Dear DNC, Here are 7 Ways to Protect Yourself from the Russians

Yuji Develle
Published in Wonk Bridge
9 min read, Jul 28, 2016

State-led cyber-attacks are a reality. Be prepared or be startled.

While Putin’s long reach is intimidating, your lack of cyber-defence is truly frightening (photo by Fastmind)

Last week’s DNC leaks have proved that a relatively small data-theft incident plus excellent timing is all it takes to strike a decisive blow to an American political campaign.

We live in an unstable American political context, coupled with a Russia desperate for redemption and for a return to economic prosperity (an end to American sanctions). It shouldn’t be a surprise if emboldened Russian actors deliberately try to influence U.S. elections, as they have, constantly, in Europe and Central Asia.

The real surprise is that the U.S. government, and affiliated organisations, remain unprepared for this inevitability.

By lacking a clear communications strategy, using outdated security measures, and failing to understand the dynamics of Russian Information Warfare, the DNC’s carelessness magnified the strategic effects of the leak.

Here are seven ways the DNC, and other Western public organisations, can defend themselves from state-associated disinformation attacks:

  1. Encrypt Your Messages!
  2. Limit Administrative Privileges
  3. Beware of Outsourcing
  4. Don’t Always Trust Certificates
  5. Beware of Passwords
  6. Prepare a Communication Contingency
  7. Attribute Responsibly

Encrypt Your Messages

The knee-jerk reaction to getting over 20,000 of your e-mails leaked is to find better encryption for your future communications.

Traditional e-mail services fail to provide the level of encryption required to protect organisations from leaks.

Encrypted webmail services have often been forced to create cryptographic backdoors and/or close down their business due to government surveillance requests (think Lavabit in 2013). It sure is tempting to spy on everything.

The DNC and OPM hacks have shown that the strategic consequences of weak encryption are serious enough to justify supporting e-mail encryption services.

Given the variety of attack sources (hacktivists, insiders, foreign governments), network security is not sufficient to protect content after data is stolen. End-to-end encryption and other cryptographic techniques could prevent the contents of messages from being read by an unintended audience. ProtonMail is a Swiss end-to-end mail app that encrypts messages across all major e-mail providers (Gmail, Yahoo, Aol, Outlook, Apple Mail). Mailvelope is a German OpenPGP mail encryption tool that now provides Chrome and Firefox add-ons for free.

Limit Admin Rights

While Russia remains in the headlines, it is important to focus on the most damaging threat, the insider attack. What do the 2016 French Police record leaks, 2013 Snowden leaks and 2008 San Francisco FiberWAN hacks have in common? Weak administrative barriers.

Oftentimes the leaks are executed by employees or contractors with administrative rights. These rights grant access to almost all operations on an organisation’s network, including username/password changes, activating/shutting down core processes, and modifying user privileges (a common indicator of compromise).

‘Tools to manage identities, access and data can enable an organisation to find the right balance between enablement and sharing of sensitive data — with the controls needed to reduce the risks of insider security breaches.’ — CA Technologies Whitepaper 2015 [1]

Implementing “Least Privilege Access” and regular controls on sensitive data management would make real inroads. Even admins would be given only the tools they need to undertake their jobs, at the time they need those tools. New tools would be made available only after passing strict cryptographic barriers such as multi-factor authentication (enabled by Elliptic Curve Cryptography).
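The model sketched above, with a base role, just-in-time elevation gated by a second factor, automatic expiry, and an audit trail that doubles as a detection feed for the “modifying user privileges” indicator mentioned earlier, as an added illustration that is not code from the article or from any product it names. The `verify_mfa` callback, the permission names and the alert thresholds are assumptions.

```python
# Added illustration: least privilege with MFA-gated, time-bounded elevation.
import time
from collections import Counter

class PrivilegeBroker:
    """Users hold only a base role; extra rights are granted per task,
    only after a second factor is verified, and expire automatically."""

    def __init__(self, verify_mfa, now=time.time):
        self.verify_mfa = verify_mfa  # callable(user) -> bool, e.g. an OTP check
        self.now = now                # injectable clock so expiry can be tested
        self.base = {}                # user -> set of permanent permissions
        self.grants = {}              # (user, perm) -> expiry timestamp
        self.audit = []               # (event, user, perm, reason, when)

    def add_user(self, user, perms):
        self.base[user] = set(perms)

    def request(self, user, perm, ttl_seconds, reason):
        """Just-in-time elevation: MFA-gated, time-bounded, always audited."""
        if not self.verify_mfa(user):
            self.audit.append(("DENIED_MFA", user, perm, reason, self.now()))
            return False
        self.grants[(user, perm)] = self.now() + ttl_seconds
        self.audit.append(("GRANTED", user, perm, reason, self.now()))
        return True

    def allowed(self, user, perm):
        if perm in self.base.get(user, set()):
            return True
        expiry = self.grants.get((user, perm))
        if expiry is None:
            return False
        if self.now() >= expiry:  # the grant lapsed: revoke it and record that
            del self.grants[(user, perm)]
            self.audit.append(("EXPIRED", user, perm, "", self.now()))
            return False
        return True

def privilege_alerts(audit, sensitive, max_mfa_failures=3):
    """Turn the audit trail into alerts: any grant of a sensitive right (e.g.
    the power to modify user privileges) and repeated second-factor failures."""
    alerts = [f"sensitive grant {p} to {u}: {r}"
              for e, u, p, r, _ in audit if e == "GRANTED" and p in sensitive]
    failures = Counter(u for e, u, _, _, _ in audit if e == "DENIED_MFA")
    alerts += [f"{n} MFA failures for {u}" for u, n in failures.items()
               if n >= max_mfa_failures]
    return alerts
```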

Beware of Outsourcing

Edward Snowden was an NSA contractor originally working for Booz Allen Hamilton. Despite being an outsourced employee, he had the same degree of access into NSA files as those under direct employ (while benefitting from a lesser degree of oversight). Public bodies are often under-budgeted and eager to recruit from diverse fields across the private sector.

The 2013 Target hack started with the breach of Fazio Mechanical, a small heating and air-conditioning company affiliated with Target. Once the outsourced company had been compromised, Target’s intra-network protections proved significantly weaker. When Verizon pen-tested the company, it concluded that a major factor behind the effectiveness of the attack was Target’s “sprawling network” and “weak administrative passwords”.

Weak passwords and sprawling networks are often a consequence of outsourcing and of a lack of communication between security professionals within an organisation: for the sake of practicality, the organisation chooses to keep default passwords and to hand out admin privileges more arbitrarily.

While it is reasonable to contract and outsource employment, this should not be an excuse to relax security and auditing policies, particularly with regards to intra-network security and admin rights.

Don’t Always Trust Certificates

Digital Certificates are ways of identifying the veracity of identities on the internet. The Public-Key Infrastructure (PKI) and its Certificate Authorities (CA) (Registration Authorities, Certificate Authorities and Validation Authorities), generate digital certificates to servers based on the public-private key pairings of whoever wishes to access a given server. The problem is that the entire security of this system relies on the integrity of the PKI and the CA’s ability to correctly assess the validity of keys.

The 2011 DigiNotar breach and “ComodoGate” proved how devastating a CA and PKI compromise could be for conducting man-in-the-middle attacks. The DigiNotar attack took down the entire Dutch PKI and led to attacks on some 300,000 Iranian Gmail users.

Thankfully there are practical alternatives to PKI on the market.

Web of Trust (WoT) is known for mitigating single points of compromise, while being less adept at measuring trustworthiness.

The Distributed Trust model discards certificates and CAs completely, by letting the customer choose two or more partial key-holders to guarantee its identity when accessing a server. This prevents MitM attacks and unwanted spyware from penetrating at this level, as the points of compromise are distributed across multiple geographic and legal environments (great for public sector security!).
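To make the “partial key-holders” idea concrete, here is an added example (not code from the article or from any product it describes) that splits a client’s key across several holders so that every one of them must contribute before the client can answer a server’s challenge; the XOR split, the challenge-response format and the holder count are assumptions chosen for illustration.

```python
# Added illustration: a key split across n holders so that compromising any
# single holder (or any strict subset) reveals nothing about the key.
import hmac
import hashlib
import secrets

def xor_all(parts):
    """Byte-wise XOR of equal-length byte strings."""
    acc = bytes(len(parts[0]))
    for p in parts:
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc

def split_key(key, holders):
    """Split `key` into `holders` shares; all of them are needed to rebuild it.
    Every share but the last is uniformly random, and the last is the XOR of
    the key with the others, so any strict subset is independent of the key."""
    if holders < 2:
        raise ValueError("need at least two partial key-holders")
    shares = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    shares.append(xor_all(shares + [key]))
    return shares

def combine(shares):
    """Rebuild the key from the full set of shares."""
    return xor_all(shares)

def prove_identity(shares, challenge):
    """Client side: collect the chosen holders' shares, rebuild the key in
    memory and answer the server's challenge with an HMAC over it."""
    return hmac.new(combine(shares), challenge, hashlib.sha256).digest()

def verify_identity(key, challenge, response):
    """Server side: the server holds the whole key and checks the response
    in constant time; a response built from a partial set of shares fails."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)
```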

Beware of Using Passwords

Let’s face it. The best password security is no password security.

A recent Telesign study involving over 600 info-sec pros showed that 69% of those interviewed believed username/password combinations did not provide enough security. 79% experienced account takeovers, 90% of those taking place last year. Account-related breaches are growing and weak passwords are the most important cause.

While some CSOs and/or CIOs may believe that two-factor authentication (2FA) (the practice of layering another security check over the traditional username/password combination) is enough to allay concerns over password security, consensus is building towards new account security procedures. Sony is adding 2FA to the PlayStation Network, but it’s already too late for them. The National Institute of Standards and Technology (NIST) just removed SMS-based 2FA from its list of secure authentication methods.

Google ATAP’s Project Abacus made inroads towards behavioural authentication technologies, and aimed to replace password-based logins with these “at the year’s end”. The technology authenticates based on a cumulative trust score calculated from your online behaviour, facial recognition, geo-location, etc. The higher your trust score, the less you will need to fill in your log-in details (via 2FA). This alternative can be useful in reducing the number of password-based intrusions from outside sources, and in spotting unusual habits within a governmental organisation.

Another alternative is M-PIN, a zero-password two-factor authentication system. It uses a combination of secure PIN codes and other desired authentication methods (behavioural, biometric, location, etc.). This system is simple, customisable for various governmental needs and eliminates password-related vulnerabilities.

Prepare a Communications Contingency

It is essential for any organisation dealing with potentially controversial documents to accept the possibility of a leak.

From today’s #DNCHack e-mails to Mitt Romney’s infamous 47% comments, politics have been radically altered by technology. Bruce Schneier explains that organisational doxxing has become a common attack method utilised by hacktivists, foreign governments and insiders alike. The U.S. Government needs to proactively update its cyber defences, but also prepare for the inevitable possibility that its most controversial files will, at some point, be revealed to the public.

As a best practice, it is therefore important for civil servants to assume that all online communication is on the record, vetted and publicly accountable. Should sensitive issues such as America’s role in the future of Ukraine be discussed, it is probably a bad idea to be caught saying “Fuck the EU!” on the phone.

Beyond professionalism, civil servants should be tasked with preparing contingent communications. These would justify and explain the context and rationale behind controversial decisions and comments, so as to have something to fall back on when leaks happen. Business calls this a “prepared spin”.

For an effective spin, it is important to keep a strategic watch on the state of cybersecurity, keeping tabs on your organisation’s friends and foes in cyberspace. The DNC’s connections to the Democratic Party nominee and its importance in the maintenance of political stability in the US should be enough to consider taking the Russian threat seriously. Russia has long seen cyberspace as an asymmetric conflict theatre, from which it can challenge the U.S.’s influence in international (particularly European) politics.

Immediate threat assessment is also crucial. Russia, politically humiliated by the recent International Olympic Committee ruling and the Panama Papers revelations, evoked American conspiracy theories in both instances.

For Russia, Hillary Clinton, infamous in Russia for having broken promises on NATO non-expansion in 1999 and for fomenting opposition rallies during the 2011–12 elections, is a real threat to Russian attempts at regaining control over its near-abroad.

That being said, it would be unwise to assume that Russia (on the whole) wants a Trump presidency. As a former intelligence officer said, ‘She’s incredibly predictable and not willing to do confrontation. Trump is both unpredictable and confrontational…. I’d much rather play poker against Hillary. I’d win every hand.’

This pungent threat environment calls for a vigilance that warrants systematic communications contingencies.

Attribute Wisely

Strongly linked with strategic communication, the process of attributing cyber-attacks is ‘an art as much as it is a science’ (Rid & Buchanan, 2015).

While there is an emerging consensus among security scholars that the attacks were indeed of Russian state-sponsored origin (related to Cozy Bear and Fancy Bear intrusions in April), the political world is divided on how to respond.

CNN holds the line that ‘publicly releas(ing) vast troves of stolen data to try to influence a U.S. election is beyond the scale… counterintelligence officials have seen,’ while the Council on Foreign Relations maintains that the computer networks of a political party remain legitimate intelligence targets, similar to China’s attacks on the 2008 Obama and McCain campaigns.

In terms of cyber-crisis management, attribution is key to controlling the narrative. The celebrated Jeffrey Carr eloquently decries the inaccuracy of current attribution (if the code is in Cyrillic, it must be Russian), calling this “Faith Based Attribution” rather than attribution focused on technical/forensic investigation.

In a political crisis however, Faith Based Attribution, or qualitative attribution, is as important as forensic attribution.

The #DNCHack struck a political Achilles heel: the disunity and distrust within the Democratic Party. Attribution to Russia, accompanied by escalating rhetoric, could serve as a rallying call for the American political establishment to move past the effects of the hack.

As War on the Rocks suggests, for the DNC, associating the attacks with Donald Trump’s campaign (#Trumputin) could serve to alienate a large population of Polish-American voters in key swing states. The use of the keyword “cyber-war” is useful for escalating the register of the attacks to the national security level.

‘Over the weekend, Dave Aitel argued that the “DNC hack and dump is what cyberwar looks like.” There is a decent case that information systems surrounding our elections should qualify as “critical infrastructure” and that malicious nation states should recognise that interfering with these systems risks serious consequences.’ — Lawfare Blog

Of course, the cyber-war label is a “ludicrous exaggeration”. But hey, it works! By escalating the stakes in such a way that the attacks are securitised, this increases the likelihood that U.S. intelligence releases anti-Russian documents in retaliation.

For a full breakdown of an effective attribution communication strategy, read Thomas Rid and Ben Buchanan’s “Attributing Cyber Attacks”.

For more information on the challenges behind cyber-attribution, read my article: “The Attribution Game”.

[1] Miller, Russel & Maxim, Merritt, ‘I Have to Trust Someone. … Don’t I? Dealing with Insider Threats to Cyber-Security’ (White Paper: CA Technologies, January 2015)


Founder of @WonkBridge | Follow me on Twitter: @YDevelle