Toe-to-toe with the Roosskies

Mar 19, 2018 | 5 mins
Cyberattacks, Data and Information Security, Government

Russia is hardly, if at all, deterred by sanctions. Until Uncle Sam puts his kinetic foot down, Russian intrusions and campaigns will continue and most likely increase.

[Image: Russian hackers. Credit: Stephen Sauer / IDG]

In the Cold War-era movie classic, Dr. Strangelove, B-52 pilot Major Kong briefs his crew: “Well, boys, I reckon this is it – nuclear combat, toe-to-toe with the Roosskies.”  We’re not quite there yet, but it’s getting interesting.  In 2018 we’ve apparently reached another red line, this time, cyber.

On 15 March, 2018, the US Government imposed sanctions against 5 entities and 19 individuals named as violators of the Countering America’s Adversaries Through Sanctions Act (CAATSA) as well as Executive Order (E.O.) 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”  Russia was identified as the bad actor responsible for cyber intrusions in our US election process and our energy grid, both components of our National Critical Infrastructure.

Once famous for its collective farms, the former USSR now has farms of another type, troll farms.  Among the organizations and individuals sanctioned is the Internet Research Agency, the propaganda shop that flooded American social media with divisive and hate-mongering posts during, and after, the 2016 presidential election.

The dezinformatsiya, or disinformation, campaign is alive and well in modern Mother Russia.  Thanks to loosened, if any, US media standards, we now get our news from the same sources that once created stories such as the AIDS virus being created at Ft. Detrick by the U.S. military. No – just to clear up any potential confusion – it wasn’t.

So today I come here not to pontificate, but to educate.  There’s a whole generation that has grown up thinking Russia is just another country and we should all throw a pinecone into the fire and sing Kumbaya. Likewise, the new crop of cyberdefenders understand the threat comes from Russia, but still wonder why.  For what reason would a country not at war with us wish to attack our national critical infrastructure?  For Russia it’s not just a job, it’s a belief system.

So, Russia got sanctioned – what does that mean to me?

Well, if you’re the U.S. government, it means a lot of work. Treasury, State, Justice and most everybody else will be involved in freezing accounts, throwing out the requisite number of hapless diplomats, and whatever else is called for.  On the Russian side, those U.S. diplomats have got to go as well.  Why care?  Well, even in the age of cyber, a lot gets done face-to-face.  Remove the faces and you hobble the communication process, a process already complicated by bad feelings.

If you’re in the private sector, particularly Energy, sanctions probably don’t affect you so much. Although attribution followed by indictments and sanctions is a fairly aggressive response as far as cyber is concerned, the only actionable private sector intelligence pertains to IOCs and associated files that may be used to bolster organizational cybersecurity. If you’ve been following the alerts from US-CERT and your ISACs, you already know this.

Any specific action to be taken or benefit to be derived is largely outside of the control of the private sector. For example, Russia’s Main Intelligence Directorate (GRU) is a named bad actor. This is not a surprise to any competent cyber defender. Though the GRU is unquestionably a bad actor, putting pressure upon Russia’s military intelligence organization is simply not within private industry’s cyber-sphere of influence.

So the private sector should just accept the fact that Russia is in our networks and reaching for our control systems and operational technology? Pretty much the answer is yes. Even with the backing of attribution by none other than the United States Government, there is no legal (or questionably legal but desired) recourse for direct action by the private sector. This is a Government v. Government game. Indeed, private retaliation of any type (hack-back), though satisfying and thought to be a good idea by some members of Congress, would simply incite the ire of well-funded, largely unconstrained, Russian government-supported cyber forces.

A good example of the current Russian mindset is its repeated disregard for international norms, laws, and international treaties (for one, the Chemical Weapons Convention, ratified by Russia and entered into force in 1997). Russia’s blatant dismissal of UK Prime Minister May’s threats of sanctions over a March 2018 attempted nerve-gas murder in England was not only a diplomatic faux pas, but Cold War-style jackassery of the worst kind.

On the information sharing front, this crisis may have had a positive effect.  The sudden, collated flood of U.S. government information being released because of the TA publication is helpful.  It also shows how much information has been tied up in analytical processing or considered too sensitive for immediate release when it was fresh and perhaps most useful to private industry.  Certainly there’s more to come on that subject in the near future.

What do I do? Pretty much nothing. Active measures sound great but set you up for a tidal wave of retaliation and liability for collateral damage. The private sector should sit this one out and let the respective governments play the “My button is bigger and more powerful” game.

Russia’s military and civilian intelligence services directly target the US private sector and its national critical infrastructure – that’s buzz speak for they’re after our energy grid; gas, oil, and electric.  Don’t be misled by Sputnik news, the beauty of the Bolshoi Ballet, or the childlike denial of the Russian government. On the good/bad cyberthreat binary scale – Russia is bad.

Russia is hardly, if at all, deterred by sanctions. They seem to have learned from the playbook of North Korea and tend to follow punishment with a sudden flurry of more bad behavior. Until Uncle Sam puts his kinetic foot down, Russian intrusions and campaigns will continue and most likely increase. Energy needs to up its game by patching, ISAC participation, and pressure on our elected officials to take care of the macro-problems while we focus on our sector. Your tax dollars have already paid for DHS and TSA assistance, so consider using them as appropriate.

John Bryk retired from the U.S. Air Force as a colonel after a 30-year career, last serving as a military diplomat in central and western Europe and later as a civilian with the Defense Intelligence Agency. Bryk holds, among other degrees, an MBA, an M.S. in Cybersecurity, and an M.A. in Business and Organizational Security Management, a combination that gives him a unique outlook on the physical and cyberthreat landscapes. As an intelligence analyst for the private sector, he focuses on the protection of our nation's natural gas critical cyber and physical infrastructure.

The opinions expressed in this blog are those of John Bryk and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.