Sunday, January 1, 2017

Russian election hacking sanctions

I'm not touching on all the indicators released by the government in their report (yet). I have lots of opinions on that, stay tuned. What I really want to talk about are the sanctions and how ridiculously short-sighted they are. In my opinion, the sanctions were a publicity stunt designed to make people who don't know any better think that the administration was doing something significant.

Now I'll admit declaring 35 Russian operatives in the US persona non grata (PNG) IS significant. It takes time to find and train new embassy operatives (if you believe what you see on The Americans) and this will impact Russian intelligence for some time to come. But expect that Russia will also declare some of our "diplomats" PNG in retaliation. To not do so would nearly be an admission that the Obama administration was right about the hacking. So expect that this is a zero-sum game.

But what about the sanctions for people and companies involved in the hacking? This is where things get ridiculous. Few of the diplomats named own property in the US, and honestly, if they do I'm fine with it being seized under the sanctions. But the idea that this will impact the three Russian companies named in the announcement is ridiculous.

First, they don't do business in the US. Second, one of the companies listed (Zor Security) has reportedly been closed, and sanctioning a closed business is lunacy. Several people have noted that the company still shows as active on the Russian business registry, but the owner of the business claims to have shuttered it some time ago. In any case, she wasn't doing business in the US. Unless Zor Security has assets in the US, the sanction is a publicity stunt.

The Department of the Treasury uses powers from the newly expanded Executive Order 16394. If you haven't read the original order, you should start there before reading the amendment just issued. The real problem here is that the language is so broad that if Russia were to adopt the same language, they could sanction huge numbers of NSA and DoD contractors and government personnel.

Whole sections of DoD contractors are probably researching zero-days, writing malware, and planning and executing cyber operations as I write this. What makes them different from the people and organizations sanctioned by the US Government? Maybe the types of cyber operations they engage in. I think the intent was to limit the scope of the Executive Order to only certain types of hacking. But read below and you'll see it's pretty clear they missed the mark.

The definitions in (A) and (B) are pretty broad. Any takers on a bet that US contractors haven't performed or materially contributed to one of these operations against a foreign government?

The problem with (C) is that there are often unintended consequences to cyber operations. Intent and impact don't always align. An investigation I was involved in with Rendition Infosec involved an apparent denial of service attack on a database server. After examining logs, we found that the attacker had been there for months, executing queries against the database sporadically (to gain intelligence and/or trade secrets). The attacker executed a query that used an inner join operation to create a sub-table and select from there. The tables involved were huge and exhausted available memory. While the query was syntactically correct, it caused the server to stop responding to requests. We can all agree the DBMS should have been more resilient to memory issues, but that's opinion. I'm talking about reality. The database was serving an ERP application, so this had significant financial impact for the organization.

The intent was not to cause "significant disruption," but the impact definitely qualified. The powers granted in the Executive Order make no differentiation between intent and impact, and this could be an issue. Even if you don't care about this because "F%$k Russia," remember that they (and others) may choose to judge US citizens by these same standards.

Regarding (D), it is official US policy not to use hacking to steal trade secrets that are then given to US companies for financial benefit. But given the number of classified Executive Orders exposed by the Snowden leaks, is it really unrealistic to believe this might be happening? Whether or not you think it's happening, isn't it realistic that another government might think so and start sanctioning US contractors providing material support to cyber operations?

Finally, let's not be myopic about (E). There are plenty of reports about the CIA tampering with elections. I'll let you form an opinion here, but I'm pretty sure that if the CIA (or whoever) is still tampering with foreign elections, they are using intelligence gained from cyber operations to do it. That squarely fits the definition for (E).

I'm all for responsible sanctions, but the language used here does not consider potential blowback to US citizens. Since it's largely accepted that China was responsible for the OPM hack, maybe I should be more concerned with China than Russia. And speaking of which, where are the sanctions for Chinese companies providing "material support" to hacking operations?

Make no mistake about it, this Executive Order sends a powerful message. Unfortunately, that message is "here's a road map for how to hurt us more than we can hurt you." Think I'm wrong? If you sell NSA a 0-day (or just give it away because you're a patriot), you would almost certainly fall squarely within the definitions of this EO. Think this publicity stunt makes the US stronger? Think again...
