Response to Russian government cyber attacks – a lost opportunity?

Where is James Bond when you need him?

Russia’s apparent interference in the United States’ Presidential election marks an escalation in the targeting of state sponsored cyber attacks.  What the US does in response to this strike against the very basis of our (somewhat) fair and free elections process really matters.

Letting Russia achieve its goals without any response is problematic, as it would encourage them and other state and non state actors to continue to target the US without fear of retribution.  If you believe (as I do) that cyber operations will play a significant role in 21st century conflicts, doing nothing is clearly not an acceptable response. 

So, if the US were to respond, what is a proportionate response?  As imperfect as our electoral system is, interference in Putin’s sham elections in which there is no opposition with a snowball’s chance in hell of winning, is clearly a non starter.  A limited attack on critical infrastructure (shutting down the electric system in Novosibirsk) sounds good at first, but would seem to violate the laws of war about collective punishment and targeting civilians. There is also a risk that mounting such an attack would tip off Ivan to methods and sources, and make it harder to use such weapons in war time.  An attack on a manufacturing control system aimed at shutting down production or damaging machinery might be more appropriate as a demonstration of both capabilities and intent.  

So, if the US were to take out Vodka Distillery No. 6, should we take public credit or would a private note government to government be enough to deter future attacks?  It seems to me that taking public responsibility for such an attack is important if we want to deter Russia and other state and non state actors in the future.  

Of course, all of this seems to be academic as the next administration clearly benefited from this attack and seems to include many with close ties to Russia and Putin.  Even if the Obama administration could plan, mount, and execute a response it is unclear whether the new administration would pursue a policy of continuing response over the next four years. Without threats of future retaliation for new cyber attacks, a response now would be a one time gesture of revenge. 

Getting political here for a minute, it seems to me that a President who does not pursue a program of responding to serious attacks by a nation state on our homeland would be, at the very least, not doing their job and, at worst, acting as an agent of a foreign state. Time will tell what President Trump will do, but you will have to pardon me if my expectations are low.

In the coming days, the Obama administration should make every effort to collate and make public all the evidence of the Russian government’s role in this affair.  Then, it is up to us as a people to demand a proportional response from our elected officials.


The other big hack of 2016?

Obligatory stock photo of masked hacker.

According to CSO Online, someone is offering for sale what they claim is a 6GB file of “data enrichment” information pertaining to over 200 million people.  The information in this file is truly disturbing – it provides over 80 attributes for over 200 million Americans, including:

…a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.

In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.

Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).

There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.

The price for this treasure trove?  US$600.

With this information in hand, cyber attackers could craft extremely realistic phishing attacks targeted with laser precision.  They could choose victims to concentrate their effects on for maximum profit.  Real world attackers could also use this information to plan crimes such as burglaries or kidnappings.  Governments (both foreign and domestic) could use this information to select targets for surveillance.

The source of this information is not yet clear, but if it is genuine, it most probably came from a private company aggregating it for marketing use.  If companies are to be allowed to capture and collate this kind of data, they must be held to strict standards when it comes to data protection.  If this data is real, whoever let it fall into unauthorized hands should be subject to some serious legal and civil action.

This story does not seem to have made it to the mainstream media as of yet – I am hoping that this is because they are working to validate whether the data is in fact real.  If this turns out to be a real story, I think we have the winner for the biggest non political hack of 2016.

Stay tuned.


Today, I want to be a Canadian

This morning, I read an amazing story in the New York Times about a Syrian refugee family building a new life in Canada.  As you would expect, the piece highlighted the many challenges they are facing, from cultural differences to finding work.  What really stood out for me however was that Canada not only took these people in, but that everyday Canadians “adopt” each family and volunteer their time to help them make the transition.

When I contrast the attitudes expressed here in the US about taking in these refugees, who are truly fleeing persecution and death, it makes me very sad.  Canada’s response seems much more in keeping with American values than anything I have heard down here in a long time.  I fear that the US has lost its place in the world as a beacon of hope and democracy.

If I wore a hat, it would be off to the government and people of Canada.
