by Natasha Bertrand – Business Insider
The US needs to change how it hires hackers and other tech talent
if it wants to stay competitive in the cyber arena, former
FBI special agent Clint Watts told the Senate Armed Services
Committee during a Thursday hearing
on “cyber-enabled information
operations.” Watts, now a senior fellow at George Washington University’s
Center for Cyber and Homeland Security, argued
that Russia’s ability to hack into US political
organizations last year and launch a sustained disinformation
campaign — which it now appears to be
replicating ahead of the French and German elections —
stemmed not from its “employment of sophisticated
technology, but through the employment of top talent.”
Many experts say Russia has harnessed some of the best tech
talent in the world because of its willingness to hire
hackers who would likely be passed over in the US — either
because they aren’t “technologists” in the traditional sense or
because their records would preclude them from obtaining security
clearance. “Actual humans, not artificial intelligence, achieved Russia’s
recent success in information warfare,” Watts said, referring to
Moscow’s election-related meddling. “Rather than developing cyber operatives internally, Russia
leverages an asymmetric advantage by which they co-opt,
compromise or coerce components of Russia’s cyber criminal
underground,” he added. “Others in Russia with access to
sophisticated malware, hacking techniques or botnets are
compelled to act on behalf of the Kremlin.”
Brandon Valeriano, a researcher at Cardiff University
specializing in international relations
and
cyber coercion, said the strategy
allows the Russians both to “maintain their control over the
hackers” and “take advantage of whatever capabilities these
hackers might have.” Ian Bremmer, president of the political risk firm Eurasia
Group, went one step further. “Cyber crime and state
espionage go hand in hand in Russia’s system,” he told Business
Insider last month. “Russia has employed cyber criminals for state ends for as
long as they have been hacking,” Bremmer said. “Private
hackers are a source of talent, for one thing, as well as a
degree of separation and deniability between state organs and end
users.”
The New York Times’ Andrew Kramer
reported on the phenomenon in December, writing that
“for
more than three years, rather than rely on
military officers working out of isolated bunkers, Russian
government recruiters have scouted a wide range of programmers,
placing prominent ads on social media sites, offering jobs to
college students and professional coders, and even speaking
openly about looking in Russia’s criminal underworld for
potential talent.”
“If you graduated from college, if you are a technical
specialist, if you are ready to use your knowledge, we give you
an opportunity,” one of the ads read, according to the
Times.
But cybersecurity expert Dave Aitel cautioned against emulating
the Russians’ strategy of outsourcing cyber operations to actors
the government might not be able to fully control.
“There’s no point in hiring people you don’t trust,
or trust less, to do these kinds of operations,” said
Aitel, CEO of the cybersecurity firm Immunity, Inc.,
and former research scientist at the National Security
Agency. “That doesn’t mean there isn’t room for
outsourcing, but then the question becomes how the government can
manage these risks in an intelligent way.”
Aitel suggested that, rather than outsource tasks or
projects to particular individuals without security clearance,
the government could allow private companies specializing in
penetration testing — the practice of testing a computer
system, network or application to find vulnerabilities that a
hacker could exploit — to apply for security clearance and
compete for a contract.
The scoping and goal of this agency’s work, Aitel said,
would require “massive transparency,” as well as legislative
liability carve-outs to protect private citizens and firms who
have been entrusted to take the reigns on a state-sponsored cyber
operation.
“There’s a lot of risk,” Aitel said. “How do you protect
those people? Are they going to get kneecapped? They’re not
government employees, so they’re not afforded the same
protections both domestically and internationally.”
Either way, most experts agree that the US needs a dramatically
new approach to countering Russia’s cyber-enabled influence
operations.
“When the U.S. has done something to date, at best, it has been
ineffective, and at worst, it has been counterproductive,” Watts
said on Thursday.
“America will only succeed in countering Russian influence by
turning its current approaches upside down,” Watts added,
“clearly determining what it seeks to achieve with its counter
influence strategy and then harnessing top talent empowered,
rather than shackled, by technology.”