A
Hello everyone, this is Tom Uren. I'm here with the Grugq for another Between Two Nerds discussion. G'day, Grugq. How are you?
B
G'day, Tom. Fine. And yourself?
A
I'm well. This week's episode is brought to you by Zero Networks, which makes a microsegmentation solution. So it slices and dices your network to make it much harder for adversaries to laterally transfer all over the place. And it does it automagically. So last week, Grugq, we spoke about a paper and during that discussion we talked about how it reminded us of broader defense procurement, where the Defense Department in the US buys bigger and better, more expensive, more exquisite capabilities for more and more money. And it seems like there's this kind of decision making culture behind it. And so we thought we'd talk today about is there this kind of, I guess you might call it, a strategic culture of getting exquisite, very precise, very expensive capabilities? And when it comes to cyber operations, is that the right approach?
B
It's geared, right. It's sort of structured and geared towards this exquisite top end, bespoke, highly tailored.
A
Yeah. And a lot of it is in service to not getting caught and operating covertly. And so I guess there's a couple of different questions there. It seems like historically one question is, was that appropriate for the time? So maybe we should touch on that. Is it still appropriate going forward? Has the world changed? Is it more accepting of states hacking?
B
Right.
A
And then I guess like a sort of peripheral question related to that was, would we know, like you and I sitting here.
B
Well, obviously we've got our ear to.
A
The ground, like we pay attention. So those are kind of the issues that we thought we'd discuss. And so just to sketch out the way I think about it, there's an interesting contrast between the US and China. China has a much noisier cyber program, I guess you could say, right. They get caught a lot more often, but it appears that they do a lot more stuff. Whereas.
B
But I would point out that they don't get caught every single time, right? They still have those top end capabilities, they just mostly have, not top end, I guess like the mid tier to low tier volume stuff. Right. So for example, the RSA hack that they did when they broke into it, I think it was Lockheed, all those many years ago, like that was an impressive sequence of hacks that they put together. Now I'm sure that the NSA people will look back at that and be like, you know, this is pathetic. We've done much more exciting stuff, and that's certainly true, but that wasn't like their Poison Ivy level, right, bottom tier stuff. So they've got both sides. I think they have a spectrum. They don't focus exclusively on the top end. And I think that the US approach, it's not so much that it focuses on it. It's just they don't have anything else. They don't do anything else except the top end.
A
Right. There don't seem to be operations that they run with the expectation that they'll get caught as a cost of doing business, maybe.
B
All right, so Duqu 2.0 was found inside Kaspersky's research network. And when they looked into it, they found that it was a sort of a repurposed version of an Israeli implant that they linked to Israeli operations. And so they sort of exposed and burned that. But it seems to me that that operation was conducted with the expectation that it was going to be caught and burned. So the things that were used, they weren't so much low grade as end of life. So they used the repurposed, already burned backdoor, like an implant that they modified sufficiently that it wouldn't be detected as the previous version. But they didn't write something new from scratch. So when that got burned, there wasn't a new loss. They used, I think it was a win32k.sys LPE, like a local privilege escalation exploit. And at the time those were cheap and common, there were many of them. And losing one would not set you back at all. You just go into the bin and get another one. So, right. It was made up of components that were disposable, but it was still conducted as a top tier operation, I think.
A
Right, right. So that seems to be like the protection of capability in terms of making smart decisions about what you're going to put at risk.
B
Right. So it's. I'm just saying it's not so much with the expectation of getting caught that defines things. Because I think that when you have the expectation of getting caught, you choose like you make a decision about what you're going to lose. I think it's a more profound thing about getting caught that's here.
A
Right. What I'm thinking is that it's a trade off between stealth and coverage. So you can get a lot more coverage by being less stealthy or by accepting the risk of getting caught. And so my impression is that the US and its allies tend to forego breadth for continued operation under the radar.
B
Right.
A
Whereas the Chinese approach is the opposite.
B
And then I wonder if that's a reflection of national strategy. The US is looking like, the US and its allies, historically at least, have been looking at how can we maintain this for the next decade and the decade after that and the one after that. You know, it's the how do we keep things going forever where we're at the top? Like, to a degree, the SIGINT culture that the US has was born out of the Enigma process during World War II. This sort of, if you've hacked someone else's stuff and you have that capability of seeing what they're doing and they can't do that to you, that's an amazingly powerful, like, it's super great. And they want that. Like, they want to be in that position forever. They really like that. And I think that's flavored, that sort of colored their approach forever.
A
Well, I think it's broader than just Enigma in World War II. Right. So we spoke maybe a month or two ago about information warfare, where the publication, which was actually from the NSA, spoke about the success of precision guided munitions in the first Gulf War. And the US has been tremendously successful ever since World War II with having.
B
Advanced technology minus two very notable exceptions.
A
Right, right, right. I would say they've been successful at having tactical application of military force. They haven't necessarily won the wars, but they've won a lot of battles.
B
But they've won the war that counts, which is the. They've got better Hollywood movies out of it. So.
A
Like, even the atomic bomb is an example of having advanced technology that allows you to apply overwhelming force when and where you want to. Right. And I think it's this constant straight line from the Manhattan Project through to precision guided munitions. And so there's all these reasons that would imbue the entire bureaucracy with this is the way we win.
B
Right. And that's sort of reflected by the never fight in a fair fight. Right. It's the use a sledgehammer to crack a walnut. It's this idea that you just overwhelm and dominate. And I think that that's worked very well for industrial domain things where you can just outcompete in terms of the technology or the volume, whatever. And I don't know if that can be maintained in a domain where industrial might is not the. Like, it doesn't translate directly into capability, like where it's a knowledge and information domain. So it's a lot more open to anyone.
A
Right. So I guess there's a couple of reasons I'm thinking about this. One of them is just what's going on in Ukraine, where it seems like there's a lot of use of very cheap technologies like drones, which are used in innovative ways that are kind of a counterweight to advanced technologies. The US has supplied a lot of weapons to Ukraine, but then recently it's announced that it's going to stop because it's running out. And so that makes you think that perhaps the exquisite technology is not the maybe.
B
Yeah, producing eight perfect missiles every year.
A
Is not as good as 100,000 drones.
B
Right, right.
A
I guess, yeah. That's the extreme kind of question. Right, yeah. But does that apply in, well, cyberspace?
B
There's a really good anecdote about Enigma from the North Africa campaign, Operation Torch, when they'd landed in Tunisia and all that. So what happened was the Germans, which was Rommel and I think Kesselring, were preparing this counteroffensive against the Americans. And because the Americans had the Ultra intercepts, they could see what was being planned. And Rommel had sent a request saying, I don't have enough tanks. Please give me, like, the second army that we have out here so I can have enough tanks to do a proper assault. And Enigma, it captured the request, but they didn't decode any of the replies that came back that said, yes, okay, you're approved to have the second army.
A
Right.
B
So what ended up happening was, looking at the Enigma decrypts, it said, he doesn't have enough tanks for the assault. Right. And then because the assault was planned inside Africa, so it was all done face to face, so there were no Enigma decrypts for the actual planning. So the Americans were completely unprepared because they were like, well, it's not going to happen. I mean, he was begging for more tanks. It's just like, not a thing we need to worry about. And they'd missed that crucial part of it. I think that that's something that gets lost in SIGINT stuff where it's like, yeah, if we can just read everything, then we know what's going on and it's true. But what if you only read 90% and you miss the crucial bits? So maybe there is something to having more coverage rather than depth of coverage.
A
Well, I was thinking before we started talking that it seems like one way to think about the US approach is it's to find the person or organization that is the key and get access to them, ideally forever, because we never get caught. Whereas the Chinese approach might be more death by a thousand paper cuts, where you get a lot of coverage instead. And so is the world changing in a way that makes one strategy more successful? I guess another way of thinking about this is would you say that China has been winning in cyberspace? And to me it's not at all clear that either country is actually winning.
B
Right. That's what I was going to say is that, I mean, what does winning look like? Because it's very hard to tell what superiority would look like in the space. Because, I mean, one of the characteristics of cyberspace is that both sides have complete advantage. Right? Like as an attacker you always have attacker advantage, and as a defender, you're both vulnerable, but also you have, you know, home turf advantage. So it doesn't really favor either side. And there's also no way, there's no way that your activities against me necessarily impede my activities against you. Like, you can steal all of the stuff you like from me and I can steal all of the stuff I like from you, and it's just going to continue like neither one of us is stepping on each other's toes in that process. That's one of the things that makes it quite hard. It's not like you hold territory or you have attrition where like, I've got more tanks in the field than you do, or any of that stuff, because there's this disconnect anyway. I think that that dynamic makes it very hard to say who's winning and you have to try and find other things that you measure it by. And it's sort of like, is the sustainable. Like, that's, that's the point of last week's discussion. In last week's paper was the, Is this approach sustainable over the long term? Like, given the way that things are changing, can you continue to maintain this very elite, very highly sophisticated edge?
A
Yeah. So I mean, in a way, that paper is one data point that tends to indicate that the US system hasn't changed radically. Because probably if it had changed radically, then the acquisition process would also reflect that.
B
Reflect that. Yeah.
A
And so again, one of the things I was thinking about is how would we even know? And I suppose one way we would know is if all of a sudden there was a whole lot more reporting about American operations that was broad based, but also in a way didn't amount to anything in the sense that there wasn't any diplomatic blowback. Because it seems to me that the point you want to operate at is we want to collect as much intelligence as possible. You want to maximize the return and also minimize the pain. And I think that the most significant pain is probably diplomatic blowback or push back.
B
Yeah, that's like, that's when your bosses start getting involved. I think it's, I think the espionage is very much a thing of like, you could ignore what's happening until you get caught.
A
Right?
B
Like, the people are very happy to get the intelligence from you until you get caught, at which point they're like, this is outrageous. How could you get caught? This has gone on too much. Like, this has gone too far. So I think one of the things is also, what are you doing with the intelligence and how much do you need? Right. I think this goes back to the discussion we had about should the US get into stealing intellectual property. China is at a point in its development where it believes that it needs to collect a very, very large amount of data on a lot of different things in order to maintain its position in the geopolitical landscape. And I think that the US doesn't believe itself to be in that position. So it doesn't see itself as having to collect the same breadth of intelligence. Like, it doesn't need that same broad expanse of data. It needs targeted military intelligence, or it needs financial intelligence, or it needs political intelligence. Like it's got these very sort of clear things that it sees itself needing. And because those are more focused and targeted, I think they do lend themselves a little bit better to that. You know, we have exquisite niche capabilities that we're using for these high end, very important targets. And if you only care about that sort of stuff, then that's fine. But that doesn't scale.
A
Yeah, that makes a lot of sense that knowing what Xi Jinping thinks is very important, knowing what Huawei is developing.
B
For next quarter is not. Basically.
A
Well, Huawei is probably a bad example because there are several companies now that seem like they're close to world eating.
B
Yeah, I think you probably want to know something about Huawei stuff, but probably more for specific reasons, like are they inserting back doors and if so, what are they so that we can exploit them as well? Or what's the next thing that's coming out that we can then have early access to that we could then develop exploits for, or, you know, it's stuff like that. It's not the, how can we duplicate what they're doing?
A
Right. Yeah.
B
So even then it's a, it's a more targeted vision. I think it's, it's much more, there's more purpose and focus.
A
Well, there's specific intelligence questions, I guess that you answer. So I think there is reporting that there was an NSA project called ShotGiant maybe.
B
Okay.
A
Targeting Huawei and the question was exactly that. Are they inserting back doors? What's their relationship with the state?
B
Right, right.
A
And so those are very like, those are legitimate questions that it makes sense that you would want to know.
B
Right. And it's, it doesn't have anything to do with Huawei being a commercial vendor or whatever, or like you're not looking for Huawei's intellectual property, you're just looking for the relationship that Huawei has with the state. And how does that impact you or your allies? Right. Even when they do focus on commercial entities, it's with a different viewpoint, a different perspective. As you said, they have specific intelligence questions that they're trying to answer. They're not broadly looking at what are future trends that are being identified that we can also get into, or what R and D successes are they having that we can try and leverage ourselves.
A
Yeah, so that makes a lot of sense in terms of a small number of targets where you've got specific questions. So I guess that makes me think about whether there are any targets where there's a lot of them where a more broad based approach would be useful. And I can't actually think that there's that many.
B
I mean, they're not so immediately apparent that there's obviously a billion of them. We're not like, oh, of course, you know, X, Y and Z, for example.
A
Yeah, it's. The non state actors were the first thing that came to mind. But it doesn't seem like they're a large group of non state actors. Like there's not hundreds of thousands of them.
B
Right.
A
Like they may be very important, like back in the day, I guess, Al Qaeda or ISIS.
B
Sure.
A
But that's still a narrow target set where you could use more, less refined capabilities.
B
Al Qaeda, well, the Al Qaeda operatives that Saudi Arabia was finding all the time, they were using Samsung mobile phones exclusively. Samsung for some reason. But that would mean that if you have an Android capability, that gives you access.
A
Right, right.
B
And it's very likely that an Android capability would give you access to maybe not Xi Jinping, but probably one of his lieutenants or someone close to him. Like there's just a certain level of technological capability that everyone sort of has. Yeah. Like if you've got that as a default, that gives you pretty much access to 80%. That's the sort of 20% capability that gives you the 80% coverage.
A
Right. Right, right. I'm reminded of a story I wrote about maybe a couple of months ago where the Syrian army, in the dying days of the regime, there was a campaign that targeted them. And basically it was like 95% social engineering, where it purported to be a humanitarian organization that was giving financial aid to Syrian army people. And so it's basically just paying them to install an app and fill out a questionnaire. And because of the economic situation, a relatively small amount of money was actually a significant amount. So, well, like that's the sort of campaign.
B
How much money do spy agencies actually spend on this stuff? It's really low. Whenever you look at the arrests for these people and it's like, you know, he got $10,000 in cash for turning over, you know, the blueprints to nuclear submarines, 300 gigabytes of classified documents, and you're like, I mean, that's nothing, right? That's a given.
A
Yeah. And I guess where I was going is that for certain targets you don't actually need advanced capability, you just need some sort of pretext. And if you're willing to spend a bit of money instead of having a zero day, well, yeah, more power to you.
B
Yeah. Well, this again touches on something that we've brought up a lot, which is that 0-days are a sometimes food. Right. Like you don't need these really top end capabilities all the time. They're very useful for hardened targets, things that you want to access without them knowing that you've accessed them ever and that are quite hardened and difficult to get to. But for the vast majority of cases, you can probably get away with something where, like, if you close the loop, they're not going to know about it. Right. So if you remember way back when, there's the Edward Snowden leak about, you know, I Hunt Sys Admins, right?
A
Yep.
B
Right. Like there was nothing sophisticated about that. It was like, I go to the database of all of the stuff that we like, all of the data that we collect off the Internet, and I just grep for password, and then I pull out the username and password and I try it against the IP that I'm looking at. And it's not a sophisticated 0-day attack, it's just like, if you've got that sort of data pool and people are using telnet, then yeah, go for it. You can log in. You're not using a Cisco 0-day, you're not developing some elite whatever. You're just looking at, have we already collected the logs by accident?
A
Yeah. So one of the things I was thinking about is that in a way China has shown that you can do a lot of hacking and just get away with it by being brazen. And it seems like if the US was really going to change its approach, it would have been after the Snowden hacks, or Snowden leaks, sorry. Where the problem is that they were doing a lot of hacking and they didn't really get away with it, in that there was a lot of diplomatic pain that occurred afterwards. And so that in a way seems like a reinforcing lesson of don't get caught.
B
Right, right. So that maybe they learned the wrong lesson from all of that.
A
Well, I don't know that it even was the wrong lesson because I think what you said earlier about them still not feeling that they need a broad based wide intelligence campaign.
B
Right.
A
Still rings true to me. And I think that actually is in fact true. Like it's not just that they feel it, but it probably is, for the whole now, despite the fact that we actually had a whole podcast on how they should get into intellectual property theft. We can ignore that episode, BTN whatever that was.
B
Oh God.
A
As the thought experiment that it was. And so perhaps this approach is just right. Everything's fine except for the way they get zero days. It's clearly broken.
B
Yes. So I mean, I think the thing is, it's like, is this approach sustainable? And I think it is because for the requirements that they have, they can continue to meet them with the approach that they have, which is what we're getting at in that unless the requirements change where they sort of, if they shift into China's position of suddenly needing this sort of broad spectrum, I don't think that they need to sort of be operating like that. They don't need to just be hacking everyone and hack everyone that. God, sort them out.
A
Well, I was thinking about ransomware actors and cyber criminals in general. Right. Where the Western agencies are more active against them. So there's like a story that ASD, the Australian Signals Directorate, deleted a bulletproof hosting service. I love the story in that they went and waited until the administrators were out drinking. So it's a good example of how you combine intelligence collection, they're at the publisher with action to sort of maximize your window of opportunity, I guess. And this is a perfect example. ASD, at some point much later, I think, claimed responsibility when that group, I think it was when they were sanctioned. And so that seems like the sort of group where you could just do whatever you would want, some sort of opsec just to separate it from your other activities. Separation rather than necessarily stealth.
B
Yeah. Compartmentation stuff.
A
Yes, exactly. Yeah. And so that seems like the group of actors, we're like being relatively open.
B
Like, what's the diplomatic fallout of taking down ransomware?
A
Maybe Russia will get angry at you.
B
Right.
A
One of the questions would be how would we know if they had changed? So I spoke about that ASD example. That seems like an example where you could say, okay, ASD has, and there's several stories that I've spoken about over time where they've been public about attacking ransomware or cybercriminals. And so that, to me, seems to indicate that they've at least got a stream of activity where it seems likely that the smart thing to do would be to use low.
B
Right.
A
Low equity tools and have that compartmentation to separate it from your other activity. But, you know, whatever, if it gets burnt, we will probably talk about it anyway. So it seems like that's evidence to me that they're doing things differently. It seems like when it comes to the US most of the activities are being claimed by the FBI when it comes to anti ransomware or anti cybercriminals. So that is a lack of evidence. Like, it's not evidence either way.
B
I kind of wonder if NSA would even go after, like if they would go after cybercriminals or if they feel that's beneath them. Well, like, that's an FBI law enforcement thing. Yeah.
A
And yeah, they've got difficulties because they've got a relatively stringent separation of who can do what.
B
Right. Yeah. There's very much Title 10, Title 50 stuff. Yeah. The legal stuff that the Americans really love that the rest of us find very confusing. Yep. Yeah. So I mean, maybe one of the reasons that we haven't seen any indication is because they actually don't need to change. Right, right. So as I was saying earlier, the requirements they have don't include sort of dragnet operations of just collecting huge amounts. Well, okay, that's not quite fair. Ignoring XKeyscore, ignoring the passive monitoring, they don't actively go after a large number of diverse targets for the sake of getting more data. Right, right. That's not a thing they need to do.
A
Because from a cyber espionage perspective, like from a cyber operations perspective now, I would say that the passive monitoring was an enabler for more targeted stuff.
B
I'll defer to you. I mean.
A
Not that I'm trying to defend them, it's just from the point of view of what it was doing.
B
Right. I mean, it helps to address certain specific questions that they have, which are not the, what is Huawei's R and D spending goals and focus and so on. Like that's, that's not the sort of thing that they would be collecting. And I think to that point they don't need to adopt China's approach to cyber operations because they don't have China's cyber operational requirements.
A
Right, Yep.
B
Right. They don't need the same sort of data and so they don't need to do that. They probably do need to change in other ways, but I don't think that those ways would be things that we would notice. Right. Like if they change their acquisition pipelines or if they become more nimble in other areas. Those are not things that would show up in suddenly an increased flood of APT reports about NSA attacks.
A
Right, right, right. I mean, there's also structural reasons we probably wouldn't get in a flood of reports just because most companies that we read are Western companies that tend to be a bit reluctant.
B
Yeah, very much so. I mean, from, from those reports earlier this year where the Chinese did report on NSA operations, even then, the stuff that they were reporting on was like, it wasn't Gucci top end capabilities, they're just sort of pedestrian useful. And they were targeted. Right. They weren't broad, they weren't sort of going after everyone in the space.
A
Yeah. My recollection is that they were targeted at universities that had relationships with the PLA, the Chinese military. And even though we call them pedestrian, they had been doing it for something like a decade. So it's like, I mean, obviously it's good enough for the job.
B
Well, I was going to say, like, to be fair, like hacking into a university and staying hidden is not exactly like the pinnacle of success. Right. Like children do that.
A
It seems like they chose the right tool for the job.
B
Exactly, yeah. It's like they, they don't need to use their top end stuff because it's not required. And on the off chance that it does get discovered, it shouldn't be burned over this.
A
Yes, right, yes.
B
It's very unlikely we will get caught. But if we do get caught, this is what we can afford to lose for this sort of tier of information collection. So to sum it all up, is the US approach fit for purpose in the modern day and age? And I guess, yes.
A
Carry on, everyone. Like, interestingly, before we had this discussion, I thought that maybe it wouldn't be right.
B
This is not what I thought we would find.
A
Right, yeah.
B
Coming into this, I thought it was very much a. Oh, their legacy. They're doing this old thing from the 1990s. They've got this, you know, early 2000s approach.
A
That's right.
B
And the world is all wrapped up.
A
In the American way of war.
B
They've got this big idea of how to approach things and it's, you know, it's archaic and it makes a lot of sense in an industrial environment. But does it work in a knowledge based environment? And I mean. Yeah, I guess so. It does.
A
Yeah. Everything's fine.
B
Yeah, I guess. Carry on.
A
Thanks a lot.
B
Thanks a lot, Tom.
Risky Bulletin Podcast Summary
Episode Title: Between Two Nerds: Is US Cyber Espionage Too Careful?
Host/Author: risky.biz
Release Date: July 14, 2025
In this insightful episode of Risky Bulletin, hosts Tom Uren and the Grugq delve deep into the strategic approaches of US and Chinese cyber espionage. Through a comprehensive discussion, they analyze whether the US's meticulous and elite-focused cyber operations remain effective in the evolving digital landscape.
Tom Uren opens the discussion by referencing a previous conversation about defense procurement cultures. He questions whether the US's preference for "exquisite, very precise, very expensive capabilities" in cyber operations is still the optimal strategy in today's fast-paced and dynamic cyber environment.
Tom Uren [00:12]: "Has the world changed? Is it more accepting of states hacking?"
The Grugq agrees, highlighting the structured and elite nature of the US's cyber capabilities compared to China's broader and noisier approach.
The Grugq [01:13]: "It's sort of structured and geared towards this exquisite top end, bespoke, highly tailored."
The hosts explore the fundamental differences between US and Chinese cyber espionage methodologies. While China employs a high-volume, less stealthy approach, frequently getting caught, the US favors a stealth-based, highly sophisticated strategy aiming to remain undetected.
The Grugq [02:22]: "China's approach is the opposite... they have a spectrum. They don't focus exclusively on the top end."
Tom elaborates on this by suggesting that the US prioritizes maintaining long-term, covert operations over broad coverage.
Tom Uren [05:14]: "It's a trade off between stealth and coverage. The US and its allies tend to forego breadth for continued operation under the radar."
The discussion shifts to historical examples, drawing parallels between past and present cyber operations. Tom references the Enigma machine from World War II to illustrate the roots of the US's precision-focused strategy.
Tom Uren [06:39]: "The Enigma process during World War II... they want to be in that position forever."
The Grugq counters with anecdotes from the North Africa campaign, emphasizing that even with strong signals intelligence (SIGINT), missing crucial data can lead to significant strategic oversights.
The Grugq [10:13]: "What if you only read 90% and you miss the crucial bits? Maybe there is something to having more coverage rather than depth of coverage."
Tom and the Grugq critically assess whether the US's elite-focused approach is sustainable in the modern, knowledge-driven cyber domain. They debate whether the US needs to adopt a broader strategy similar to China's to remain competitive.
Tom Uren [11:06]: "Would you say that China has been winning in cyberspace? It's not clear that either country is actually winning."
The Grugq points out the inherent challenges in defining "winning" in cyber operations due to the nature of cyberspace, where both attackers and defenders possess significant advantages.
The Grugq [11:51]: "Both sides have complete advantage. It doesn't really favor either side."
The hosts examine specific operations to illustrate their points. They discuss the Duqu 2.0 operation, highlighting how the US employs repurposed and disposable components to minimize the impact if caught.
The Grugq [03:29]: "They used the repurposed, already burned backdoor... it was still conducted as a top tier operation."
Tom contrasts this with China's broad-based campaigns, such as targeting universities linked to the Chinese military, demonstrating a more expansive, less targeted approach.
Tom Uren [29:05]: "My recollection is that they were targeted at universities that had relationships with the PLA."
They also touch upon the US's actions against ransomware groups, showcasing different operational tactics and the associated diplomatic implications.
Tom Uren [24:03]: "ASD deleted a bulletproof hosting service... it maximizes your window of opportunity."
Concluding the episode, Tom and the Grugq deliberate on whether the US needs to evolve its cyber espionage strategies. They consider the current effectiveness of the US approach and ponder potential areas for adaptation without abandoning its core principles.
The Grugq [24:03]: "Anti-ransomware activities... is evidence to me that they're doing things differently."
Tom reflects on the possibility that the US may not need to change its approach if it continues to meet its specific intelligence requirements effectively.
Tom Uren [24:57]: "The requirements they have don't include sort of dragnet operations of just collecting huge amounts."
In their final exchange, both hosts express a nuanced view. While initially skeptical about the US's traditional methods, they recognize that the existing strategy aligns well with current intelligence needs and operational goals.
The Grugq [30:37]: "Is the US approach fit for purpose in the modern day and age? And I guess, yes."
Tom concurs, acknowledging that despite the changing landscape, the US's focused and elite cyber espionage efforts remain effective.
Tom Uren [31:17]: "Everything's fine. Carry on."
Conclusion
This episode of Risky Bulletin offers a compelling analysis of US and Chinese cyber espionage strategies, highlighting the strengths and limitations of each approach. Through historical context, real-world examples, and strategic evaluation, Tom Uren and the Grugq provide listeners with a comprehensive understanding of whether the US's careful and elite-focused cyber operations are still viable in today's complex digital arena.