


Contributing writer

Scholars, infosec experts call for action on Russian hacking

Dec 01, 2016 | 5 mins
Cybercrime, Election Hacking, Security

In the wake of reports about Russian involvement in fake news and hacks against political targets leading up to the recent presidential election, scholars and security experts are calling for federal action.

As of Sunday, 158 scholars have signed an open letter calling for a congressional investigation.

“Our country needs a thorough, public Congressional investigation into the role that foreign powers played in the months leading up to November,” the letter said.

Democrats in Congress have also called for an investigation, and were recently joined by Republican Sen. Lindsey Graham.


Eric Schmidt, the executive chairman of Google’s parent company Alphabet, has said he’s most worried about Russia when it comes to cyber attacks.

“If you look at their actions over the last few months, they’ve done a number of very publicized invasions, attacks, and alterations,” he said in an interview on Bloomberg Television.

According to a survey of U.S. adults released this morning by Alertsec, the general public agrees that Russia poses the biggest threat. Of those who said that they were worried about hacker groups, the largest number (24 percent) said that they worry most about Russia. Anonymous was in second place with 21 percent, followed by petty thieves at 19 percent, and China at 18 percent. WikiLeaks and “neighborhood nerds” tied for last place, at 10 percent each.

What makes Russian cybercriminals different is the high skill level of the individuals involved, and the breadth of the underground economy that they participate in.

“They have been evolving and honing their skills for the better part of 15 years,” said Ed Cabrera, chief cybersecurity officer at Trend Micro.

The Russian underground economy is the most mature, he added.

“It has truly been the rising tide that lifts the skill sets of all Russian cyber criminals,” he said.

In a report about the Russian Underground that Trend Micro released last year, the security firm also identified two types of politically motivated cyberattackers. First, there are people who have a strong political belief and volunteer their time and skills on behalf of causes, groups, or governments.

Then there are the cyber mercenaries, who work for political groups or governments for money.

Knowing where the criminals are coming from does make a difference, Cabrera said.

“You cannot develop a sound resilient cybersecurity strategy without having a deep understanding of the threats you face and the vulnerabilities you have,” he said. “To quote Sun Tzu, ‘If you know neither the enemy nor yourself, you will succumb in every battle.’”

Russian hackers also have one other advantage: it can be easier for them to hide from law enforcement authorities in other countries.

“Prosecuting any hacker in a country other than our own can be a process that’s legally fraught with jurisdictional and extradition issues, so not an easy undertaking,” said Joseph Opacki, vice president of threat research at PhishLabs. “For these reasons, hackers tend to hide in countries well-known within the cybercrime ecosystem.”

Some call for offensive countermeasures, not just investigations

The combined offensive power of the Russian criminal underground and the Russian government itself might be too much for individual enterprises to defend against on their own.

“We need to help fund both private and public sector efforts if we want to reduce the risk to our country of a major cyber event,” said Michael Lipinski, CISO and chief security strategist at Securonix. “Our corporate entities are not financially equipped to combat endless state sponsored actor attacks.”

For example, the United States could fund projects that improve not just defensive capabilities, but offensive ones as well.

“Counter strikes may be necessary depending on the situation but there needs to be great clarity before taking this action,” he said. “There is risk of hitting the wrong target and risk of collateral damage. That said, I also believe, just like in standard warfare, that a strong arsenal is a great deterrent.”

A formal security officer at the federal level to coordinate investment and prioritization efforts would also be helpful, he said.

“Cyber defense is a priority for both private and military entities, and the government must create a coordinated framework that includes both,” agreed Ebba Blitz, CEO at Alertsec. “This work is of great importance and the United States should appoint a chief of cyber security.”