Between Two Nerds: Why the US is so uptight about cyber operations

Tom Uren

Hello everyone, this is Tom Uren. I'm here with the Gruck. G'day, Gruk, how are you?

Gruk

G'day Tom. Fine. And yourself?

Tom Uren

I'm well. So for this week's Between Two Nerds, we thought we'd talk about tight and loose control. And by that we mean some states have relatively tight control over the cyber operations that their organizations carry out and other states have just a totally different approach. But before we get to that, we're just going to pat ourselves on the back. Last week we spoke about attribution and how there is an incentive for advanced operators to hijack and steal the operations.

Gruk

Of other countries using other people's infrastructure.

Tom Uren

That's right. And we gave some examples. I mentioned Turla, which I mistakenly said was that svr, which is Russian foreign intelligence. A listener corrected me and said in fact they're the FSB and just yesterday Microsoft Threat Intelligence, who are obviously listeners of Between Two Nerds. If they're not, they should be published a report where they talk about a group they call Secret Blizzard that has been hijacking Pakistan based threat actors and I think others. And they've been both hijacking the infrastructure and launching their own operations using their hacking infrastructure of the Pakistani group. And they've also been stealing intelligence that the other groups have collected. So they're doing both the things we kind of spoke about. So we're setting the agenda. Gruk.

Gruk

You'Re welcome, infosec community. Yeah.

Tom Uren

But okay, so moving on to tight and loose control. So I think of tight control as in the context of this discussion. If you're doing a particularly aggressive cyber operation in the U.S. for example, the approval process might run all the way up to the President of the United States.

Gruk

Right.

Tom Uren

So that would be an example of tight control. So over the last couple of years that's been loosened to some degree, but I think for a big enough operation that would still be true.

Gruk

Right. I think that they're still very tightly controlled in that operations are not decided by line managers or frontline operatives. It's very much higher echelons either at the government or within the organization, set priorities and operations. They select what's going to happen and then it gets implemented by the line managers and the people further down. There's no sort of bottom up process of like hey, we accidentally hacked all the Russian nuclear command infrastructure. Should we do something with it? Or like what?

Tom Uren

Yeah, so in Western agencies there's, or Western bureaucracies, there's usually this process of whole of government. They generate national intelligence priorities and then they're divvied up by which intelligence agency is best suited to do them. So if it's a cyber espionage thing, that would probably go to nsa, if it's a HUMINT thing, probably to CIA, satellite imagery, NGA etc, etc, etc. And so that is gathering intelligence requirements across all of government. And in the past, there used to be an Obama setup process for cyber operations where it would have what they call an interagency process which would gather input from, I don't know, for example, Department of State, Defense Department, et cetera, et cetera, et cetera. And the story is that that was, I think someone called it, a recipe for gridlock. But to your point, there's a whole lot of inputs. No single individual is empowered to make that decision.

Gruk

Right. And I think the other thing is that there's a lot of authorizations that have to be done beforehand as well. So like legal gets involved. So you'll say, this is an operation we want to carry out. After this long process, we've come up with this thing, here's what we're going to do. And then legal is going to go over it and say, all right, actually this, this would violate the law. We need someone who is not wearing a uniform to have hands on keyboard so that it's. Or, you know, like whatever, like something. Yeah, some, some loophole to, to avoid some specific gotcha. Right. And they will do that sort of approval. And that's sort of part of the tight control. And that there's, it's sort of very, it's very structured.

Tom Uren

Yeah, right.

Gruk

It's very much built around the idea that there's, there's people in charge and they decide what to do and then everyone sort of executes underneath them as their direct. That's the sort of principle.

Tom Uren

I think that's probably a good description of the way it was. It seems to be looser now in. During the Trump's, Trump's first administration, they threw out that policy and made one that was more agile, involved less input from other agencies, especially for cyber command. So I think this dealt specifically with offensive cyber operations, ones that were destructive or damaging. And to me, the old way of doing things made sense in the context of an organization coming out of the Cold War, where looming over the top of you, you've got this idea that if we overstep the mark and somehow end up on an escalation ladder that we can't get out of, it all ends in nuclear war.

Gruk

Right.

Tom Uren

And so at every step there's this Tight control and thinking about, do we really want to do this right?

Gruk

There's a lot of opportunities for checks and.

Tom Uren

Yeah, yeah. And how do we de escalate if we end up in an unhappy place? And so that seems to me like the way cyber operations were running seems to be a hangover from that time when that was a serious concern. I don't think it was probably ever appropriate to think of cyber operations as the same. But like, when you come from that cultural heritage.

Gruk

Well, I mean, if you go back 20 years, you'll see that most of the literature talking about cyber was treating it very much like nuclear.

Tom Uren

Right. Yeah.

Gruk

So, I mean, it makes sense to me that if you have the same people talking about the same stuff, they're going to look at the same control that they had in place of a nuclear and put it over like the new nuclear that they have. It's logical. That's how you'd go about doing it. So, yeah, I think there's a lot of drivers.

Tom Uren

Yeah. You've got one tool to avoid escalation risk and that's tight control. And you apply it even when the problem you're trying to solve is vastly different. Right, yeah, so that makes sense. And it makes sense that it's gradually been loosened. But, you know, that's an attractive theory to me, but it doesn't at all explain how Russia behaves. It's one small flaw. It works for only half of a sample set.

Gruk

I mean, you could draw a line. As long as you don't have another point.

Tom Uren

Russia's an outlier. Problem solved. Yeah. Very good, very good, Tom.

Gruk

Thank you. We've out of our two data points, one of them is an outlier. Yeah. So like the Russian approach, I think, pulls from a different heritage and sort of has the same, followed the same sort of inertia driven bureaucracy in which they had a sort of, they had a strategic culture that had built up under one set of conditions, which was Stalinist era Soviet Russia that was decades underneath. Someone who literally killed everyone who didn't do things the right way he wanted it. So that's a very good evolutionary pressure to get a particular type of organization. And the culture that built up around Stalinist era KGB stuff was very much do the things that you think Stalin wants done.

Tom Uren

Is it do the things you think he wants or is it avoid doing the things you think he doesn't want?

Gruk

Yeah, it's. There's a lot of stuff on that. Like you can be a bit of a cowboy and do things and as long as you don't get caught, that's fine. But if you get caught and it makes him look bad, that's a huge problem. Whereas if you get caught and it makes him look badass, that's okay. Right. And if you only kind of get caught, then it can probably be covered up and fixed in some way.

Tom Uren

Right.

Gruk

It's like, oh, yeah, you know, he's new, he's young. Like, we all make mistakes. It's not.

Tom Uren

So there's a bias to action. You just have to think about the actions in terms of looking good rather than doing nothing. Always looks bad, I guess, is one thing.

Gruk

Yeah. Like, doing nothing is non escalatory, but it's also not a good way to get promoted.

Tom Uren

Right, yeah.

Gruk

Right. And so I think that they sort of had the strategic culture that they then brought forward because it was just how they knew how to operate. And so what you end up seeing is that they have very, very fast turnaround times, but they also have a range of operations that they do from sort of well planned, well executed, like amazingly. Like the satellite stuff that Turla did. Right. Like, that wasn't a spur of the moment. You know, since we're here, why don't we do this extra thing as well? That was obviously.

Tom Uren

Yeah. So the satellite stuff, they had compromised a device somewhere and they were sending commands to it, but the box was responding to an IP address that didn't exist, and they were using satellite interception infrastructure to complete that back wall. So they were just sitting in the downlink of where the IP address would be, and it was just going on the Internet. It was just going nowhere. But they were able to intercept it and then rent it to their command and control. So I thought that that was very cool, I guess.

Gruk

Right. Like, that was amazing. Like, that was very clever stuff. There's that sort of thing. And then you have, for example, in 2016, when the leak of, like the DNC documents first happened, and it was immediately attributed to Russia because of various sloppy things they did in not properly sanitizing the documents. Like, the usernames of the computers were things like Derzynski or like Iron Felix, the founder of the KGB, and just various other little mistakes like that within 24 hours, they had set up this Persona, Guccifer2. Right. And they'd set this up and they had what we'd call an attribution front. Right. So a front that claimed responsibility and was like, yeah, I'm Romanian, I did all of that. The reason that things like Iron Felix were in the usernames was because I watermarked my stuff by putting in the names of famous people. The next set of documents from the Gucci for two Persona, they sent a PDF that had been printed from Windows. But one of the things Windows will do is if you're like missing a font or like missing an image, it will write in your local language like resource missing. So there were Russian, Russian in the PDF saying resource missing, whatever. That wasn't in the one that they released on the website. That was one of the ones that they sent to a reporter. So it was different. So they'd clearly printed it to PDF differently. But yeah, so when they sanitized the stuff now they had like Margaret Thatcher like written in with a hex editor, like not, not as a username of the PC that was modifying the document, but just as like the hex editor had added it somewhere at the end. And I mean the thing is like that was done amazingly quickly. It was very clever in terms of muddying the water. But like the thing to look at is that there wasn't a lot of effort put in into making things like clean and proper and doing it in a well planned out, thoughtful and well executed way. It was very much like, okay, you know, release the documents. Oh no, things have gone bad. Quick, all hands on deck. Right? How do we fix this? Dmitry, you're on websites you like. Ivan, go and do start emailing people. You know.

Tom Uren

So what I would think of as a western approach to that type of operation, and by that type I mean something very significant where you're concerned about getting caught and having it being effective, like so you want it to work and you don't want to get caught, is that there'd be a whole lot of planning beforehand. There'd probably be like a hundred page document that would list out all the things that could go wrong, the steps.

Gruk

That you take and how you mitigate it or. Yeah, yeah, exactly.

Tom Uren

Whether you accept the risk of that and what you do to mitigate it, what you would do if something went wrong. And so that kind of thing just wouldn't have happened in the first place. And that's the sort of tight control. That document would go up to someone who would actually read it and go, okay, yeah, that seems fair enough. Typically you'd have something like a few questions that they would ask just to make sure that people knew that they weren't just going to sign.

Gruk

Right. There had to be a little bit of pushback. So the U2 spy plane incident, there's the, the YouTube spy plane that was flying over Russia.

Tom Uren

Yeah, the one that got Gary Powers.

Gruk

Yeah, Gary Power, who got shot down. Their cover story was that he was supposed to fly over the North Pole and got lost. He went south instead of north.

Tom Uren

Well, once you're at the North Pole, you have to go south.

Gruk

It's pretty much all south.

Tom Uren

Yeah, yeah, who can blame him?

Gruk

But they had these navigation maps that were loaded on onto the spy plane. So they had actually loaded a cover one for him, and he was supposed to destroy the original one and then, like, the COVID one would be there. So if they look at the. If they look at the wreckage, they would see like, oh, yeah, you know, his flight path was set out to go like this, and he's just obviously strayed 2,000 miles in the wrong direction or, you know, whatever it was. But they didn't just say, like, yeah, he was doing this and he got lost. They created all of the backup documentation. Right. Like, there was all of the. I mean, in human, you'd call it pocket litter. The stuff that you. It's like if you're being dropped into occupied France, you don't want to have like a London ticket theater stop in your pocket, but you do want to have like a Paris theater stop. So, like, that would be the pocket litter sort of thing. We make sure that you have the right stuff for the COVID that you're doing. So, yeah, like, they made sure that all of that stuff was in place. Whereas this initial leak that they did, like, the document leak, like, it seemed very, very amateurish. Right. Like, the amateur way of thinking about things is like, I'm going to rob a bank. So I get a gun, I go into the bank, I say, give me all the money and I've robbed a bank. Like, you get to the point where you've done the part that you think is the actual job, and then you just kind of stop. As opposed to professionals who are like, how am I going to get away? What's the response time in this area? What are the traps I'm going to fall for? Okay, all of that's taken care of. Now then how do I get into the bank? It seemed very much like that where like, they sort of, okay, we're going to release the documents and that's going to do this thing. And they didn't think about what are things that could go wrong.

Tom Uren

Yeah, I mean, one of the things that I find curious is that the US invested a lot in tight control of nuclear commander control. So to make sure that they didn't accidentally fire off a nuclear missile and start a nuclear war. And they would actually go to the Russians and try and encourage them to adopt the same type of culture. And they. I don't think they had a huge amount of success. So it seems like there is this just gulf between the two.

Gruk

Yeah.

Tom Uren

And so your position is just that they think differently about all these things and it comes down to the type of, I guess, prime leader in the way they behave and the type of responses they're getting from their people. Right, right.

Gruk

When I say strategic culture, I do mean sort of culture, but also, like, kind of being molded by whoever's in charge. They can. They can shift it to some degree and it does direct how they operate, but it's still like, it's. It's deeply ingrained, it's in their DNA. And, like, it makes sense to me because if you look at, for example, how the GCHQ do their things, it looks a lot to me like a monarchist lineage. Right. Like all the way back to. What's his name? Wallingham. Right. Where there's very much. You've got the person in charge, the Queen, kind of. Yeah.

Tom Uren

Queen Victoria. I think if you're talking about Frances.

Gruk

Walsingham, I think it was Elizabeth.

Tom Uren

Was it Elizabeth? Yeah, maybe.

Gruk

Yeah. Yeah. I mean, it was like 15 something.

Tom Uren

I've seen the movie with Geoffrey Rush. That's about where he plays Walsingham. Yeah, yeah. The movie's Elizabeth, 1998, and Geoffrey Rush plays Sir Francis Walsingham, who, if I recall correctly, was like her spy master or something like that. Yeah, yeah.

Gruk

Like a whole bunch of stuff. But as a spy master, essentially, what would be happening would be the monarch basically says, I need this thing done. Like, you have authorization to do this, and then within that remit, you basically have a very wide scope of what you can do. The overall thing has been approved. What you're doing is within those parameters. It's up to you to execute. There's no lawyer involved at that point, going over. And that's still sort of how the UK does it. And rather than the monarch making decisions, I think now it's a minister. So you'll go and you'll make a pitch to the minister. If he signs off on it, then it's off to the races, you're good to go. There's probably internal reviews and things like that, but it's very much. It's a bit looser than the US approach, I think.

Tom Uren

Yeah, yeah. So up until 2001, the Australian, it was the Defence Signals Directorate, then the Signals Intelligence agency. Everything it did was just authorised by the Minister. So it was just, here you go, you're good to go and intercept signals. That was it. And so in 2001 they implemented legislation, but that's still very similar where a significant enough operation floats up to the Minister of Defense and sometimes the Prime Minister and the Minister of Foreign Affairs.

Gruk

Right. I mean that would be for something that could lead to an international incident. If it goes.

Tom Uren

It has to be pretty.

Gruk

And you just don't want to. Yeah, you need to have top cover for that and someone could.

Tom Uren

Something like that. It's right. There's different authorizations spelt out in the legislation and I mean lawyers is definitely involved, but it's. It's similar to that in the. It relies on just a single person or two people authorizing it.

Gruk

And then there's China.

Tom Uren

Yes. So some of the colorful things we've learned in those ISOON data leaks. So that was a cyber espionage contracting company and there was leaked messages and leaked materials from that company. And in it were chats and they talk about how they would go around hacking companies and then they would try and sell the stolen data to the Ministry of Public Security or the Ministry of State Security, some government body. One of the notable ones is that one of them broke into the office of Jens Stoltenberg, who is the head of NATO and he was trying to sell the data and the guy comes back and goes, nah, they don't want it. It's not worth anything. Now my thinking about that is that all those types of operations are not the ones that lead to escalation.

Gruk

Right.

Tom Uren

At least not in the short term. And so that kind of makes sense, right?

Gruk

Yeah. So like just to go on the tight and loose thing we've got, the US is very uptight. Then the Commonwealth is, you know, kind of chill, bit relaxed about it. Then you've got the Russian still control.

Tom Uren

But it's, it's. It's just a different way of doing tight control.

Gruk

It's less constrained by the letter of the law and more constrained by the spirit of the law, maybe whatever that means. It's like there's this personal touch of like if the minister makes a reason decision based on what they believe is right, as opposed to a bunch of lawyers who've looked over everything and then say, well, actually authorization for this only came from blah, blah, blah. There's a lot more, I think, leeway for human decision making.

Tom Uren

I guess I would describe it. The Minister is the end of a shorter chain of bureaucracy, less involved Chain.

Gruk

Yeah, absolutely. Then you've got the Russians, which are a lot more of a ask forgiveness culture. So it's the ask forgiveness, not permission. So they'll go out and they'll do things and as long as it's successful and it works, everything's great. And if it's not successful and doesn't work, then it may or may not get fixed up afterwards, but it's one way of doing things. And then you've got the Chinese approach, which is they've got like hundreds of thousands of intelligence officers. Many, many thousands of them are cyber officers. And then you have this sort of freelancer network, commercial space. Like, I often make fun of how the US complains that there's private companies helping the Chinese to do spying.

Tom Uren

Yeah.

Gruk

Because, you know, no one else ever has a military industrial complex. But, you know, there is a qualitative difference between a contractor like Raytheon providing cyber tools, nsa and a random company going out and hacking a bunch of stuff and then coming back and being like, hey, who wants to buy some data? I guess.

Tom Uren

Yeah. So Alex Josky, when we spoke to him, said that the MSS was very focused on ideological purity. And so that in a way it's, if you're not Communist Party enough, we can still use those skills. You'll just be in a contracting company, not within the MSS itself.

Gruk

Right. So, yeah, I've been reading his book actually and like, one of the things that's interesting is that the actual security apparatus that they have mirrors what we see in cyber in that, like, you've got Beijing with their people, but then every regional office has their own MSS and their own stuff. And like each of these regional offices also do foreign intelligence collection. Right. Like they basically, they're more like kingdoms in that they can operate and do their own thing as long as they report up to the emperor. Right. So you do have this complete chaos in a way of like all of these different groups doing their own thing. And I think in that environment it would be impossible to have tight control. It's too big, there's too many people sort of jockeying for power and position to have sort of this top down forced set of instructions. How do you direct 100,000 people?

Tom Uren

Yeah, yeah, yeah.

Gruk

So the approach that the Chinese use is sort of, it's the most loose of any of the command and control infrastructures that we've discussed so far. Essentially, the Communist Party will issue very broad strategic directives of what they want to achieve and then it's sort of up to the lower echelons to implement that.

Tom Uren

Yeah. I'm wondering if there's actually a dual structure in the. A little while ago I wrote about how the PLA kind of disappeared as a hacking force, and yet clearly they're doing something and it seems like they're doing pre positioning and so that seems like that military part where the consequences of getting found are potentially high. They do do seem to have a tighter commander control because it's not as if we're hearing about like isoon hacking critical infrastructure.

Gruk

Right, right.

Tom Uren

And that would be logical, right? That would make sense.

Gruk

Absolutely. I mean, if you're trying to do intelligence collection and one of your assets is you've just got a huge number of people, then as long as you can direct generally what they're focusing on, you can just see what falls out. And that's not really a problem because intelligence collection is sort of. It's not tolerated, but it's accepted as part of the way that the world works. No one's going to start a nuclear war because someone was stealing some information. Like, that's just par for the course. On the other hand, if you've got people going out and flipping the light switches on American cities just to see if they can, and then going to MSS and being like, hey, I tested it out on New York. It works. Can I get any money for this?

Tom Uren

Yeah. So, I mean, what's the story here then? That strategic culture actually is really important. Sometimes nuclear war trumps that and sometimes it doesn't.

Gruk

Yeah. So part of what I find so interesting is like the Commonwealth approach to doing these things dates back hundreds of years of sort of how spy masters have operated within that structure. And so it's drawing on these quite old lineages of just operation. China obviously has millennia of espionage history, but the bureaucracy is very new. Right. It's only post civil war Chinese civil war. And so it's. It's quite young. And it was also developed in this environment of we're very large, but we're very weak and we need to do everything we can to get as strong as possible as fast as possible.

Tom Uren

Yeah. It was basically created after World War II and where they'd been invaded by the Japanese and had a civil war at the same time, which was following.

Gruk

From when they had a warlord era, where there was basically rampant civil war following from when the Qing dynasty got it. It's Q I N G, which is.

Tom Uren

Yeah, that's Qing.

Gruk

Yeah. Okay. So the. In following like the. The Qing Dynasty getting like knocked over by various embarrassing military engagements with the Japanese, which followed on from various embarrassing military engagements from the British, which followed on from. Yeah. Which followed on embarrassing engagements against the Portuguese. So there was a little bit of a history of doing quite poorly against these much more advanced, industrialized and sophisticated opponents. And so I think there is a very recent understanding of, like, we need to catch up and we need to do it quickly.

Tom Uren

So, like, at the end of this discussion, I kind of have this sense that I'm still happy with the US like, they've got this formative, very serious competition that went on for a long time that shaped that culture. I'm actually kind of happy with the Chinese approach because it seems like they have arrived at a place that also matches what their big picture wants are, like they've stolen a whole heap of IP because they've just had an army of contractors go out and steal it. And under broad sort of strategic direction, very loose control. But that.

Gruk

Because it works.

Tom Uren

It was a tidal wave of hacking, but it never really escalated into anything meaningful. And they possibly seem to have the PLA doing the sensitive more under tight control. And that seems to have happened only in the last 10 years, say, and that like. Okay, so that makes sense. So the mystery for me is still just Russian behavior.

Gruk

Russia. I feel a little. I'm not sure how I feel about ask forgiveness when you're talking about international relations.

Tom Uren

You know what's funny, what's funny about the US Approach is it's do exactly what the executive wants, and they actually try and export that approach to the rest of the world as well. It's like, we don't want you doing that hacking. We don't want you doing that hacking. And it's been a total failure.

Gruk

What we see is that, like, each of these different strategic cultures has developed around solving a different set of problems, but somehow the Americans are the only ones who believe that they've found the correct solution.

Tom Uren

Thanks, Scott.

Gruk

Thanks a lot, Tom.