Ideas

Ep. 48: Cyberwarfare today

In the first of a three-part podcast series, we're going to look at the contemporary risks of cyber warfare, from ransomware and extortion to online banking and culture wars.

Defense One Staff

|

Google Play Apple Podcasts

Our guests include:

  • Dawn Thomas, Associate Director and Research Analyst on the Safety and Security team of CNA;
  • Paul Gagliardi, a former U.S. intelligence contractor and current threat intelligence analyst at SecurityScorecard;
  • information security researcher The Grugq;
  • Adam Segal, who directs the Digital and Cyberspace Policy Program at the Council on Foreign Relations; 
  • and Jen Miller-Osborn, deputy director of Threat Intelligence and Unit 42 at the cybersecurity firm Palo Alto Networks.

A transcript of this week's episode is below.

Subscribe either on Google PlayiTunes, or Overcast, or wherever you listen to podcasts. Thanks for listening! 

When our days are mostly spent on devices, our lives are mostly cyber.

Today, the cyber world is an almost ubiquitous domain, affecting businesses, banks and livelihoods. Even your daily schedule.

But cyberwarfare is cultural and political business, too, affecting trust, identity and speech.

Of course it’s also disruptive geopolitically, combining soft and hard power to confuse or degrade enemies or alliances.

It’s hardly a secret that hacking and offensive cyber operations can offer a wild return on one’s investment. And not all of that has to be monetary. 

And not all of that happens on the level of ones and zeroes.

At the level of everyday news and noise, if left unchecked, cyber warfare slowly poisons the public record, rearranging the bindings of our most trusted sources of knowledge, forging some, erasing others.

And yet at the same time, the cyber domain involves so much more than our access to news and the truth. It reaches into the lamps of our homes, customizing how we have conquered our environments with programmable thermostats — connecting so many tiny devices, and all of us, likely at this very moment via the remote conveniences of the smartphone and cyber age.

For this episode, I wanted to take a look at the number of known cyber attacks in 2019 so far. What I found was, well, a lot. 

Here are some of the trends and findings we’ve discovered or stumbled upon or paid for in various ways over the last few months:

  • We began the year having learned suspected Iranian hackers had siphoned large volumes of email passwords and other sensitive data from multiple governments and private companies in late 2018.
  • Fast-forward to the past few weeks, and the White House’s war of words with Iran appears to have popularized fears of what the Department of Homeland Security called “wiper” attacks that can disable entire network workstations.
  • In June, the security firm CyberReason announced that suspected Chinese attackers hacked global telecommunications providers networks in a breach that appears to have begun seven years ago. 
  • Also in June, NASA’s Jet Propulsion Lab announced it seems to be a perpetually-favored target of hackers going back at least 10 years.
  • Electrical power plants around the world have become a growing target of so-called Triton/Trisis malware — a change researchers say seems to signal a shift away from the previous hot targets of global oil and gas sectors.
  • One other big likely change we’ll hear more about later: The threat landscape is evolving from "blended threats" that review "spray and pray" victims to identify targets for more in-depth exploitation. Which is to say, in many ways the data has already been collected; now the bad guys are off to a new phase of targeted exploitation of that personal data. 
  • Concerning hacks of a more profit-seeking nature, Americans city and citizens’ data held for ransom in 2019 include the Florida townships of Lake City, Riviera Beach, Key Biscayne; as well as Baltimore, Maryland; and the state of Georgia's Courts and Judicial Council.
  • Cloud services provider PCM Inc., of El Segundo, California, suffered a major breach discovered in mid-May. That one, according to cybersecurity analyst Brian Krebs, appeared to be aimed at hackers “harvest[ing] gift card information from a number of the company’s customers.”
  • Through the end of May, 885 million mortgage records at New York’s First American Financial Corp., including socials and bank account numbers — were exposed online. And state authorities are investigating that one. 
  • A growing target today: e-retailers, with troves of credit card data from hacked brick-and-mortar stores like hotels and restaurants.
  • Cloud-based payroll software company Apex HCM, out of Roswell, Ga., paid a ransom to get its customers' data back in February.
  • Some of the big companies that suffered public breaches this year include PR firm Fleishman-Hillard, media giants Fox Broadcasting, Gannett, and Hearst Digital, as well as Kohler, and Pandora.
  • For healthcare data by itself, some 20 million — yes, million — patients of the medical lab outsourcing giants Quest Diagnostics and LabCorp had their data breached in June under the American Medical Collection Agency. And on that note, “there were 149 hacking/IT incidents in all of 2018. We're already at 85 percent of last year's number and we're only half way through 2019." That includes vendors migrating servers of archived emails. Which may not mean much unless you’re an IT professional.
  • Just this week we learned a U.S. Coast Guard ship was hit with malware while entering a port in New York City back in February — enough malware, in fact, to trigger an investigation and a service-wide alert. 
  • And back in November, US Cyber Command opened a Twitter account just for malware alerts, which it used about a week ago to warn everyone of renewed activity by what’s believed to be Iranian-linked hackers, yet again.

All of those are just some of the bigger developments of 2019, and we’re just halfway through.

Now to our experts. 

Dawn Thomas is an Associate Director and Research Analyst on the Safety and Security team of CNA. CNA is a nonprofit research organization based in Arlington, Virginia. And they do both unclassified and classified work. Which means each employee has a pretty big target on their back.

To get things started, I asked Dawn how she would define the cyber domain today. 

What is cyber?

Dawn: “I think that’s a great question, and you have to ask it because people define it different ways depending on where you come from and kind of when you’ve grown up. So I think a bit before us when you said ‘cyber,’ people thought cybersecurity. And then they thought, ‘Well, you’re defending networks; you’re defending data; and you’re defending kind of bad acts to a very physical being that they might be trying to gain access to for political reasons or purely economic reasons.’ But that was cybersecurity and that was all it encompassed.”

Paul: “I mean I think the word cyber just encompasses the security of software, hardware and information.”

Paul Gagliardi is a former U.S. intelligence contractor and current threat intelligence analyst at SecurityScorecard.

Paul: “Used to be akin to maybe physical security such that you know a lawyer would lock up all their sensitive documentation in some cabinet and there was exploitations of those types of systems. In the modern age, that has just transferred to an interconnected IT world.”

Dawn: “Now it’s different. And I think it’s because cyber is bigger. Cyber is so interconnected with the way that we communicate.”

Watson: “The way that we live.”

Dawn: “The way we live, the way we do everything. The internet of things, other than being like a cool acronym with a small O, is also it’s a very real thing We are the internet of things, and we’re just on the cusp of how many more things it will be in the future. So now when you look at cyber, it’s where anything that is cyber touches any part of society — which is basically everything.”

And from that everything, there are roughly five areas we’re going to focus on in terms of how cyberwarfare impacts society today. 

Those five areas are: 

  • Elections
  • Military secrets
  • Damage to infrastructure
  • Political and corporate espionage
  • And polluting information spaces. 

In this episode, we’ll focus a little bit on espionage and infrastructure, and quite a bit on our everyday information spaces. Which involves all the stuff in your wallet and on your phone. 

Now back to my conversation with Dawn.

Watson: “Riding in here on the Metro I saw signs for 5G, I saw some companies even advertising 3G services still. It reminded me how my wife and I only just now got a handle on our data usage. We don’t have 5G here yet, and I’m thinking everybody’s rushing to give us 5G and competing with Chinese cybersecurity risks and espionage and so forth, and trying to get you know the British to not use it, et cetera et cetera, and I’m thinking if you give me 5G, I’m gonna blow my data usage bill and I’m suddenly gonna have a whole new problem to deal with on top of that.”

Dawn: “It’s absolutely true and it’s funny because I think as Americans, and this  has definitely shown up in the kind of workshops that we did around the world, we spend a lot less time thinking about, ‘Well, this is what you can do — but what should I be doing?’”

Ben: “That’s a ‘Jurassic Park’ quote.”

Film clip: “Yeah but your scientists were so preoccupied with whether or not they could that they didn’t stop to think if they should.”

Dawn: “Yes, it’s similar to making very large beasts that you cannot control: Do I really want to be doing things like my banking on a device I hold in my hand in a public space? Other countries, the actual citizens, so not just governments and the people who are paid to think about this sort of thing, but the citizens themselves think more about that than we do.”

Ransomware and extortion

Part of why those citizens from other countries seem to think more about it than we do is some of the most disruptive cyber attacks in recent years began in Europe. And the world is still feeling the effects of those two big ransomware attacks still today. We know them by the names WannaCry and NotPetya — both making their most disruptive way around the web almost exactly two years ago. 

Grugq: “The WannaCry event was basically a state-sponsored criminal group with financial motivation who developed a piece of software to get money and then that escaped the lab, so to speak. They didn’t realize how effective the exploit was, they put it in place, and you know, a few hours later all of NHS in the UK was going down.”

That’s information security researcher “The Grugq.” He was nice enough to speak to me while waiting on a pizza halfway around the world at his flat in Thailand.

Grugq: “That sort of revealed that you know from a telco interior in Spain, you could release a tool that only goes on local networks and you could end up in the NHS. Like, how does that work? They shouldn’t be connected, and yet they are. There’s sort of this shadow internet that exists and that’s sort of what WannaCry revealed. What NotPetya did is it revealed that that shadow internet is actually going to, it’s going to complicate people’s attempts to do cyberwarfare attacks. So NotPetya was designed as a sort of, I hate saying it, but let’s say it was  a cyber munition, right? This is a cyber bomb, with a blast radius set to exactly everyone who does business in Ukraine. But the problem was once they released it, it turns out that there’s enough people who do business in Ukraine that within a few hours, it had gone global. And it starts taking out you know all of these completely unrelated things. You know, condom factories ended up being shut down; medicine stockpiles sort of going short. All of these other things that are just connected via this shadow internet got taken down. And the story there is that even if you have a highly-targeted, very specific — you know this is going to hurt exactly who we intend it to — There’s unintended consequences that are very, very hard to predict.”

And making things even harder to predict? Some of the most powerful cyber tools ever created are floating around the web in use and for sale for certain shall we say enterprising users. Some of those tools came from the NSA, and were used against a major American city mere miles from the NSA’s headquarters at Fort Meade, Maryland. 

That city would be Baltimore. Here’s Jen Miller-Osborn, deputy director of Threat Intelligence and Unit 42 at the cybersecurity firm Palo Alto Networks. Unit 42 researchers Tom Lancaster and Rob Falcone (not Jen, as originally noted here) wrote a recent report on the cybertool used in attacks against Middle East governments, a tool known as EternalBlue. And here’s what Jen's team found out about how it works.

Jen: “We learned that a group called Emissary Panda — it has a bunch of other names, APT27, Bronze Union, Lucky Mouse — we caught them attacking a couple of governments in the Middle East. And their initial attack and foothold for how they ended up getting into these organizations is they used a newer CVE [critical vulnerability exploit], 2019-0604, which is for a vulnerability in SharePoint servers, which are obviously used by almost every organization on the planet. They were able to successfully get into three of those. And from there, they turned and pivoted to the internal network to actually try to carry out what the actual goals of the attack were. And one of the tools that they used when they were doing this pivoting to other systems was the EternalBlue vulnerability that was used in the WannaCry attacks, because it’s incredibly useful to use in networks where they haven’t been patched for it because it allows them to spread pretty quickly to a number of systems. And we hadn’t seen them use the vulnerability before, and we hadn’t seen them use the SharePoint vulnerability before either.”

One of Baltimore’s big problems? And it’s a problem across the country, in offices and homes everywhere: Install security patches, like as soon as they become available. 

Here’s Jen again on the difficulties facing cities like Baltimore. 

Jen: “Obviously there are a lot of factors that play into whether or not an organization can patch, how difficult it can be, if they have the staff for it — there’s just, it’s such a complex process when it sounds simple.  Yes, telling everyone to patch; and ideally everyone does patch. But there are a number of different legitimate reasons people aren’t able to. And this sort of activity highlights why that means other components of security are critical. You can’t just recommend patching. Because there are people and there are organizations that have systems they can’t patch because they can’t update to whatever because it’ll break something. So in that case, you know, the organizations or even individuals need to kind of focus on other ways to keep themselves safe. Obviously some of those are pausing when you get a strange email to kind of think about it for a minute before you do the clicking. Some of those are having security software installed on your own system. And that goes for organizations as well. There needs to be — and this has been a problem in general; you see it a lot where it’s hard to justify the money that it will take to secure a network that hasn’t had a problem, especially if you’re constrained budgetary areas to begin with. Which is why a lot of times you see there’s a breach and then there’s all this money kind of invested. But we’ve seen the pattern often enough and the world is so connected and so global at this point that this needs to become more of a first thought rather than a last thought for how to keep your personal computer as well as your corporate networks secure. And to be aware in cases where you know you can’t patch, well now you need a stronger security posture so you can keep that system or that laptop protected because you’re accepting that you’re gonna have vulnerabilities, which means the next logical step is to take other steps to keep it protected. And there are other options; you can have AV [anti-virus software], you can firewalls. You know I personally have a smaller Palo Alto appliance; actually all of the employees get them; I have that at my house set up.”

And that’s one way Jen protects herself. But one very mundane fact of cyber life today: solutions to problems like Baltimore’s can often in retrospect seemed to have been quite simple — involving somewhat fundamental principles of IT security.

Grugq: “You know the lists stay the same — it’s patch management. Making sure that credentials for people who are fired are taken out of the system; it’s always the same stuff. And patching is always in there. And personally, since I don’t have a huge network of computers to take care, I never thought of it as much of an issue; but speaking to a friend who he has to take care of a fleet of slightly over a million computers — like a million Windows boxes. And there’s literally no way of ensuring that the patch level for all of them — because it’s global — there’s no way to ensure that the patch level for this global fleet is consistent. They got statisticians in and they found out how many random samples they needed to take, and it’s something like 2 or 300,000 boxes that they check. And from that they extrapolate to what level of patching most of their fleet is at. And when you see those sort of numbers, you realize ok maybe it’s not such an easy problem. it seems so brain-dead simple, and yet here we are.”

Phishing and social engineering

Another easy way to defend ourselves, simply enough, is not clicking on funky links. 

And that’s something that’s quite a bit more challenging than it sounds. Consider this: At least 15 percent of computer users will click on a funky link without assessing whether or not its safe first. 15 percent may not sound like a lot, but for a hacker or nefarious dude doing shady cyber stuff today, that’s an enormous number of possible ways into a system. 

Dawn: “That’s true and you know our IT security department gets great delight in sending those fake phishing emails and seeing who clicks. I’m getting very savvy to them because that just makes me angry if I was ever gonna fall victim to it. I mean you see it at the kind of national politics level. There was — not naming names — but there were a series of emails, spoofed emails that went out that people that work in cybersecurity responded to. So everybody is a possible victim of this. Everybody. Which is—”

Watson: “Sounds so daunting.”

Dawn: “It is daunting. It’s frightening. And so you have to — you can’t stop it necessarily from the criminal side; you can try to tamp it down and you can work with your international partners, and you can try to develop kind of international rules of play about how to deal with it. So you can kind of decrease the supply, but you have to decrease the demand. We just we have to be savvier.”

Jen Miller-Osborn says she couldn’t agree more.

Jen: “Exactly, and that’s exactly why a lot of those emails come across with things like that. You know, confirm this charge to your credit card. Oh hey, your credentials were used in a different area. Confirm package delivery from UPS, FedEx. Things like that. Because they rely on people’s emotions to override their good sense. They rely on that ‘Oh my gosh, what could that possibly be?’ Click before your brain has a second to say, ‘That doesn’t make any sense. This looks kind of weird.’ And kind of take a step back and look at the email a little more critically. They’re relying on that emotional connection, that initial sense of panic, usually, to override people’s actual logical part of their brain. It’s social engineering, I mean, and it’s exploited by actors across the spectrum in the cyberspace.” 

Paul: “Yeah, I mean social engineering attacks and exploitation of the human psyche will always remain.”

Paul Galiardi again.

Paul: “What we were finding in some of our issues or factors that we scored on are not even to that level. They’re just like, ‘Is your front door locked? Does the lock have the defense mechanisms that we declare as mathematically sound.”

Speaking of mathematically sound approaches, here’s an amazing stat: Nine out of 10 people will insert into their computer a random thumb drive found on the ground. Like, no questions asked. I hope that’s not you. But statistically it probably is. 

And the stat is worth hearing again, so here’s Adam Segal — who directs the Digital and Cyberspace Policy Program at the Council on Foreign Relations — explaining the phishing and thumb drive threats, from his point of view. 

Segal: “Yeah I think when you hear from the people who are truly responsible for defending the networks you constantly hear that there is no technology solution to this problem; these are people problems and, as you said, people click on links and do things they’re not supposed to do. I think the other scary statistic is that something like over 90 percent of the people who find a thumb drive in the parking lot or the bathroom will come back to their office and plug it back in. Which is kind of human nature, right? You think, ‘Oh I found this thumb drive. Maybe I could figure out whose it is and return it to them,’ right? So they’re taking advantage of I think these kind of deeply ingrained desires and curiosity. So people are clearly a huge part of the problem.”

Another is the slow pace of the U.S. government in staffing experts who can proactively address both legacy and emerging cyber threats — or as Dawn Thomas described it, “decreasing the attack surface.” And we’ll get into more of that in a later episode. 

Here’s Dawn on some of the things she’s learned working with experts abroad. 

Dawn: “When we were doing our workshop in Munich, for example, they just laughed at doing your banking online on a device that you held in your hand. Why would you do that? It’s your money. It’s something that has an obvious target on its back. It’s the thing that many cyber criminals go after directly. And you doing your banking in public on your phone in your hand. That blew their minds. Why would you do that? Go to the bank. So you know, not that that secures the data on the backend, but still—”

Watson: “I need more German friends.”

Dawn: “Exactly. It at least decreases the attack surface in a way. And they’ve kind of thought through that. We have not. So I think there’s a couple of different prongs. It’s thinking through the like, ‘Yes we can, but should we?’ It’s education. The generation of kids right now, they’re doing a lot online in school. So it seems not easy, but doable that that kind of savviness can be built in, teaching that savviness can be built in while they’re using screens at school and computers at school. To question what you’re seeing. To make those decisions about, ‘Yes I do want to use electronic medical records because it can transfer it from one doctor to another and I’m willing to take that risk.’ But I’m not willing to program my refrigerator from my house because it’s not that important that it goes up one degree. So making those decisions, but also questioning information in whatever form it takes.”

Watson: “Skepticism, sure. Validation, fact-checking.”

Dawn: “Yes. And then at that backend, to build in those places to check your facts. You know remember when Snopes came out, you were like, ‘Ahhh,’ because it was this place you were like, ‘I wonder if that’s true…,’ well now you can go.”

What Dawn is talking about could be called tech literacy. And with today’s ubiquity of smartphones, tech literacy is becoming at least as useful for navigating our social media worlds as media literacy — double-checking data and stats, verifying sources, the stuff of journalists, in many ways. And with so much information out there competing for our attention one Facebook post, Tweet, or Instagram story at a time, well, who has the time to double-check each sensational or suspect post? 

Grugq: “Controlling computers isn’t the end-all and be-all of cybersecurity. It’s not the only information warfare thing out there.”

Here’s the Grugq again, explaining how not just nefarious state actors are wise to this information operations domain — but marketing companies are increasingly in on it, too.

Grugq: “You actually have this other layer of information processing, which is the human operator. Even if the human operator is, you know, people using Facebook. And so it’s very, very interesting and what I particularly find interesting about it is that even though this started off as this sort of niche, advanced technique used by a nation-state, the skills required for it are literally — it’s marketing. You know you can buy a marketing book and you’ve got everything you need to know about how to run an information warfare campaign online. So these skills are out there, they’re very, very well documented, and they’re very, very cheap. This is gonna spread. It’s not gonna be nation-states anymore; it could get down, you know, individuals could run this. But I think pretty much all countries are going to be developing some information warfare capability based around cyber. I’m pretty sure that corporations are gonna start using this as well. They’ve done stuff called astroturfing, which is similar. But this sort of takes it up to the next level. So astroturfing was when they’d create sort of fake users who said, you know, like, ‘I’ve never had a problem with the Ford Pinto; mine didn’t blow up.’ It would be like 17 people saying that all at once in the exact same way, and you’d suddenly go, ‘Wait a minute,’ you know.”

So skepticism may well carry us a decent distance through this cyber news and noise domain. But there’s something far more sinister about our own weaknesses as humans that we should also be wise to as we look ahead to the future. And it’s something that’s been with us for a long, long time already. 

Grugq: “A lie has flown around the world before the truth has got its pants on. People don’t look at news for information. They tend to look at it for ammunition. So they want to find something that they can hurl at the other tribe. And if you give them something that they can hurl, they will go for it whether it’s true or not. Because that’s what they’re looking for. And that’s pretty much always been the case. If you look at how propaganda is put together, it’s very, very easy to take something that people believe and make them believe it more. It’s slightly harder to get them to change their minds like a little bit — like make them believe it less. But to make them believe something else is incredibly difficult. Like you don’t even try unless you’ve got years to work at it. So I think that that’s what we’re stuck with. We’ve got this polarized society where it doesn’t really matter what goes on in terms of if there’s fact-checking, if there’s 17 Pinocchios, or if Snopes says this is maybe not true. Like none of that really matters because all anyone wants is something that reaffirms their basic beliefs. People have these identities of who they are that are based on a certain set of beliefs, and if you give them something that fits that set of beliefs, they’re just going to adopt it immediately. That’s gonna be very very hard to break; and theoretically one way to break that is to break the way that they are constructing tribes and to go from political-based tribal systems to you know blue collar workers at car factories would be a tribe. And you know lawyers would be a tribe, to get people to identify with something different. And you’ve got much smaller groups that you can target.”

Lessons of 2016

All this talk about noise in the information space reminded me of the 2016 election. I went back and watched one of the debates that featured a question for the two candidates on cyber security. I’ll spare you Hillary Clinton’s answer because she is not the president. 

But first the question from NBC’s Lester Holt—

Lester Holt: “Our next segment is called securing America, and we wanna start with a 21st century war happening everyday in this country: our institutions are under cyberattack and our secrets are being stolen. So my question is who’s behind it, and how do we fight it?”

Candidate Trump: "...Look at the mess that we’re in. As far as the cyber, I agree to parts of what Secretary Clinton said. We should be better than anybody else, and perhaps we’re not. I don’t think anybody knows it was Russia that broke into the DNC. She’s saying Russia, Russia, Russia; but I don’t — maybe it was. I mean it could be Russia, but it could also be China. Could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, ok?... So we have to get very very tough on cyber and cyberwarfare. It is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very very tough and maybe it’s hardly doable. But I will say we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester, and certainly cyber is one of them.”

Dawn: “You know I think at the time I tried to stay away from the news as much as possible during that time so I was probably less influenced than others.”

Here’s Dawn Thomas again.

Dawn: “But I think afterwards and kind of as it came to light what had happened and then you reflect on the divisiveness of our country and how that was used against us so effectively, I felt like the whole kind of old concept of cybersecurity just kind of went out the window for me. There are owner-operators of systems that will always be able to put the patches on and keep up with the latest malware and things like that. And I’m just I’m happy to leave it to them. And I think that we need to keep emphasizing that people need to go into those fields so that we stay competitive in that. But I’m less worried about that. I’m more worried about all the things that we don’t know. For example, I don’t think we really know how people take in information from a screen or from a social media post and process it and decision-make. We don’t know how that happens yet. So we don’t know how it can be used against us. We don’t know how video, how our eyes are trained to see video, and how we might be able to spot things that aren’t real.”

Watson: “The Pelosi video that was kind of manipulated. I think about that in terms of 5G, and I’m gonna get faster speeds. Well what would I do with faster speeds? Presumably I would use, I don’t know, video more? Because the other speeds are pretty adequate on my devices.”

Dawn: “Well because a picture’s worth a thousand words and to see it is to believe it. So yeah, you’re gonna be seeing a lot more things. And the underlying assumption in that goal is that you can believe it, that you can trust it because your own eyes are seeing it. But once that stops, once you can’t believe what you see, then we need a combination of a technical solution to help us identify when something’s been manipulated; and a way savvier population that always asks in what ways could this have been manipulated? Where else might I find video that is similar to this one so that I can compare and contrast?”

Watson: “Who has time?”

Dawn: “No one has time, so we need groups to do it for us. And that’s really frightening because then you have to trust those groups because they have to be working in your best interest.”

But until that day comes, here’s Dawn’s main takeaway from the 2016 election and the information domain today.

Dawn: “It is possible to bring down a democracy by just finding ways to have people lose faith in it. And those ways of losing faith in it are not as difficult as we once thought they might be.”

Grugq: “You know if you look at the 2016 stuff they were starting in you know 2014 and 2013 they had things going on. They start very early. And that’s because to be fair as an attacker doing an information op, there’s a lot more buildup that you need to do — you know, developing credibility, establishing personas, getting these backstories in place and all that.”

And that’s a point reiterated by Paul Galiardi. 

Paul: “The second part which I think is more troubling and a much harder problem to solve is this disinformation act that Russia seems to be executing on rather successfully. It really starts to attack, as we were talking about earlier, the human psyche, our social networks especially as applies online. Their goal is to drum up discontent and polarity amongst the U.S. voting base by sort of exposing our differences, but making it very apparent and very emotional for some people.”

How we’re different from each other. The things that divide us. The establishment versus the insurgents. The pendulum of American politics. It’s something I talked about with former Defense Secretary Ash Carter just a few weeks ago. The culture shifts that come with a new president. 

But the shifts that accompanied President Trump’s ascent to power in 2016 were unlike any shift seen since the 1960s, at least by the Grugq’s way of viewing things.

Grugq: “One of the things that’s been pointed out to me and I think it’s very very true is that so in the 60s, the sort of new left and the youth movement they were the ones having fun. And that’s where the kids went. They get to make fun of their elders, they get to do what they like and so on. These days, if you wanna be on the side that has fun, you gotta be on the right wing. You know it’s these extreme — basically it’s the white supremicists who are the ones having fun. So if you’re a 17-year-old guy and you’re looking for like the group that you can join where you can make terrible jokes, where you can enjoy yourself and do all the stuff, you end up going with white nationalism because that’s the side that lets you do it. If you join a left wing group, you’re going to get sort of tone-policed, you’re gonna have people saying, ‘Ooh, you know, you gotta be sensitive about this and that.’ So the left doesn’t have fun and I think that makes it much harder to attract people who are at an age where they’re very very susceptible and they’re open-minded about what they’re going to take. And if you’re the side that says join us, you know, we do all the cool stuff, that’s a compelling message.”

Trends and patterns

Jen: “If anything, the activity continues to increase, I would say, kind of across the board with the various motivations — whether they’re espionage or criminal or even to some extent hacktivism. Because everything takes place on the internet, at this point everyone is connected to the internet. There’s very few people left I think that don’t at least have a cellular phone that has access to the internet And people that are looking to do illegal things have followed to the internet. You know it’s so much easier to do a lot of things that you normally would have had to do in person or would have taken you know hand mailings or things like that, it’s so easy now to try to accomplish your mission and from a distance, wherever your office or your home is, and you can reach out and attack people all over the world. And I don’t expect that we’re going to see any real drop in that until more and more people, and there’s more and more focus on the security component and stopping all of that activity. Because you know humans will take the path of least resistance to accomplish whatever their goal is, whether it’s legal or illegal. And if the easiest way to do it right now involves the internet, then that is exactly what they’re going to use.”

But there are wider cyber trends we’d also be wise to note, CFR’s Adam Segal told me. He maintains what’s called a “cyber tracker” for the Council on Foreign Relations. And here are a few things he’s noticed over the past few years.

Segal “Probably the most important trend of course is just [that] we keep on adding nation-states to it. You know when we first started it was China, Russia, the U.S. and a few other operators. Since then we’ve added Vietnam and Mexico and lots of other countries that are now buying capabilities off the shelf, either private contractors or reusing the tools from the black market. So I think that has probably been the most important and useful trend. But the main story has been espionage. I think the other probable interesting trend, the one we didn’t expect, is the increase in public attribution from government sources. So you know we’ve seen especially the U.S. trying to organize like-minded — the Five Eyes and others — in attributing nation-state attackers. And before that they were pretty hesitant to do it. But now sort of for political and other reasons they’re really calling Russia and China and Iran and North Korea out.”

And offensive cyber operations are happening all the time. And there’s a kind of obvious and kind of ironic thing about that, as Paul explained to me. 

Paul: “Any cyber operation at the nation-state level, if it’s reported on or if it’s known by our countries or organizations that we’re attacking, it’s beginning to fail already.”

We’ll get into more of the nation-state level cyber operations in next week’s episode. In the meantime, Dawn told me, there are certain conditions and even imperatives I guess you could say which are likely to remain for months and years to come. 

Dawn: “So I think that we need to keep up, not because we’re not moving; but we’re not moving as fast as criminals. They have a motivation that is higher than  ours. I think part of it is understanding kind of how at risk we are, and I would like to believe that we’re starting to understand how at risk we are and that we just haven’t — it seems to big, and so we’re having a hard time addressing it. But I think the understanding that education — and maybe because of 2016 elections, at least a little glimmer in our mind of saying like, ‘Wow, this is scarier than somebody using my credit card number.’ This is, yeah — this is about the fall of democracy and so we should kind of get on it.”

One thing you can count on, according to Jen Miller-Osborn:

Jen: “It’s going to happen to everyone, whether it’s just nuisance emails to people where it’s kind of spam, or whether it’s attacks like we saw with Baltimore where it’s ransomware where it’s a for-profit kind of criminal enterprise.”

But despite that cautionary advice, and all the noise in today’s information spaces throughout our cyber world, I wondered if we’re not missing something perhaps even bigger. Something so large that we’re not seeing it, so quiet that we’re just not hearing it. And it concerns not just tech literacy — more young people using smartphones and tablets at younger ages, for example — but also global literacy levels. Are people around the world actually becoming smarter, and more literate… but we’re just not noticing because of the frenetic pace of today’s news cycles and social media feeds saturated with incredulousness and sensationalism over culture wars and tone policing in wealthy nations like America.

Put another way: Is the smartphone age, despite all that noise, in fact a net positive for the greater world in which we all live?

Paul: “I have to 100 percent say it’s a net positive — the wealth of information that you can have in your hand is absolutely incredible. To learn skill sets on YouTube, to research most historical or any historical event through Wikipedia or something is incredible. I think with this information, my generation and perhaps other countries have struggled with validation of some of it. And it’s just as we as consumers of media or information, we have to take into account the sources of that information and the perspectives that they might be trying to influence us on. It does require a more educated consumer when you have this wealth of information that’s not necessarily as curated as it was perhaps 30 years ago.”

We’d love to hear what you think. Especially as we turn to the future with our next episode in this series. Email us at production@defenseone.com. Or leave us a voice mail at 731-617-9124.

Our music comes from AudioNetwork.com and features work by Igor Dvorkin, Duncan Pittock, Ellie Kidd, Dave James, Michael Craig, Darren Leigh Purkiss, Bob Bradley, Paul Clarvis, Matt Sanchez, Matt Hill, Chris Egan, Andrew Cooksley, Duncan Pittock, David O'Brien, Philip Guyler, Sonia Slany, Barrie Gledden, Chris Bussey, and Evelyn Glennie. 

Thanks for listening.

NEXT STORY: Send Turkey’s F-35s to Eastern Europe