Welcome to Cyber Security Today. This is the Week in Review for the week ending January 21st, 2022. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by special guest Christopher Painter, former U.S. prosecutor and cyber diplomat at the U.S. State Department, who will talk about international cybercrime, including destructive cyber attacks last week in Ukraine. But first a look back at some of what happened the past seven days:
As a result of data-wiping website attacks in Ukraine, the U.S. Cybersecurity and Infrastructure Security Agency warned American organizations to take steps to reduce the likelihood of network attacks. Steps include patching and enabling multifactor authentication as extra protection for logins.
Russia says it arrested 14 people and charged eight with ties to the REvil ransomware gang. Reports say the action used information supplied by the U.S. It isn’t clear if the leaders of the gang were caught or those charged are lower-level affiliates.
Police in Ukraine said members of a ransomware gang were arrested there. And police in 10 countries combined to take down a VPN service commonly used by cybercrooks.
The cryptocurrency exchange Crypto.com admitted a hacker stole funds from 483 customers this week. According to Bleeping Computer, the attacker withdrew the equivalent of over $33 million in digital currency. All customers were reimbursed.
Websites of Canadian and American small and medium businesses continue to be vulnerable to spoofing, clickjacking and sniffing. That’s according to a scan of thousands of websites by a company called CyberCatch. It suggests IT departments need to watch their websites more closely for vulnerabilities.
And two dark websites that sell stolen credit and debit cards are shutting. The operators of the UniCC site, believed to be the largest carding site on the dark web, and its partner LuxSocks, have decided they’ve had enough. No doubt other websites will take their place.
(The following transcript has been edited for clarity and length. To hear the full conversation, play the podcast.)
Howard: I want to now welcome Christopher Painter from Washington, D.C., where among other things he’s a senior advisor at the Center for Strategic and International Studies and president of the Global Forum on Cyber Expertise Foundation. As I said at the top, Christopher has extensive expertise in international diplomacy. He started the State Department’s Office of the Co-ordinator for Cyber Issues. He helped promote norms of responsible state behavior in cyberspace, so he knows about negotiating with Russia and China. We’ll get to that in a minute. But first I want to start with the standoff in Ukraine and recent cyberattacks that it has suffered, including the defacement of government websites. Do you think Russia is explicitly or implicitly involved in these attacks?
Christopher Painter: No firm attribution has been made by the U.S. government or others. But I think Ukraine now says it’s Russia. And it’s not just the defacement of websites, although that’s significant. [But] website defacements don’t have that much impact. It also appears there’s been malicious code that’s been planted and nationally triggered on a number of government and other systems in Ukraine. Although the jury is out on who’s responsible, all fingers right now point to Russia. It certainly looks like a Russian operation, especially because of the various tensions and threat of a kinetic action or actual physical war. [Cyberattacks] certainly would precede that, and be part of that in any case.
Howard: Microsoft has said it’s seen recent fake ransomware attacks on Ukrainian government sites that disguise malware that destroys the master boot records of computers and destroys text, PDFs, spreadsheets and other files. Interestingly Microsoft says the threat group behind these attacks isn’t associated with any other group it knows of. What do you make of that?
Painter: If it is a nation-state and if it is Russia, it wouldn’t be surprising. They’d use a proxy or they’d use a group to hide their identity. There are a number of Russian and Chinese and other intrusion sets that are known. So using a new one would not be particularly surprising. And as I said earlier, the more concerning activity is that destructive activity … It’s interesting they didn’t use one of their existing [proxy] groups. But if they’re trying to separate themselves or make it look like it’s not them, they would use tradecraft to make it look like some other group or some new group that wouldn’t be associated with them historically.
Howard: Things are serious enough that Ukraine renewed a deal with NATO for cyber support, including helping the government modernize its IT and communication services. Is that a good move?
Painter: Yeah. I think there’s been a lot of support for Ukraine for years now, certainly since the [Russian] invasion of eastern Ukraine. And with NATO there’s been capacity-building work to help Ukraine build better defenses in its systems and really up its own cyber security. So I think that’s an important aspect.
Howard: Nation-state cyber warfare isn’t new. Off the top I can think of the Stuxnet attack on Iranian centrifuges allegedly done by the U.S. and Israel, there were two debilitating cyberattacks on Ukraine’s power system several years ago, Russian-based attacks on the U.S. Democratic party in 2015 accompanied by a huge fake news campaign on social media during the 2016 election, and the theft in 2015 of the entire database of U.S. federal employees from the Office of Personnel Management that was blamed on China. Canada accused China of stealing information in 2014 from the National Research Council. More recently, the Canadian Communications Security Establishment, which is our counterpart to the NSA, has said state-sponsored groups are trying to steal COVID-19 research. And the Conservative Party here believes that 13 federal ridings were targeted by foreign influence campaigns in the 2021 election. New York Times reporter David Sanger has called cyberattacks the perfect weapon for nations.
Painter: Well, it’s certainly a tool in their toolbox. It’s not surprising, especially for countries like Canada and the U.S. who are so dependent on these technologies for really everything. Other nation-states who have interests adverse to ours who are adversaries will try to exploit those technologies. Look at the range of cyber conduct — the theft of information, the theft of intellectual property. That’s largely been China in the past. It goes to their attempt to build their competitiveness and economy based on the backs of innovation made by the U.S. and Canada and other parts of the world.
The destructive/disruptive type of conduct, which includes things like the NotPetya worm, was attributed to Russia by the U.S., Canada and a number of other countries. It essentially knocked out systems around the world, and had a major impact on the shipping giant Maersk in Denmark. Also, the WannaCry worm was launched by North Korea and took down, among other things, the national health system in the U.K. Those destructive-level attacks I think have become ever more serious. So you have both of those different kinds of attacks happening. It’s not surprising this has grown as something that states are using as a way to project power. In particular, it’s not surprising that Russia or China would use this, but smaller states like North Korea and Iran can use it to project power because it’s somewhat of an asymmetric threat. You don’t need a huge infrastructure — you don’t need a huge army or a bunch of tanks to impose some costs on countries that you don’t like. We’ve seen that more and more, and I don’t think that’s going to abate anytime soon.
And then you have the things like election interference, which is incredibly serious. It’s something that we as cyber experts didn’t see coming. We were looking at the data thefts, we were looking at the attacks, but we really weren’t focused on this kind of hybrid threat — influence and disinformation operations. So yeah, we’re really seeing a wide range of activity by states, and also by criminals sometimes acting at the behest of states, acting as proxies for states. It’s obviously not a good environment.
The major message is we need to do a better job of protecting ourselves, at hardening our targets. But also, we need to make sure that we are deterring and dissuading this kind of conduct by being better at working collectively with countries to stop it. Let others know we will impose costs. I don’t think we’ve done that particularly well so far.
There’s been a number of messages from our FBI and our Department of Homeland Security about a range of potential attacks or intrusions that people should pay attention to, that they should start protecting against. This is something that I think we’re only going to see accelerating going forward.
Howard: This podcast is being recorded on Thursday. This morning the Canadian government and its intelligence agency also gave the same warning to Canadian organizations to be on the lookout.
Painter: And those are ones that if you’re in that position of a potential victim you should pay attention to.
Howard: What’s the difference between cyber espionage and, for lack of a better word, cyberwar?
Painter: The press is fond of using the term cyberwar. We really haven’t been in a [nation-state] cyberwar where there’s a loss of life or property. There have been some times when it’s gotten close to that, but we really haven’t seen that yet. We’ve had some attacks on critical infrastructures. You mentioned the Ukrainian power grid, for instance. We’ve had other things that I think are clearly serious, but they haven’t risen to the state of war, but there’s been very, very serious and ongoing activity that I think we need to pay attention to. I don’t think we’re going to have a standalone cyberwar, as they call it. But I do think that cyber is going to be a part of any traditional warfare, and we’ve seen that already in the past.
Howard: As a diplomat you tried to negotiate norms of behavior in cyberspace among nation-states. Have we had success?
Painter: I think we have. Look, there’s different parts of this puzzle. There’s no one silver bullet that’s going to solve all these issues, that’s going to keep these kinds of malicious activities from happening, whether they be from nation-states or from criminals. So you have to have a widespread multi-pronged approach. And part of that is doing a better job of cybersecurity, of hardening the targets so they’re not so easy to get into. We need to do better at having technical responses — having national computer emergency response teams to respond to these attacks. Part of it is having stronger law enforcement and other capabilities, and having national cybersecurity strategies. But part of it really is the long-term diplomatic play. How do we craft an environment where we’re promoting stability in cyberspace, where there are some rules of the road? Just a few years ago I think a lot of people assumed that there were no rules, and that’s just not true, and I don’t think it’s ever been true. There were others who thought you need a whole new legal structure for cyberspace because it’s different. Well, it’s different in some ways, but it’s grounded in the real world, and having two different structures doesn’t make a lot of sense. So a lot of activity over the last 10 or so years has been devoted to this idea of stability in cyberspace. The stability framework in cyberspace is comprised of international law applying in cyberspace. That may seem like a no-brainer, but there were doubts that international law — including what’s called international humanitarian law, the law of armed conflict — applies in cyberspace just like it does in the physical world. Below that there are certain norms of behavior, rules of the road.
Voluntary, but important things like don’t attack the critical infrastructure of another country absent of wartime, having an obligation to co-operate if malicious conduct is coming from your country, don’t go after things like the hospitals or the ambulances in peacetime. And finally the idea of confidence-building measures, which are de-escalation measures — things like hotlines and points of contact [in every country]. Those are all important as we’re trying to get to this larger level of stability. And frankly, I think in a very short time in diplomatic terms we made a lot of progress on that agenda. Even getting agreements with countries that have very different views of cyberspace.
The U.S., Russia and China have all agreed to these norms, have all agreed international law applies [in cyberspace], and agreed to various confidence-building measures. And so that’s been very, very important. We’ve also done a good job of capacity building with other countries to up their defenses, to get them in the game and understand this. But the shortfall has been that, as good as having some agreement on all these rules of the road is, they get violated, and they seem to get violated frequently. And if you don’t have accountability, you don’t have consequences for bad actors — whether they be criminal or nation-states — they’re going to keep doing it. And those [countries] who are on the sidelines thinking about whether they should do it will jump in, because it’s a largely costless enterprise and they’re getting some gain out of it … We have to put our money where our mouth is and start enforcing those rules of the road as well. You don’t want to be escalatory, but at the same time you want to make sure that you’re making it clear if you do these things it’s not acceptable — just like you would in the physical world.
Howard: And those consequences are through prosecution or trade sanctions or …
Painter: It’s a range of things. There are diplomatic actions that you can take, not just acting alone but in a coalition with partners. There are joint attribution statements where you can say, ‘This nation-state’s responsible for that.’ As a practical matter, you’re probably not going to deter Russia or North Korea by saying they’re responsible [for a cyber attack]. They’re not going to be named in shame. But then you have to follow that up with other activities, and those could be economic. Economic sanctions have been used both by the U.S. and Europe. I’d say we haven’t been as strategic as we need to be with that, or as consistent. You know, I still think economic sanctions can have a major effect if you really target things that the other side cares about and do it in the right way.
There are, as you mentioned, law enforcement actions, which have more of an effect on criminal groups and nation-states — I mean, the people who you indict are largely not going to travel so you’re not going to really get them in a courtroom in the U.S. or Canada, so it’s going to have a limited effect, but it sends a message. You have the potential of using other trade tools. You have the potential of even using cyber tools — a lot of countries have cyber capabilities now. Again, using those tools is constrained by international law and by the norms you’re trying to promote. But if someone goes after you, you can in certain circumstances respond.
Howard: There was an agreement with China during the Obama administration to not go after American companies and steal intellectual property.
Painter: I was involved in that quite a bit. I used to, among other things, run our U.S.-China cyber working group, which was started in the throes of all the challenges between the U.S. and China on the theft of intellectual property. We actually made some progress. But the group was put on hold by China when the U.S. indicted five People’s Liberation Army officers for this kind of activity. Finally, after almost two years of pressure from the U.S. at a very high level — from President Obama to then Vice-President Biden to the Secretary of State and everyone else consistently saying this is an important issue we were willing to take friction on in the overall relationship — that finally got China to the table a week before President Xi was going to make his big summit meeting in Washington and agree that neither country should steal the intellectual property of the other to benefit its commercial sector.
Two things about this: One, normal espionage, intelligence gathering of information, has been going on since the beginning of time and will go on to the end of time. You’re not going to ban that. But the type of theft where you’re stealing commercial secrets to benefit your own commercial sector, we don’t do that. We don’t think any country should, and China agreed. That was really a watershed moment, and indeed for a while after we saw not a stop, but there was a significant diminution in that kind of activity. And then we also reached the agreement in the G20 with all the 20 countries, so that was significant a few months later. Once the U.S.-China relationship deteriorated I think China just went back to doing what it was doing before.
Which raises a couple of things: It tells me you can’t treat cyber as this boutique issue that is just a technical issue. You have to make it part of your larger national and economic security and diplomatic discussion. It really has to be core to your larger national security interest. And it also raises the fact that as important as cyber has been over the years, it’s still struggling to be at that level of importance where I think it needs to be. Interestingly, I think one thing that’s transformed that has been recent ransomware incidents, which are largely criminal. But it’s had an effect on ordinary people and has really catapulted it to a political and national security priority where it hadn’t quite reached that level before.
Howard: What’s it like to negotiate with nations like China and Russia that don’t see eye to eye with the West?
Painter: It’s not always easy to negotiate with your friends and partners, right? I used to chair a G8 high-tech crime group that had Russia in it. Every country has its own interests, but like-minded countries obviously have a lot more in common. But Russia and China, you know, were very difficult. With China, we were trying to make inroads. We were trying to have a more thorough discussion about stability, about confidence-building measures and theft of intellectual property issues. You don’t expect the other side to say, ‘Hey, you got us.’ But you want them to change their behavior, so you have to understand that it’s going to be a longer-term thing. It’s not going to be just an overnight change, and it wasn’t with them. With Russia, we have a long history in the arms control area, including things like confidence-building measures, hotlines, stability issues. So I think that translates to some extent to the cyber discussions. But Russia also has its own self-interest. So you’re not going to get them to agree to something that they feel constrains them. So it’s tough … But that also raises the importance, when you’re doing these negotiations, of reaching some common ground and settling on norms of behaviour and international law and some of these other issues. And we were able to reach some agreements with them. So it’s not completely impossible to do, but you also have to recognize there are times where there are going to be major differences. I don’t expect, for instance, we’ll make much progress in the U.N. setting on the issue of accountability because that tends to be too controversial an issue. But I think we have to make sure that happens. Diplomacy is one aspect in negotiating with Russia or China, but at the same time you have to have all the other activities you’re doing as a government; all the other relationships have to be heightened, too.
Howard: How helpful is Canada in cyber diplomacy?
Painter: Canada has always been very helpful in cyber diplomacy. Canada was always a country that paid attention to these issues. When I first took over the G8 group that was when Canada held the presidency of the G8 (in 2002) we made a lot of progress that year [on cyber] … I was probably the first dedicated cyber diplomat in 2011, and now there are about 40 around the world, but Canada was one of the countries that very quickly did that as well.
Howard: The reason why I asked you to come on the show this week is that a United Nations committee in New York was supposed to start a three-year effort to draft a cybercrime treaty. Unfortunately, that got delayed because of COVID-19. How important is a cybercrime treaty?
Painter: This has been a debate that’s gone on for a number of years. The Budapest Convention was formed out of the Council of Europe and involved a number of countries including the U.S., Japan and Canada, who are not European countries. That convention is important because it was really the first convention in the world that dealt with cybercrime that tried to say there are certain substantive offenses. Lots of countries didn’t have laws that punished hacking into computer networks. The ILOVEYOU worm was from the Philippines. They didn’t have a law at the time that punished [the author]. So the Budapest Convention was really a trailblazer in both procedural law and substantive law around cybercrimes, particularly on attacks on networks as opposed to crimes committed using the internet. Over time more countries signed up and endorsed it. China for years has opposed it for various reasons. Some other countries didn’t want to sign on because they weren’t part of the negotiations. The U.S. position had always been they don’t have to accede to the convention formally, they can just follow its precepts so we have strong laws around the world and interoperability.
There’s been an effort by Russia for at least 10 years to have a U.N. convention which didn’t really go anywhere until last year, when they won a vote to have negotiations. A U.N. cybercrime treaty could be significant because you want all countries to sign on. You want all countries to have good cybercrime laws and that’s important. There are significant obstacles or challenges in reaching agreement on something that’s going to be in any way as strong as the Budapest Convention, which I think is quite good.
Howard: Just to make it clear, a convention on cybercrime isn’t going to touch, what shall I say, the mischief that nation-states cause.
Painter: The way the U.N. works is there’s a committee dealing with nation-state and arms control issues, norms and international law. The cybercrime convention is really about crime. There are overlaps … But when nation-states are harboring criminals and providing a safe haven there’s a connection between nation-states and criminals, or when criminals are acting at the nation-state’s behest, that’s different. The main challenge [to a cybercrime convention] is different expectations of what that convention should cover. There is a fear among a lot of civil liberties and human rights groups — I think justified — that some countries, and I think Russia is among these, view what the convention should cover as more content issues — things that we would consider freedom of speech or dissent and issues like that. That’s concerning. We [the U.S.] would never agree to that … You’re likely not to get something as strong as the Budapest Convention, although [a country] can still follow both Budapest and whatever comes out of the U.N., but that’s very much to be seen.
Howard: In its initial written submission to the U.N. committee, Russia has suggested a draft treaty. What do you think of it?
Painter: I suspect that that was done for tactical reasons … It’s an effort to make that what we call sort of zero [initial] draft to make it the negotiating platform. And that’s not really happening. I think the chair of that session has said we’re not going to operate off of one country’s draft. Other countries are going to want to negotiate provision by provision.
Howard: And I noticed one of the provisions in the proposed Russian treaty is any nation can disavow the treaty.
Painter: It doesn’t give you a lot of certainty if you have a convention that says, ‘Okay, we’ll sign up to the convention, but if we don’t like it we could just say no.’ … It makes you wonder why we are engaged in this effort. My hope is that a lot of the countries who don’t yet have strong cybercrime laws and have been reticent to engage with Budapest, because either they haven’t really focused on the issue or they were waiting for the U.N. to take action, will get more involved through this in understanding the importance and need for strong cybercrime laws now, and not wait five or 10 years down the road.
Howard: It’s telling that the U.N. has set aside three years for this [negotiation].
Painter: It took, I think, five years to negotiate the Budapest Convention. There are challenges with procedural law and how you make sure [a country or law agency] can access documents. A lot of countries argue a lot of the data is stored in the U.S. with respect to crimes in their countries; how do you access that while still respecting due process? The U.S. has been trying to be innovative in coming up with the Cloud Act that will allow countries to access data from companies here with certain procedural protections. The Council of Europe and the Budapest Convention are working on what they call an additional protocol that deals with some of these issues. The technical issues are hard. The evidentiary issues are hard. The substantive issues are hard. So three years doesn’t seem out of range.
Howard: What in your opinion would an ideal treaty look like?
Painter: Very much like the Budapest Convention. It would lay down substantive laws that really talk about attacks on computers and computer systems, and maybe a small cadre of other crimes like theft of intellectual property or child pornography, but narrowly constrained and not trying to cover the world. Because I think that’s where you go into problems. It would also have a set of procedural laws, and ways for countries to co-operate. I really think the Budapest Convention has done a very good job of trying to put these down and make it not technology-dependent. You don’t have to come up with a new provision every time the technology changes, but you have the ability to use this understanding going forward. So the countries can then co-operate with each other and have more certainty about what the laws mean. I doubt that’s going to happen because the Russians have long objected to one of the provisions of Budapest that deals with consent over their citizens’ data. And the U.S. only consents to access to their data by someone else as long as it’s knowing and voluntary. For Russia, their view is only the state can consent, so that’s a big difference. There are bound to be some differences, but if we can maintain that structure and those provisions [of Budapest] and amplify them as much as possible, I think that would be ideal. I don’t know that we can get there.
Howard: Tell me about your work with the Global Forum on Cyber Expertise.
Painter: There are difficult geopolitical challenges around cybercrime and cyber security. One thing I think that every country has an interest in is the idea of capacity building: making sure that countries, particularly in the developing world, have the ability to have strong cybersecurity. That they have things like national strategies, national CERTs (computer emergency response teams), incident response abilities, trained law enforcement and the capability to co-operate internationally … The GFCE is a group of 150 members and partners, including about 60 countries and international organizations. Its purpose is to promote capacity building, trying to match people who need help with those who could provide the help. We have a portal that allows anyone around the world to access a huge amount of best practices, data, papers, et cetera on these issues.
Howard: I’m an IT manager, I’m a CISO, a CIO. What can I do to help fight cybercrime, to fight nation-state attacks?
Painter: The number one thing is when the Canadian [or] U.S. government puts out these [cybersecurity] advisories, pay attention. We always talk about public-private partnerships and working with the government. It’s also really important to build those bridges between industry, CISOs and government and have a better understanding and sharing of information between them. The other thing, and this is harder, is for CISOs to get more stature within their own companies. So often they are kind of buried in the organizational chain. They don’t have direct access to the C-suite. That’s got to change. We’ve got to start thinking about cyber as a key risk area, just like any other risk area that organizations deal with. It can’t be a good metric that the CISO gets to keep their job if nothing happens, and they lose their job if something’s discovered. That’s ridiculous.
… A lot of companies say [about an attack], ‘This is nation-state activity. It’s espionage. We don’t really care about that. We care about it when it’s our intellectual property or our trade secrets, but we don’t see the money walking out the door immediately.’ Well, it might be [leaving] five or 10 years down the road … Cyber risk has to be a core national security issue, and for companies it has to be a core risk management issue.