In the last year, the political sphere has become the latest casualty of the growing cyber threat. Hacking was rampant in the run up to the US elections, there have been reports of political think tanks being compromised in Germany, and in France fake polls have been published and En Marche emails leaked.
With the UK general election tomorrow, it would be foolish to assume cyber defences are sufficient to counter an attack; indeed, GCHQ has warned those with links to the election to be wary of cyber attacks. However, Fidelis Cybersecurity’s threat intelligence manager, John Bambenek, believes that there is no indication the UK General Election will be hacked.
In an interview with Information Age, Bambenek discussed the intersection between cyber attacks and political motivation. He went into detail about the past political breaches in the run up to the US and French election, while elaborating on how stolen information in breaches can be weaponised by nation states.
Is it too late for hackers to hit the UK General Election?
If the previous pattern holds, then I would have thought that something would have happened by last weekend. The hacks on the French election (held on a Sunday) and the American election (held on a Tuesday) took place three days before the election. They like this three-day thing. I suspect we would have seen something by now. There’s really no indication; even with the French election we saw the precursor of the attack and then the email dump. We’ve seen nothing in regard to the UK election that’s anything beyond noise. People target and hack political parties all the time, but nothing really stands out on this occasion. You don’t know what you don’t know, but I suspect that it’s in the clear at this point.
Is there any particular reason for this? Why hasn’t there been an attack?
In the case of the UK, I looked at both the Conservative and Labour parties, and it appears they do everything relatively in-house. There were no clear third-party partners or technology providers. In the US, the hack on the DNC was through one of their IT providers. In France it was mimicking Office 365, which En Marche was using. So, I didn’t see anything like that.
There really wasn’t a clear political side that the Russians could pick geopolitically. Russians like going for an anti-establishment angle and they may have found nothing there. Some of the stuff that got leaked over the course of the French elections had to do with various corruption scandals, and then there was the email dump. But the reason those operations in the US had, and I don’t want to say success or impact (the only success criterion is how many votes were changed, and I suspect not many), but in terms of generating news stories, the Clinton Foundation – and the Clintons – have had their fair share of scandals over the past few decades, so that gave a lot of traction to various things that were leaked.
In the UK, Theresa May has only been in power for eight or nine months. She’s not been Prime Minister for that long, and if I were the Russians, or if I were an intelligence agency, at this point I would care less about the outcome of the British election than I do about the Brexit negotiations. That’s going to be the defining geopolitical feature of what Europe looks like less than two years from now. So if I were an intelligence agency, let’s just establish and keep a foothold simply to monitor and influence the Brexit negotiations, because that’s going to have the bigger impact over the long term.
You mention Brexit. How important is it for the UK and the rest of Europe to keep sharing threat intelligence, relating to cyber threats? Should enterprise and public bodies use the same strategy?
I think government information sharing and private industry sharing are affected by two different dynamics. The biggest problem in the growth of cyber crime generally is that as an American I could theoretically hack anyone in the world. But at the end of the day, if the FBI or US law enforcement doesn’t pick me up then there’s no consequence for that behaviour.
Sharing intelligence information is good, but the defining problem we face is that cybercrime is a global problem while we still enforce laws nationally. Now, Brexit isn’t going to solve that problem, but we don’t want criminal entities to operate in Europe simply because Germany and the UK can’t cooperate under a common interest. The Mirai arrest was of an Israeli-born British national living in Germany, if I recall. The NCA was involved, while the German Federal Police picked him up.
That needs to continue or we’re going to see continued growth in cyber crime, because quite literally crime does pay: there’s no consequence to it as long as you manage to operate in the right country by ‘the rules’. For example, Russian criminals will not impact or target Russian citizens, as that will get the FSB’s attention. They can target Americans, the Brits and Europe all day; it doesn’t matter.
So intelligence sharing needs to continue, but what needs to be more profound is law enforcement cooperation. The problem is that no one acts on the intelligence that is sent from, say, the US to Russia if it concerns Russian hackers. I would hope on this level that these kinds of relationships continue, where the NCA can go to the BKA and say this guy in your territory is committing crimes against our people, we need to do something about that, and something gets done.
Why have political parties been targeted?
The adversary will attack you any way they can, but they’re now focusing on soft targets. The DNC and En Marche were not the objectives. It was foreign policy, the geopolitical structures of a country, that was the target. It just so happens that political parties are not government and they’re not entitled to governmental protection. They often don’t spend money on protection because they don’t have to.
But from the prism of an intelligence agency, this is where the first draft of government policies is written. I am sure there were discussions on the stance of the Brexit negotiations in both the Conservative and Labour parties’ emails. They’re not governmental, it’s not official discussion, but that’s the first draft.
So when the adversary attacks they will often go through soft targets. We saw this in the US with retailer breaches. We had a big breach of Target, which is a chain of thousands of grocery stores and retail. The way that 30 million credit card details were stolen was that the attacker first hacked a heating and cooling contractor, and then moved through them into the enterprise. The big lesson is: be mindful of the soft targets. They don’t necessarily have to compromise you; they can compromise a third-party partner and then they’re in, because that partner has access and you expect them to be secure. Why would a heating and cooling contractor spend hundreds of thousands on information security? They wouldn’t. The same is true of parties. The true objective of an attack is the government and affecting government influence, not the political parties. They represent a means.
The attacks on the DNC and En Marche probably stemmed from Russia. One of the objectives of the Russians, in these cases, is to diminish confidence in democratic institutions. The French handled the attack on En Marche better than the Americans. The French said it was no big deal; the outcome was the outcome. But in the US, the intelligence community and Congress, all these people are saying it was a grave threat. We are undermining our own confidence in democratic institutions.
Russia could have done it, but no one is asking ‘how many votes were changed, did it impact the outcome?’ If the answer is no, having congressional meetings is self-destructive behaviour. It is enhancing the perceived impact, and making the perception a reality. This is true for enterprises as well. If you’re breached, don’t lie, but don’t overestimate or over-explain the impact of the breach.
In terms of the data that is stolen in a cyber attack, how can it be weaponised?
In the case of the DNC it was self-weaponised. The US documents spoke for themselves. One of the documents I like pointing to is there was a spreadsheet that listed major donors to the Clinton Foundation, combined with what ambassadorships they got in the United States. You don’t need to weaponise that you just show it.
In the French election there wasn’t really much that was weaponisable, except the infamous old member of parliament who went to the dark internet to buy drugs with Bitcoin, shipped them to parliament, and had the receipt in his email.
Hackers aren’t really good at making things up. They rely on being able to embarrass you – and this has been true of Russian intelligence even before hacking-related issues – and when they can, they will use that. When they have to make something up to embarrass you, it’s usually easily discovered that it’s false, because it’s very hard to create a context-appropriate forgery. It’s more than creating a fake document; it’s about creating believable data. You have to have something to work with. When you have individuals who have been aligned with corruption, like the Clintons, it is very easy to make people believe things about them.
That’s a confirmation bias problem. We look at information through the prism of our already-held notions and prejudices, and those vary between countries. They’re very hard to discern outside country boundaries. It’s hard, therefore, to create that believable but fake information without the really in-depth cultural understanding that you can’t get from a distance.