The last two days have seen two major developments regarding Russian hacking. First, Russian President Vladimir Putin tacitly admitted that Russian hackers might have influenced the U.S. election, but claimed that any hackers were just patriots, acting independently of the Russian government. Then The Intercept published a leaked NSA report stating that Russian military intelligence had tried to penetrate U.S. voting systems. Tim Maurer co-directs the Cyber Policy Initiative at the Carnegie Endowment for International Peace, and is the author of the forthcoming Cambridge University Press book "Cyber Mercenaries." I asked him a series of questions about these dramatic events.
President Putin, in an interview, suggested that patriotic Russian hackers had perhaps acted entirely independently of the Russian government. He also claimed that state hackers have never interfered with foreign elections. How credible are these claims, given your research and the newly leaked NSA report?
Many Russian hackers, including those engaged in cybercrime, are politically motivated and patriotic. It is therefore possible that they could act autonomously of the government while their actions still benefit the Kremlin. However, the January 2017 joint report of the U.S. intelligence community paints a very different picture detailing that the Russian government was directly involved in interfering with the U.S. elections in 2016. Moreover, even if Russian hackers acted independently, it doesn't mean that Moscow couldn't have stopped them given the power of its security services, especially after President Obama's warnings.
Why might Putin have wanted to admit that Russian hackers were involved in the U.S. election, even if he doesn't admit that they were likely working with the state in some way?
With the recent allegations about Russia's military intelligence targeting U.S. voting software suppliers, more and more details are becoming available about what looks like a comprehensive, multifaceted operation targeting U.S. elections in 2016. After the Kremlin tried to deflect initial reports about the Kremlin's involvement as "nonsense," such attempts are losing their effectiveness as more and more details to the contrary come to light. Bear in mind that this issue is not only closely watched in the U.S. but around the world and Moscow needs to be mindful of the court of public opinion not just in Washington but elsewhere, be it Beijing, New Delhi or Berlin. With Putin now pointing to Russian hackers acting independently of the Russian government, he might be trying to maintain plausible deniability while also identifying a potential scapegoat (that he might eventually be willing to sacrifice on the geopolitical altar).
Has Russia tried in the past to take advantage of how hard it is to attribute hacks specifically to states or private actors?
Yes, absolutely. For years, there have been rumors about how Moscow has created a permissive environment for hackers to operate as long as they would refrain from hitting targets in Russia. The Kremlin's sanctioning of such activity in turn provides the government with the ability to mobilize such private actors when needed. For example, the March 2017 U.S. indictment of three Russian and one Canadian hackers is one of the most detailed accounts of how such relationships (allegedly) work. According to the indictment, a Russian national, sought by the FBI as one of its Cyber Most Wanted, was working with two agents of the Russian FSB to hack Yahoo accounts while also being allowed to make personal profit on the side through credit card fraud, spam, and redirecting search traffic.
In your forthcoming book, you talk about three relationships that states can have with purportedly independent hackers — delegation, orchestration and sanctioning. What are the differences between these kinds of relationships?
The difference is essentially the degree of detachment between the state and the hackers. Delegation describes relationships where the state keeps the private actor on a very tight leash. Think of conventional private military and security contractors. There is a growing market of private cybersecurity contractors offering defensive and offensive tools and services with such ties to governments. Orchestration describes murkier relationships. The private actor is not under the state's effective control but rather orchestrated by the latter and supported through funding, tools or information. Iran is a good case study for such proxy relationships, which are not unique to cyberspace and hackers but emulate states' conventional interactions with nonstate actors. Finally, sanctioning is about what counterterrorist experts have called passive support; a situation where a state is not actively supporting a nonstate actor but knows of its existence and activities, yet does not take action to stop them or is willing to cooperate to stop them.
Which of these relationships best describes interactions between the Russian state and non-state employed Russian hackers?
Sanctioning, or passive support, best describes the environment in Russia. The Russian government is turning a blind eye to the activities of Russian hackers as long as they focus on targets abroad. Nevertheless, Russian security agencies maintain a vast and effective network to crack down on hackers if necessary. In fact, when I met with security researchers and hackers in Ukraine in 2015, they suggested that some Russian hackers were leaving the region and moving abroad to countries in Southeast Asia and elsewhere precisely so they could worry less about the FSB showing up on their doorstep any second.