and I’m all for frameworks and policies — but the terms of reference must be mutually intelligible, and that’s no easy feat.

Should nations be permitted to develop their own offensive cyber capabilities? In what contexts should they legally be permitted to deploy them? What are permissible targets — military installations? Critical infrastructure? Commercial entities supportive of the regime? These are questions that are difficult to articulate and address at the national level or with allies. With an adversary? Potentially insurmountable. Nonetheless, I think there is some intrinsic value in (and I feel ashamed to be using this dreadfully overused but apt phrase) just starting a dialogue.

The value of working together is one that I earnestly believe is frequently overlooked: sometimes another perspective can elucidate an issue or uncover solutions in a way that working in isolation would never achieve, regardless of skill-set. I am lucky enough to work for a company where collaboration is not only supported, it’s part of our business model. Of course, protecting our client-specific information is critical to our business, but we have no incentive to hold back on our analysis of the threat environment or our methods and we endeavour to ensure the collective effort of us and our clients is available for the broader community to share and contribute.

My concern is that between government and industry the equation is too different and that there is always something at stake that will make such collaboration untenable. After all, every piece of information shared can reveal a chink in the armour or provide a piece of the puzzle about your operational procedures and capabilities. Working on reverse engineering together? Co-contributing to a signature database? Now your adversary knows what you can and can’t detect, and can adjust their tactics accordingly.

The distinction between collaborating commercially and with a foreign power segues rather nicely into my final point, one about Trump’s presidency more generally: we are seeing the Trump administration behave less and less like a nation state and more like a company. Language typically not seen in diplomacy about “making deals”, whether on immigration or climate change, is becoming more and more common.

Tweets and White House statements are reading more like reality TV show transcripts than carefully considered government press releases every day, and the quashing of the proposed joint cyber unit almost as fast as it was proposed is testament to this… but my inner idealist hasn’t downed the hemlock yet. With Trump treating the US Government like his latest portfolio acquisition, with all the blustering and rhetoric that comes along with it, perhaps some of the fantastic innovation found in the private sector can be harnessed by dedicated military personnel and public servants too.

While unconventional collaboration is just one of the many avenues this approach could lead us down, be sure to keep your fingers crossed that the glass your former adversary passed you is really only a funky new vegetable juice.
