CYBERWARFARE: RUSSIA’S ATTACK ON THE 2016 ELECTION

Note: If you find my posts too long or too dense to read on occasion, please just read the bolded portions. They present the key points I’m making and the most important information I’m sharing.

This is my sixth post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 North Korean ransomware attack; and the 2009 U.S. National Security Agency (NSA) cyberwarfare attack on Iran. My second post covered the leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine. The fourth and fifth posts described China’s cyberattack on Google and Google’s response.

This post summarizes Russia’s attack on the 2016 U.S. election, which began in June 2014 when Russia sent two agents to the U.S. for a three-week reconnaissance tour to gather intelligence on U.S. politics and elections. Their report became the field guide for Russia’s interference in the 2016 election. Starting in 2014, the Russians tried to hack into voter registration and election systems in all 50 states. They are known to have succeeded in accessing Arizona’s and Illinois’s voter databases. In 2015 (and probably before then), the Russians aggressively hacked into computer networks at the State Department, the White House, and the Joint Chiefs of Staff of the Defense Department, although this was probably unrelated to the election and was just “routine” espionage. Because they occurred in the midst of the unprecedented and mind-boggling presidential campaign that was underway at the time, these cyberattacks got little coverage in the mainstream media.

Russia’s social media propaganda agency, known as the Internet Research Agency (IRA), had as its goal for the U.S. election in 2016 to “spread distrust toward the candidates and the political system in general. … [to create] division, distrust, and mayhem.” [2] In September 2014, the IRA created a Facebook group, Heart of Texas, focused on right-wing Texans that generated 5.5 million likes within a year. It also created another Facebook group, United Muslims of America. Then, among other things, it used these two Facebook groups to promote rallies and counter-rallies at the Islamic Center in Houston that led to real-world confrontations. The IRA used the stolen identities of Americans to make their work more credible, but nonetheless its cyber manipulators were surprised at how gullible and susceptible the Americans were to their Facebook disinformation.

Based on its success in Texas, the IRA began replicating this approach across the country, focusing on purple states. Its staffing grew to more than 80 people who were directed to “Use any opportunity to criticize Hillary and the rest (except Sanders and Trump – we support them)” according to leaked memos. [3] The IRA:

  • Communicated with Trump campaign volunteers.
  • Bought Facebook ads promoting Trump and attacking Clinton.
  • Promoted race-baiting and xenophobic messages.
  • Worked to suppress minority voter turnout and to encourage voting for third party candidates instead of for Clinton.
  • Paid an unwitting Florida Trump supporter to put a cage on a flatbed truck and paid an actress to dress up as Clinton and sit in the cage as Trump rally goers chanted “Lock her up!” Based on this success, they promoted similar rallies in other states.
  • Reached 126 million Facebook users and generated 288 million Twitter actions, which are staggering numbers given that 139 million people voted in the 2016 election.

In June 2016, it was discovered that two other Russian groups had hacked into the Democratic National Committee’s computer network months earlier, extracting and releasing embarrassing emails, among other things.

The Obama Administration, facing multi-faceted and snowballing Russian interference in the election, finally decided in the fall of 2016 that a strong bipartisan statement (so it wouldn’t appear political) was necessary. Top Homeland Security and FBI officials were sent to brief Congress. But the response from the Republicans was completely partisan. Republican Senate Majority Leader Mitch McConnell refused to warn Americans about Russia’s efforts to influence and undermine the 2016 elections. He refused to sign any bipartisan statement, argued (falsely) that the intelligence on the cyberattacks was wrong, and claimed (falsely) that this was all just Democratic partisan politics.

After the election, the Obama Administration imposed significant sanctions on the Russians, but they were too little and too late. Although there’s some argument over the ultimate impact of the Russians’ efforts, Perlroth concludes that the Russian actions may well have tipped the election to Trump. Black voter turnout declined sharply in 2016 for the first time in 20 years; this was a constituency and an outcome that the Russians had aggressively targeted. Black voter turnout fell from 66.6% in 2012 to 59.6% in 2016, its lowest level since 2000. This represented a decline of 765,000 votes, when fewer than 80,000 votes in three key states determined the outcome of the election. Furthermore, Trump’s margin in each of these three key states – Wisconsin (22,800 votes, a 0.8% margin), Pennsylvania (44,300 votes, a 0.7% margin), and Michigan (10,700 votes, a 0.2% margin) – was smaller than the vote for the Green Party candidate in that state. Voting for third party candidates instead of Clinton was another outcome that the Russians had aggressively targeted. Given the closeness of the election, a relatively small change in either (let alone both) Black voter turnout or the number of votes cast for the Green Party instead of for Clinton would have changed the outcome of the election – and both of these were factors that the Russians specifically worked to influence.

Subsequent posts will outline the Perlroth book’s reporting on:

  • Russia’s continuing cyberattacks on the 2018 and 2020 U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N., see above, page 310

[3]      Perlroth, N., see above, page 311

CYBERWARFARE: GOOGLE’S RESPONSE TO CHINA’S ATTACK

This is my fifth post on computer hacking and cyberwarfare, all of which are part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 worldwide ransomware attack by North Korea; and the 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant. My second post provided an overview of the book’s reporting on leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine and the fourth post described China’s cyberattack on Google.

Google had begun doing business in China in 2006, agreeing to the censorship of search results that the government demanded. In 2009, it was still struggling to accommodate China’s increasingly draconian censorship rules. Nonetheless, China waged a cyberattack on Google in 2009 in an effort to make Google an unwitting accomplice in Chinese surveillance of dissidents. (See my previous post for more details about this cyberattack.)

In response, on January 12, 2010, Google publicly revealed the Chinese cyberattack and its decision to pull out of China, despite its being the largest and most sought-after market in the world. Fearing for its employees’ safety, it had briefed the State Department, and the U.S. embassy in Beijing was prepared to undertake a mass evacuation of Google’s Chinese employees and their families. Google shut down its Chinese operation and routed all Chinese Internet traffic to Hong Kong. In response, the Chinese government scrambled to censor and block Internet content flowing from Hong Kong, lambasted Google, denied involvement in the cyberattack, and accused the U.S. government of conducting an anti-China propaganda campaign. It permanently blocked Internet access to Google and, three years later, under new President Xi Jinping, took total control of the Internet in China.

The Chinese hackers who had executed the attack, having been outed, unplugged their Internet computer servers and abandoned their hacking tools. They abstained from hacking in the U.S. for a number of months, but one year later engaged in a sophisticated attack on RSA, the cybersecurity company that sold security services to, among others, high-profile defense contractors. Based on this successful attack, the Chinese hackers were able to infiltrate Lockheed Martin and thousands of other western companies, including banks, automakers, chemical companies, law firms, non-profit organizations, and more. They stole billions of dollars’ worth of proprietary information, including military and trade secrets.

Back at Google, less than a year after the 2010 pullout, some executives began pushing to go back to doing business in China. As Google diversified its businesses and re-organized under the over-arching corporation Alphabet in 2015, re-entry into the Chinese market, with its 750 million Internet users, became a hot topic of debate. Ultimately, human rights, ethical considerations, and Google’s motto of “Don’t be evil” were overwhelmed by a focus on profits.

In 2016, Google established a new, artificial intelligence research center in Beijing and released some small-scale products, e.g., an app and a mobile game, into the Chinese market. Simultaneously, it was working on a search engine for the Chinese market, code-named Dragonfly, that met government censorship requirements. In August 2018, an employee leaked information about the work on Dragonfly. After protests by Google employees and others, the Dragonfly project was terminated in July 2019. Google does not offer a search engine in China at this time.

Google’s business ethics have been questioned not just for doing business in China, but for its behavior in the U.S. and elsewhere. It profits off sites that spread disinformation and conspiracy theories, and its YouTube subsidiary allows the spread of videos that harm the well-being of children. In Saudi Arabia, it hosted an app that allowed men to track and, thereby, control the movements of female family members.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

CYBERWARFARE: CHINA’S ATTACK ON GOOGLE

This is my fourth post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 worldwide ransomware attack by North Korea; and the 2009 cyberwarfare attack by the U.S. National Security Agency (NSA) on Iran’s uranium enrichment plant. My second post provided an overview of the book’s reporting on leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine.

This post summarizes China’s cyberwarfare and, in particular, its attack on Google. The Chinese government’s cyberwarfare initiatives use both army personnel and contracts with non-government hackers at Chinese universities and technology companies. This contracting with private hackers is similar to President Putin’s strategy in Russia, where cyberattacks had been outsourced to cybercriminals for years to give the government some marginally credible deniability of responsibility. As in Russia, many of the private hackers in China are likely to have been conscripted, rather than hired in the private market.

For years, the Chinese have been hacking into defense companies where they focus on stealing aerospace, missile, space, and satellite technologies, as well as nuclear propulsion and weapon information. They have also been hacking into a broad range of U.S. businesses and stealing intellectual property. A former Director of the NSA, Keith Alexander, called Chinese cyber theft the “greatest transfer of wealth in history.” [2]

In December 2009, now ancient history in the annals of cyber hacking, Google’s digital security team noticed an electronic intruder in their computer network. It was moving from computer to computer in what they called the fastest cyberattack they had ever seen. It had managed to breach what was one of the toughest digital security systems in existence at the time and was conducting a very sophisticated search across Google’s extensive computer network. As is often the case, the intruder’s access had been initiated by unsuspecting Google employees who had clicked on a link in a hacker’s phishing message. The link went to a website in Taiwan that put the hacker’s computer program, i.e., malware, onto the employee’s computer via a vulnerability in Microsoft’s Internet Explorer browser. The malware allowed the hacker to access the employee’s computer and Google’s network.

The attack was very sophisticated – the work of highly skilled, well-resourced hackers, not a small-time, individual cybercriminal. This was made clear by the hackers’ encrypting of their attacking computer program and obfuscating of their tracks, along with the expertise needed to use the Internet Explorer vulnerability.

Over a couple of weeks, Google assembled a team of 250 inside and outside security experts to counter the attack, and then determine who had attacked and what they were trying to accomplish. Team members worked 24/7 and December holiday vacations were canceled.

Eventually, the team’s work identified the attacker as a group contracted with by the Chinese government. It was being monitored by the NSA, which had code-named it “Legion Yankee.” It was one of the most active of the more than two dozen Chinese hacking groups that the NSA monitored. These groups had attacked U.S. government agencies, technology companies, think tanks, and universities in attempts to steal intellectual property, military secrets, and correspondence.

As Google and outside security experts dug into the attack, they traced it back to Legion Yankee’s computer server and discovered that dozens of other U.S. companies had been attacked as well, including Adobe, Intel, Northrop Grumman, Dow Chemical, and Morgan Stanley. As Google tried to warn these other companies, they found it was hard to reach someone who would take their warning seriously and understand its implications. Many of the companies refused to acknowledge that their computer systems had been breached – not wanting the bad publicity.

Google and its outside experts also eventually figured out what the attacker was after: Google’s source code. This is the computer programming that runs the Google application – it’s what displays its screens when you access Google, it’s what runs the search engine and displays the results, it’s what determines what ads to show you and what to do when you click on an ad or search result, etc. Microsoft’s Windows computer operating system, which runs many of our computers, is probably the best-known example of source code, along with Apple’s Operating System (OS) or the Android software that runs your phone.

This kind of attack wasn’t about short-term gain, e.g., theft of money or information; it was a long-term strategy that could bear fruit immediately but also for years to come. The hackers would insert code into, or change the programming of, Google’s source code to give themselves access to the information flowing through Google, to Gmail accounts, and also to the computers and networks that were using Google.

Ultimately, Google determined that the Chinese government wanted to change Google’s source code so it would have long-term access to any Gmail account, and that its interest was in accessing the Gmail accounts of Chinese dissidents, including pro-democracy activists in Hong Kong, Tibetan and Uighur Muslim dissidents, pro-independence Taiwanese, the Dalai Lama, and others. In other words, China’s goal for its most sophisticated cyberattack capabilities was to be able to monitor, threaten, and thereby control its own people.

U.S. State Department officials would eventually connect Legion Yankee and the Google attack to the Chinese government’s top security official, Zhou Yongkang, and to Li Changchun, a member of China’s top ruling body (the Politburo Standing Committee) and China’s top propaganda official. Li had reportedly googled himself and was not happy with what he found and, therefore, ordered the attack on Google.

My next post will summarize Google’s response to the Chinese attack: it made a big splash by publicizing China’s attack and pulling out of the Chinese market completely in 2010 – only to re-enter the Chinese market in 2016. Subsequent posts will outline the Perlroth book’s reporting on:

  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N., see above, page xix

CYBERWARFARE: RUSSIA’S ATTACKS ON UKRAINE AND USE OF NSA’S CYBER WEAPONS

This is my third post on computer hacking and cyberwarfare, part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on:

  • The scale of computer hacking, cybercrime, and cyberwarfare,
  • The 2017 worldwide ransomware attack by North Korea using a Microsoft Windows vulnerability stolen from the U.S. National Security Agency (NSA), and
  • The 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant.

My second post provided an overview of the book’s reporting on:

  • Electronic surveillance in the U.S. and the use of encryption to protect privacy, and
  • Leaks from the NSA, including of its cyberwarfare weapons.

This post provides an overview of Russia’s cyberattacks on Ukraine. Russia is and has been a formidable and active player in espionage and international warfare since the 1950s Cold War, which Perlroth touches on as background for her reporting on cyberwarfare.

Not surprisingly then, Russia has been an early, active, and formidable participant in cyberwarfare. It has attacked Ukraine both to demonstrate its capabilities to the world and to display its ongoing displeasure with independence in Ukraine, which threw out the Russian puppet government in 2014. Russia’s cyberwarfare has interfered with Ukraine’s elections and its everyday life. In 2014, Russia planted disinformation during Ukraine’s election and engaged in serious cyber hacking of its election infrastructure. Ukrainian election officials discovered the hacking just before manipulated results would have been announced to the media. It was the most brazen cyberattack on a national election ever at the time.

For its next attack, on Christmas Eve in 2015, Russia’s cyber warriors flipped off circuit breakers in the Ukrainian power grid, turning off electricity for hundreds of thousands of people. They also shut off backup power in many locations and shut down emergency phone lines. Things were turned back on roughly six hours later, but the message and the capabilities were clear. This represented an escalation of cyberwarfare; no country had ever shut down another country’s civilian power grid before. A year later, Russia did it again, this time shutting down the power and heat in the Ukrainian capital of Kyiv.

On June 27, 2017, Russia launched another, much more devastating cyberattack on Ukraine, this time using weapons from the U.S. National Security Agency (NSA) that had been stolen and leaked in 2016 and 2017. (See my previous post for more details on this leak.) Russia specifically timed its attack to occur on Ukraine’s independence day to underscore its political message. The attack shut down government offices, trains, ATMs, the postal service, and almost all financial systems, so people couldn’t get paid; electronic cash registers didn’t work, so people couldn’t buy anything, even food and gas. Even the radiation monitors at the Chernobyl nuclear disaster site were shut down. The attack destroyed the data on 80% of the computers in Ukraine. The damage was so severe that it took over two years for Ukraine to recover from this Russian cyberattack.

Not unexpectedly, the cyberweapons (i.e., malicious computer programming) that Russia used in the attack on Ukraine self-propagated through the Internet and other computer networks, so that any company doing business in Ukraine was vulnerable. The cyberweapons shut down factories in Tasmania, destroyed vaccines at the pharmaceutical companies Pfizer and Merck, infected FedEx’s computer systems, and brought the world’s biggest shipping company, Maersk, to a halt. The cyberweapons even spread back to Russia, destroying data at the giant, Russian government-owned oil company Rosneft and at the Russian steelmaker Evraz.

When author Perlroth visited Ukraine in the winter of 2019, a year and a half after the attack, the damage estimate there was $10 billion and climbing, and significant disruption of daily life was still evident. Railroad and shipping systems were still not back to normal, pension checks still hadn’t been received, and people were still trying to find packages that had gone missing when shipment tracking data was lost, for example. It was also estimated that the attack cost Merck, FedEx, and all the other companies that were affected billions of dollars. Some insurers refused to pay for damages from this cyberattack, claiming it was an act of war and therefore fell under a war exemption clause in their policies.

This Russian cyberattack made it clear that cyberweapons are weapons of mass destruction. Russia could have done much worse. It could have crashed trains and planes instead of just disabling scheduling, ticketing, and payment systems. It could have created explosions or toxic incidents at manufacturing plants or nuclear power plants.

Some experts believe Russia used the NSA’s tools in this attack to discredit and expose the NSA and the U.S. government. Others believe Russia was just using this attack, and the earlier ones in Ukraine, to test its capabilities and to prepare for, or signal its ability to execute, even more devastating attacks in the future. By the way, Russia has continued to harass Ukraine. For example, in 2019, it inundated Ukrainian Facebook accounts with anti-vaccination propaganda as the worst measles outbreak of recent times spread there.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • The Chinese attack on Google and Google’s response,
  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

CYBERSECURITY AND THE DEVASTATING LEAK OF THE NSA’S CYBER TOOLS

My previous post on computer hacking and cyberwarfare began my overview of New York Times cybersecurity reporter Nicole Perlroth’s book, This Is How They Tell Me the World Ends. [1] My post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare, while also outlining two examples from the book:

  • The 2017 worldwide ransomware attack by North Korea using a Microsoft Windows vulnerability stolen from the U.S. National Security Agency (NSA), and
  • The 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant.

This post provides an overview of the book’s reporting on:

  • Electronic surveillance in the U.S. and the use of encryption technology to protect privacy, and
  • Leaks from the NSA, including of its cyberwarfare tools.

After the September 11, 2001, attacks, the U.S. greatly expanded its electronic surveillance within the U.S. In 2013, Edward Snowden, a consultant for the NSA and a former CIA employee, released thousands of classified NSA documents. They described activities the NSA was engaged in, including mass surveillance of Americans. Among many other things, the documents revealed that the NSA was secretly surveilling users of Microsoft, Facebook, Google, and Yahoo and that in a single day it had collected roughly 445,000 Yahoo email address books, 105,000 from Hotmail, 83,000 from Facebook, 34,000 from Gmail, and 23,000 from other providers.

Snowden was charged with espionage. He left the country prior to releasing the NSA documents and is living in Russia under a grant of asylum. In 2020, a U.S. federal court ruled that the NSA’s mass surveillance program exposed by Snowden was illegal and possibly unconstitutional.

As a response to U.S. government surveillance and cyber hacking, software and hardware providers started offering users the ability to encrypt their data. Initially, intelligence agencies and law enforcement had ways to overcome the encryption and access the data, typically with the assistance of the product’s provider. Then in 2014, in the wake of the Snowden revelations, Apple announced that the iPhone 6 would automatically encrypt everything on the phone using the phone user’s unique password, making the data impossible for anyone else to decrypt. Previously, Apple had held a key that could decrypt a user’s data when requested by law enforcement. The FBI and those running government surveillance programs were upset and concerned about this truly secure encryption, but there was strong support from users, who valued their privacy.

A year later, two terrorists, who had sworn allegiance to ISIS, shot and killed 14 people and injured 22 at the San Bernardino, CA, health department. The terrorists fled and were killed in a shootout within hours. One piece of evidence recovered was an encrypted iPhone. The FBI demanded that Apple decrypt the phone, which apparently it could not, and also demanded that Apple change its software to allow the FBI to decrypt data in the future. Apple refused, pointing out that if there were such a capability, others would want access to it too and hackers would be able to find it as well.

The FBI initiated a court case to force Apple to allow it access to iPhone data, but four months after the shooting it abruptly dropped the case. It turned out that an unidentified hacker had sold the FBI a way to overcome the encryption. Surprisingly, the FBI Director, Comey, admitted that the agency had paid the hacker at least $1.3 million for this capability. This was the first time the U.S. government had admitted to paying a hacker a large sum to give it access to a vulnerability in a widely used electronic device or piece of software. The FBI claimed that it did not know what the underlying flaw was and that it had no intention of letting Apple know so it could fix it.

Apple was correct, of course, in stating that any ability of the FBI or U.S. intelligence agencies to circumvent the encryption of users’ data would eventually be available to others, including those with less scrupulous intentions (assuming you believe U.S. intelligence agencies and the FBI always have scrupulous intentions). International adversaries and individual computer hackers are constantly uncovering computer software and hardware vulnerabilities. They use or sell these vulnerabilities to obtain unauthorized access to data, for use in international cyberwarfare, or for use for private gain through theft of money, trade secrets, or other valuable information. These computer vulnerabilities can also be used in ransomware attacks, where computer systems are disabled or data stolen for nefarious use unless a ransom is paid.

Probably the worst piece of news for the U.S. intelligence agencies in the history of cyberwarfare was the leak of the NSA’s tools and techniques in 2016 and 2017. While Snowden’s leaks revealed what the NSA was doing, these leaks revealed, in detail, specifically how it was doing its cyber espionage and cyberwarfare.

Over a nine-month period, an unknown individual or individuals leaked specific software vulnerabilities and the computer code the NSA was using to exploit them. These NSA hacking tools had been stolen and were now being released publicly on the Internet, sharing the world’s most powerful cyber arsenal with anyone and everyone who might want to use it. These NSA cyber weapons were used, for example, by North Korea in its global ransomware attack (described in my previous post) and by Russia in its devastating attack on Ukraine in 2017 (to be described in my next post).

The leak of the NSA’s cyber weapons exposed what was probably the biggest federal program the public had never heard of, a cyber espionage and warfare effort so classified it was invisible: hidden through blacked out budgets, large cash transactions, shell companies, contractors, and nondisclosure agreements required of everyone involved in it.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • Russia’s cyberattacks on Ukraine,
  • The Chinese attack on Google and Google’s response,
  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

THE COST, DAMAGE, AND THREAT OF CYBERCRIME AND WARFARE

The lines between computer hacking, cybercrime, and cyberwarfare are blurry. They are threats to our national security and also to you. At risk is not only your financial welfare and identity, but also your health and well-being. Cyberwarfare is at a level of threat that has similarities to nuclear weapons in that it can inflict major societal harm and is restrained or deterred only by the threat of retaliatory harm and damage, similar to the mutual assured destruction that deters nuclear war.

This is not an exaggeration, as the book by New York Times cybersecurity reporter, Nicole Perlroth, This Is How They Tell Me the World Ends, [1] makes clear in great detail. She presents the development and evolution of cyber hacking, crime, and warfare since she began reporting on it for the Times in 2013. She also puts it in an historical context of espionage going back to the Cold War and the 1950s and then outlines its transition from human agents to cyber capabilities over the last 40 years. I encourage you to read her 406-page, revealing, convincing, and downright scary book if you are so motivated. I will attempt to summarize it in this and subsequent blog posts.

The scale of computer hacking, cybercrime, and cyberwarfare is much greater than I had any idea it was. The costs to individuals, businesses, governments, and other organizations (such as hospitals) are enormous. A 2018 RAND Corporation report, the most comprehensive study of cyberattacks at the time, estimated that the worldwide losses for the year from cyberattacks were hundreds of billions of dollars. By comparison, the estimated cost of terrorist attacks in 2018 was just $33 billion. Some current estimates put the costs of cyberattacks at over $2 trillion a year and growing.

The number of ransomware attacks, where hackers encrypt an organization’s computer systems and data and withhold the key until a ransom is paid, more than doubled from 2019 to 2020, for example. [2] Much of this is done by cyber criminals looking to make money. However, back in May 2017, one of the cyber hacking tools stolen from the U.S. National Security Agency (NSA) (more on this in a subsequent post) was put to use by North Korea in ransomware attacks all around the globe. Within 24 hours, more than 200,000 computers in 150 countries were infected. Nearly 50 British hospitals were incapacitated, as were Russian railroads and banks, Indian airlines, Germany’s railroads, Spain’s largest telecommunications company, Japanese police, South Korean movie theaters, many gas stations and universities in China, and small electric utilities and FedEx in the U.S. Russia and China suffered the most, partly because vulnerable, pirated software was widely used there.

The attack used a flaw in the Windows file-sharing (SMB) protocol that the NSA had discovered and exploited for years. When the NSA learned that knowledge of the flaw had been stolen and was about to be exposed, it notified Microsoft, which released a fix (Microsoft bulletin MS17-010) in March 2017, about two months before the attack. But shipping a fix is not the same as getting it onto millions of customers’ computers. Many customers are slow to install Windows updates, particularly companies running Windows on computers performing critical functions, where updates must be closely managed to minimize downtime. Making matters worse, many computers, including ones controlling critical infrastructure, were running an old version of Windows that Microsoft had stopped updating three years earlier, so no fix existed for them at all. Microsoft had to go back and issue an emergency update for that software so its users wouldn’t be held hostage by North Korea or by run-of-the-mill cyber criminals.
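The two failure modes described above, machines that never installed an available fix and machines on an operating system so old that no fix existed, are exactly what a defender has to separate when triaging an inventory after a vulnerability like this one is disclosed. The script below is an added example, not code from the book or from Microsoft. The bulletin identifier and the release and end-of-support dates are the real ones for the fix discussed in the text, but the host inventory is constructed, the out-of-band update identifier is a placeholder, and the host names and function names are hypothetical.

```python
"""Patch-gap triage for a single vulnerability (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date

# Reference data for the one flaw being triaged. The bulletin id and dates are
# the real ones for the fix discussed in the text; the emergency-update id is a
# PLACEHOLDER. Verify all of it against the vendor's lifecycle pages before use.
FIX_ID = "MS17-010"
FIX_RELEASED = date(2017, 3, 14)
EMERGENCY_FIX_IDS = {"OOB-FIX-PLACEHOLDER"}  # out-of-band update for end-of-life systems

# When each OS left vendor support (None = still supported on the triage date).
SUPPORT_ENDED = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": None,
}


@dataclass
class Host:
    name: str
    os: str
    installed: set = field(default_factory=set)  # bulletin / update ids present


def classify(host: Host) -> str:
    """Return one of: patched, unpatched, unsupported, unknown_os."""
    if host.installed & ({FIX_ID} | EMERGENCY_FIX_IDS):
        return "patched"
    if host.os not in SUPPORT_ENDED:
        return "unknown_os"          # inventory gap: cannot tell whether a fix exists
    eol = SUPPORT_ENDED[host.os]
    if eol is not None and eol < FIX_RELEASED:
        return "unsupported"         # OS was already out of support when the fix shipped
    return "unpatched"               # a fix existed and was never installed


def triage(hosts, as_of: date) -> dict:
    """Bucket hosts by status and compute how long the fix has been available."""
    by_status = {"patched": [], "unpatched": [], "unsupported": [], "unknown_os": []}
    for h in hosts:
        by_status[classify(h)].append(h.name)
    needs_action = sorted(by_status["unpatched"] + by_status["unsupported"] + by_status["unknown_os"])
    return {
        "status": by_status,
        "days_since_fix": (as_of - FIX_RELEASED).days,
        "needs_action": needs_action,
    }


# Constructed inventory (hypothetical hosts). "MS17-007" stands in for some
# unrelated update so that the host is visibly maintained but still exposed.
SAMPLE_HOSTS = [
    Host("hr-ws-01", "Windows 10", {"MS17-010"}),
    Host("finance-fs-02", "Windows 7", {"MS17-007"}),
    Host("plant-hmi-03", "Windows XP", set()),
    Host("lab-old-02", "Windows XP", {"OOB-FIX-PLACEHOLDER"}),
    Host("kiosk-9", "Windows Embedded", set()),
]
AS_OF = date(2017, 5, 12)  # the day the ransomware outbreak began


def demo() -> dict:
    return triage(SAMPLE_HOSTS, AS_OF)


if __name__ == "__main__":
    report = demo()
    print(f"fix available for {report['days_since_fix']} days")
    for status, names in report["status"].items():
        print(f"{status:>12}: {', '.join(names) or '-'}")
    print("needs action:", report["needs_action"])
```

The point of separating "unpatched" from "unsupported" is that the remediation differs: the first group needs the existing update pushed and rebooted into place, while the second group has nothing to install until the vendor ships an out-of-band fix or the system is isolated or replaced.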

Microsoft’s President, Brad Smith, was angry; this was not the first time the NSA had put Microsoft in this position. He publicly criticized the NSA for withholding the Windows vulnerability from Microsoft and then, when it became a problem, dumping it in Microsoft’s lap to fix on short notice. At the time, this story got short shrift in the U.S. media because of all the focus on the new Trump administration and the controversies it was generating. The administration was, however, quick to identify North Korea as the culprit, in stark contrast to its failure to out Russia for its cyberattacks, including its meddling in the 2016 U.S. election. (More on this in a subsequent post.)

Initially, government-sponsored cyber hacking, with the U.S. leading the pack, was used for espionage and surveillance of foreign governments and agents. The U.S. has multiple agencies spending billions of dollars developing and using cyber hacking capabilities. It has large teams of computer experts identifying vulnerabilities in computer software. Rather than alerting companies to the vulnerabilities in their products, U.S. intelligence agencies developed the software vulnerabilities into weapons for spying on adversaries (e.g., by stealing data from their computers). This use of cyber hacking is considered defensive as it is used to protect the U.S. and not to harm others.

The U.S. government also bought software vulnerabilities from private hackers who had discovered them, sometimes paying millions of dollars for them. Finding and selling software vulnerabilities has become a worldwide business for private hackers, since anyone with a computer and the right skills can enter it.

However, as was probably inevitable, computer hacking shifted to being used offensively, to harm adversaries, since it has the inherent capability to disrupt computer-controlled equipment and communications. In 2008 and 2009, the U.S. government, led by the NSA and probably with Israel’s participation, carried out a cyberwarfare attack on Iran’s nuclear enrichment plant. It damaged the centrifuges used to enrich uranium, delaying Iran’s ability to produce enough sufficiently enriched uranium to build an atomic bomb. Many experts view this attack as the moment cyber capabilities shifted from espionage and defensive uses to offensive ones.

After a cyberattack, given time, effort, and expertise, the target can almost always identify the source of the attack. So when U.S. intelligence agencies say they “think” a cyberattack came from, say, Russia, they know that it came from Russia. They usually also know which organization was behind it, although it can be difficult to tell whether the attack was government-sponsored or carried out by private hackers who happen to be located in Russia (or China, Iran, North Korea, etc.).

After the successful attack on its nuclear enrichment plant, Iran, not surprisingly, wanted revenge. Once it discovered the cyberattack, it also possessed the weapon, the software that had been used, and could turn it back on the attacker.

Furthermore, the weapon, as cyber weapons often do, spread itself out from the Iranian centrifuge plant over the Internet and around the globe, eventually reaching the U.S. and infecting computers at Chevron. Fortunately, because it was designed to specifically attack the Iranian centrifuges, it didn’t do a lot of damage at Chevron or at other sites it infected.

Despite this experience, the U.S. government continued to focus on its offensive cyberwarfare programs and largely ignored building cyber defenses. Surprisingly, it ignored the clear vulnerability of U.S. computers and systems to the types of attacks it was undertaking, despite the fact that the U.S. is more dependent on computers and the Internet than other countries, making the U.S. more vulnerable to a cyberattack than anyone else.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • Electronic surveillance in the U.S. and the use of encryption technology to protect privacy,
  • Leaks from the NSA, including of its cyberwarfare tools,
  • Russia’s cyberattacks on Ukraine,
  • The Chinese attack on Google and Google’s response,
  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      De Vynck, G., 9/22/21, “Treasury’s fight against hackers targets crypto payments,” The Boston Globe from the Washington Post