The CNN report supporting the conclusion that Russia has been hacking the State Department and the White House for months plays into the cyber security narrative for both sides of the debate: those who see little new from the cyber domain and those who see this as a revolution in military and diplomatic affairs. Given my perspective as a cyber moderate, I find much of the same with the incident. It does demonstrate that cyber actions are a reality and occurring with more frequency, but it also supports the point we make throughout our book that cyber actions are typically low-level espionage attacks and often the fault of the target.
Putin suggested that it is now “sport” to accuse Russia of the hack, a likely response. But given the Obama Administration’s careful nature with leaks and reporting regarding cyber activities, there is little doubt that pointing the finger at Russia is warranted. As I have said in the past, cyber activities often will come with little direct attribution, but we clearly have motive, responsibility, and process to back up the assertion that Russia did this. If this is sport, what does CNN get for correctly reporting the story?
So what exactly did Russia do? Not much. They were able to use spear phishing techniques to get into the State Department network, which then gave them a back door into the White House’s non-secure network. They had access to non-confidential information. While troubling, critical information is secure and remains so. If there is a problem, it is that there is a back door to the White House from the State Department, that the State Department is so easily violated by email phishing, and that some important aspects of the President’s daily activities were so public. Changes clearly need to be made, but is this the great cyber-attack we have been fearing? In short, no, not at all.
This attack demonstrates the typical process we (most of my cyber work is with Ryan Maness) uncover in cyber relations: low-level nuisance and espionage-level attacks exploiting vulnerabilities in the target rather than the skill of the attacker. The American systems are so weak and problematic that they still seem not to be able to root out the Russians from the State Department networks. Clearly changes need to be made and training needs to be undertaken, but is this attack a harbinger of doom to come? Clearly not.
The cyber security story is one of a new technology being leveraged for an advantage, but what does this advantage really give the attacker? The efficacy of cyber operations has yet to be demonstrated. I am not so sure it ever will be. Certainly cyber actions might be helpful in combination with a multitude of other strategies, but they typically represent more of the same by new means.