Experts typically condemn civilian hackers, but some make exception for Ukrainians
Experts are closely divided on whether Ukrainian civilians are justified in launching offensive hacks against Russian invaders.
About 47 percent of experts polled by The Cybersecurity 202 say such hacks are justified under the extraordinary circumstances of the invasion. About 53 percent say they’re not.
The poll of our Network experts group comes as thousands of Ukrainians and non-Ukrainians have banded together in an “IT Army” claiming to conduct cyber operations that blocked access to Russian government and media websites — operations known as “denial of service attacks,” which are illegal nearly everywhere.
- The IT Army has also conducted operations to break through Russian censorship about the invasion, such as by texting photos of dead Russian soldiers to phone numbers inside the country. Ukrainian government officials have stressed that, while they’re aware of the offensive hacks, they’re not directing them.
Government and industry cyber officials typically take a hard line against anyone other than governments launching offensive hacks that could disrupt or destroy computer systems, warning they could make mistakes that cause more harm than good or ramp up cyber conflict between nations.
But many were willing to make an exception in Ukraine, where civilians have also been taking up physical arms against the invading Russian armies.
- “When a country faces an existential threat like what Russia poses to Ukraine, cyber volunteers are justified in launching offensive cyber operations against the attacking government, just like volunteers are justified in taking up physical arms to resist attackers,” said Michael Daniel, former White House cyber czar during the Obama administration who’s now president of the Cyber Threat Alliance.
- Those civilians should still be bound by international laws of armed conflict as established by the United Nations and elsewhere, Daniel added.
This question divided cyber experts along stranger lines than I’ve seen in three years conducting these surveys.
- Those willing to allow offensive hacks included former government officials with deep Washington ties like Daniel, as well as Silicon Valley cyber pros who are often at odds with Washington.
- Opponents included former government cyber officials, cyber industry leaders, academics and activists.
A common argument from experts who said offensive hacks are justified was that citizens fighting for their country’s survival should get more leeway than they would during peacetime.
“I don’t think it’s for us to judge whether Ukrainian cyber volunteers are justified in launching offensive cyberattacks,” said Lauren Zabierek, executive director of the Cyber Project at the Harvard Kennedy School’s Belfer Center. “Russia is launching attacks on civilians, and so civilians are fighting back.”
Many supported Ukrainians’ right to conduct hacks even as they worried about potential consequences, such as accidentally disrupting U.S. intelligence operations in Russia.
- “Ukrainians are fighting for their very survival. I can’t make an argument to them that they should avoid offensive cyber operations against Russia because it might impact someone else’s intelligence operation,” said Jake Williams, a security analyst at the SANS Institute and former NSA hacker.
- Dan Geer, chief information security officer at the CIA-allied nonprofit investment firm In-Q-Tel, expressed his mixed feelings succinctly: “Justified, yes. Wise, maybe not.”
Among the 53 percent of experts who said offensive hacks aren’t justified, most said they feared unintended consequences.
“It is a bad idea,” said Suzanne Spaulding, a former top Department of Homeland Security cyber official who’s now a senior adviser at the Center for Strategic and International Studies. “No one knows what the rungs up and down the escalation ladder look like because we don’t have enough experience using cyber during a conflict.”
- Here’s Shane Huntley, director of Google’s Threat Analysis Group: “Like in the physical domain, there is real risk of collateral damage, misidentified targets and unforeseen consequences.”
- Allan Liska, director of threat intelligence at Recorded Future: “I understand the urge — I really do — and my answer might be different if I lived in Ukraine or a surrounding country. But hacking back is almost always a bad idea.”
- And Joe Hall, senior vice president for a strong Internet at the Internet Society: “Offensive hacking makes everyone less safe, period.”
Civilian hackers also often lack the skills and information to launch offensive hacks that are targeted and successful, warned Katie Nickels, director of intelligence for Red Canary.
“Vigilante volunteers are the wrong people to conduct offensive operations,” she said. “Offensive operations require a great deal of careful research and coordination to be done properly, and conducting these operations improperly risks inflicting damage on innocent victims.”
Civilian hackers would be more effective aiding Ukraine’s digital defenses, suggested Marcus Fowler, director of strategic threat at Darktrace and a former CIA cyber official.
“‘Attacking back’ is always easy, but achieving defensive superiority is the more important challenge,” he said.
More response to our Network poll about Ukrainian civilians hacking Russia:
NO: “It’s less exciting to say you did your part to defend against cyberattacks by patching all your devices … than to brag about joining an anonymous DDOS attack against Russian government targets, but it actually does more toward promoting peace and stability.” — Katie Moussouris, founder of Luta Security
YES: “While I generally do not approve of nonstate attacks against governments, Ukrainian volunteers defending their homeland are justified in using cyber tools.” — Sam Visner, a technical fellow at MITRE
NO: “People in glass houses shouldn’t throw stones. No one who is seriously considering launching attacks on Russian computer networks believes that American networks are prepared to stop any retaliatory onslaught their activities might provoke.” — Tom Cross, entrepreneur in residence at the tech start-up community Company.
YES: “In real war, those defending their sovereign nation should not always be asked to justify their actions to those of us sitting safely at home with our families.” — Marten Mickos, CEO of HackerOne
NO: “A model we should explore is a ‘cyber reserve corps’ that enables the brightest minds in the private sector to directly support government-sponsored cyber operations during times of crisis.” — Steve Grobman, McAfee’s chief technology officer
YES: “Are they justified by the horrific war crimes that Russia is committing? Yes. Should we condone this behavior? That’s another story. It may feel great to clap back at the enemy, but in this tense geopolitical situation, volunteer civilians attacking the Russian government may very well take us into WWIII.” — Tatyana Bolton, policy director for R Street Institute’s Cybersecurity and Emerging Threats team
NO: “‘Volunteers’ risk further muddying the waters of international law and [international humanitarian law] when they step in on one side of a conflict.” — Megan Stifel, chief strategy officer for the Institute for Security and Technology
CISA sounds alarms about Russia cyber threats in 3-hour briefing
Cybersecurity and Infrastructure Security Agency officials convened a 3-hour call with over 13,000 industry officials yesterday, doubling down on President Biden’s warning that damaging Russian cyberattacks may be in the works.
- CISA urged companies in critical sectors to take a slew of common protective measures that are nevertheless often ignored, such as patching against known computer bugs and requiring authentication steps beyond passwords.
- The agency is also asking those companies to alert it about even minor-seeming breaches and other cyber activity.
Got some hours to fill? The full briefing is posted on YouTube.
Okta claims a breach was limited but big questions remain
The online verification company has downplayed the hack, saying it was limited to a third-party support engineer and wrapped up in January. But cyber experts say the company took too long to disclose the breach and hasn’t answered questions clearly enough.
Okta disclosed the breach after the ransomware gang Lapsus$ published screenshots of Okta systems that the company says were obtained during the January breach, which lasted five days. About 2.5 percent of Okta customers may have had their data compromised in the breach, the company said.
Runa Sandvik, a member of CISA’s technical advisory council:
If you’re confused about Okta saying the “service has not been breached,” remember that the statement is purely a legal word soup. Fact is that a third-party was breached; that breach affected Okta; failure to disclose it affected Okta’s customers.
— Runa Sandvik (@runasand) March 22, 2022
Lapsus$ is also taunting Okta, claiming its statements minimize the breach.
“The potential impact to Okta customers is NOT limited, I’m pretty sure resetting passwords and [multifactor authentication] would result in complete compromise of my clients’ systems,” the group said on its Telegram channel.
The SANS Institute’s Jake Williams:
Okta has handled this disclosure extremely poorly. Don’t just take my word for it, the threat actor is also taunting them… https://t.co/yaamIZsjZo
— Jake Williams (@MalwareJake) March 22, 2022
Questions also remain about what other companies might have been breached through the Okta contractor.
Forbes’s Thomas Brewster:
The obvious question now is: Who else was hit in the Sykes breach?
The company says it provides services to “Global 2000 companies.”
It’s another supply chain attack, folks. https://t.co/c7eA0YoBZP
— Thomas Brewster (@iblametom) March 22, 2022
Solarium Commission co-chairs push for cyber provisions in U.S. competitiveness package
Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), co-chairs of the congressionally led commission, are pushing for a slew of cyber provisions in the bill aimed at increasing U.S. competitiveness with China.
According to a letter to Senate leaders shared with The Cybersecurity 202, they want:
- A program that makes it easier for federal employees to rotate through cyber-focused jobs at different federal agencies
- Increased funding for a State Department center that fights foreign disinformation
- An expansion of the CyberCorps: Scholarship for Service program
- A new program to find and prioritize cyber and physical risks to critical infrastructure
House and Senate lawmakers are jostling over a conference version of the bill that must be approved in both chambers before it reaches the president’s desk.
Also on Capitol Hill: Lawmakers are introducing a bill to codify into law CISA’s federal computer network monitoring program, according to a draft shared with The Cybersecurity 202.
The bill by Sens. Maggie Hassan (D-N.H.) and John Cornyn (R-Tex.) would also establish a pilot program to make CISA’s Continuous Diagnostics and Mitigation program available at the state and local level.
Russian authorities arrest Russian hacker-turned-entrepreneur
Russian authorities have accused Pavel Vrublevsky of money laundering for Russia’s largest dark net marketplace and operating fraud schemes. But it’s just as likely that Vrublevsky was arrested “thanks to his propensity for carefully documenting the links between Russia’s state security services and the cybercriminal underground,” journalist Brian Krebs reports. Krebs profiled Vrublevsky at length in his book “Spam Nation.”
- Homeland Security Secretary Alejandro Mayorkas, CISA Director Jen Easterly, National Cyber Director Chris Inglis and other U.S. government officials speak at the Hack the Port 2022 conference this week.
- Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) speaks at an Information Technology Industry Council Bridge for Innovation event today at 11 a.m.
- Mandiant chief executive Kevin Mandia discusses Ukraine and private sector intelligence today at 1:30 p.m.
- CISA Executive Assistant Director Eric Goldstein and Department of Energy cybersecurity official Puesh Kumar speak at Accenture’s operational technology cybersecurity event today at 1:30 p.m.
- CISA senior adviser and strategist Allan Friedman speaks at an Institute for Critical Infrastructure Technology event on Thursday at 1 p.m.
- The ShmooCon hacker convention convenes in Washington from Thursday through Saturday.
- Inglis speaks at the Atlantic Council’s opening of its DC Cyber 9/12 Strategy Challenge on Friday at 8:30 a.m.
Thanks for reading. See you tomorrow.