The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

If anyone understands Russian cyber dangers, it's Estonia's former president

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Comment

Welcome to The Cybersecurity 202! I say any alleged list of the greatest romantic comedies that doesn’t include “His Girl Friday” is way off the mark. Also, probably not top 50 but Albert Brooks’s 1991 rom com “Defending Your Life” is underrated. 

Below: The Biden administration’s planning a government spyware ban, and a new legal ruling says scraping websites doesn’t count as hacking. 

Estonia's former president has warnings for Ukraine

Toomas Hendrik Ilves knows what it’s like to face a grueling Russian cyberattack.  

As president of Estonia in 2007, he led his nation through a blistering digital attack that shut down government and financial websites for days. 

The digital strike was an apparent Kremlin response to the removal of a Soviet-era statue in Estonia’s capital of Tallinn and the first-known example of a major nation-on-nation cyberattack. The Kremlin denied responsibility for that attack, as well as later attacks targeting Georgia, Ukraine, the United States and European nations.

Now, as Russia’s invasion of Ukraine enters its second month, Ilves is warning that Russia could turn to disruptive or even destructive cyberattacks to alter the course of the conflict. 

“If things go badly for Russia, I think they'll pull out all the stops,” Ilves told me in an interview.

In the years since the attack, Ilves, who served from 2006 to 2016, has been a strong advocate for cyberdefense and cyber cooperation between nations. He's also been a harsh critic of Russian aggression in cyberspace and elsewhere. 

Here’s part of our conversation. It's been condensed for length and clarity.

Are you surprised hacking hasn’t played a bigger role so far in the Ukraine invasion? 

“I am, frankly, given the history of Russian behavior and Russian behavior in Ukraine in particular. They have [cyberattacked] Ukraine in the past [including a 2015 hack that disrupted large portions of the nation’s power grid]. But we haven’t seen anything debilitating — yet. I should always say yet.”  

Why do you think that is?

“I suspect it's that Russia would get the same back. Russia's power militarily is overwhelming in terms of manpower and weaponry, whereas there's much more of a level playing field when it comes to cyberwarfare. It's much easier for Ukraine to do to Russia back what Russia could do to Ukraine.”

Do you expect more damaging cyberattacks in Ukraine or targeting the West as the conflict grinds on?

“They’ve basically performed the first step [for significant destructive attacks by hacking into major industrial systems in many nations]. They have massive capabilities, and they are very good. But, so far, up to the second we’re speaking we have not seen that used in a particularly destructive way. That might change by the time you reach your deadline.”

Could some of the dearth of cyberattacks be because of improved Ukrainian cyberdefense?

“Well, I'm sure they're much better. I say that with pride because Estonia has been helping them on [cyber] defense since 2015.”

Was it difficult to get other nations to pay attention to the 2007 attacks in Estonia and the Russian hacking threat?

“As NATO allies, we went to NATO [in 2007] and said, ‘Look, we have this attack.’ And some very large countries just refused to believe us. Most of these those countries — maybe even today, but certainly at that time — couldn't tell the difference between a toaster oven and a laptop. They told us, ‘You're just being Russophobic.’ Basically, the two countries that got it were the U.S. and the U.K.”

Have things changed? Are some NATO nations still underestimating the threat?

“Anybody who actually knows anything about these issues is not underestimating it. But at the political level, we have seen grotesque levels of ignoring evidence.”

Has NATO become substantially better at cyber since 2007?

“Each country has gotten a lot better. That doesn’t necessarily mean there’s a lot of cooperation.”

What’s the biggest challenge?

“There's a hesitancy to share information. For NATO weaponry, you have interoperability. You can take a French jet and put on a U.S. missile and it clasps right on. But when it comes to cyber, we have an extreme reticence to share information.”

“Also, kinetic war is determined by geography. I mean, it's the North Atlantic Treaty Organization. But in cyber targeting Torino, Toronto and Tokyo, there's no difference. So countries like Japan, South Korea, Taiwan, Australia, New Zealand should be as much a part of a collective cybersecurity system as NATO I would argue.”

Estonia doubled down on relying on technology after 2007 despite the cyberthreat. Was there any thought about making the nation less reliant on the Internet for vital services?

“The problem is that [industries] are all increasingly digital. Everything that runs water and energy, they are more digital. So the only thing you can really worry about is resilience.”

Estonians vote online as part of a digital identification system that includes banking and other service. There’s been a push for online voting in the United States that’s been resisted by cybersecurity experts. Could the Estonian system work elsewhere?

“Not unless you take the whole ecosystem that we have, which is extremely robust. Don't ever do digital voting unless you have all the other stuff.” [Estonia’s digital voting system has also been criticized by cyber experts who reviewed the system and say it doesn’t have sufficient protections to withstand hacking by against advanced adversaries].

“There are basically three pillars for digital security. You need a secure, unique identity so no one else can be you. The second pillar is the architecture, which should be as distributed as possible so that if anything is hit, then other things are still safe. The third thing, which has gotten far too little attention, is data integrity. If someone changes the record of my blood type and I end up in the hospital, that could kill me.”

That first element would be a tough sell in the United States, where there’s a long-standing aversion to a national ID system — digital or otherwise. 

“The U.S. has a bizarre thing about identity. It’s kind of irrational. Everyone has a driver’s license that would be perfect to put a chip on for identity. You could have encryption and multi-factor authentication.”

The keys

The Biden administration plans to ban some U.S. government spyware purchases

The Biden administration plans to launch “a ban on U.S. government purchase or use of foreign commercial spyware that poses counterintelligence and security risks for the U.S. government or has been improperly used abroad,” White House spokesperson Adrienne Watson told the New Yorker’s Ronan Farrow. 

The U.S. government previously restricted NSO’s ability to receive American technologies in the wake of an investigation by The Washington Post and 16 media partners, which found that Pegasus was used to target dozens of journalists, activists and executives.

Here are a couple other takeaways from Farrow’s 9,000-word deep dive into NSO:

The United Kingdom’s government was seemingly targeted

  • In mid-2020, Pegasus infected a device on the network of 10 Downing Street, the office of Prime Minister Boris Johnson, the research group Citizen Lab found. U.K. investigators weren’t able to find the infected device, but Citizen Lab suspects the hack “included the exfiltration of data.” 
  • NSO told the New Yorker that the allegations were false. Citizen Lab also found that phones connected to the U.K. Foreign Office were hacked at least five times from mid-2020 to mid-2021. 
  • NSO later said it was blocking its spyware from being able to target U.K. numbers.

Tech companies dueled with NSO in the shadows

  • Farrow also extensively details the cat-and-mouse game between NSO and U.S. companies like WhatsApp, which are trying to protect their users from being hacked. 

In 2019, WhatsApp fixed a flaw in its software that had allowed Pegasus to steal data from victims’ phones. During the process, WhatsApp engineers found a link to the music video for Rick Astley's “Never Gonna Give You Up,” a popular Internet meme signaling “we know what you did, we see you,” WhatsApp head Will Cathcart said.

Catalan separatists targeted with NSO spyware

Dozens of people from Spain’s autonomous northeastern Catalonia region, including elected officials, members of the European Parliament and lawyers, were targeted with spyware, researchers from Citizen Lab said. It’s “by far the largest” number of NSO targets and victims that the researchers have uncovered in a single investigation, they wrote. Some were also targeted with spyware made by Candiru, another Israeli firm.

The victims were targeted while Spain’s government and officials in Catalonia were in negotiations about autonomy, Citizen Lab wrote. Farrow first reported on the hack. 

“Many of the victims were not charged with serious crimes, and most were neither criminals and certainly not terrorists — the typical justifications mercenary surveillance companies employ for sales of their spyware to government clients,” the researchers wrote. They didn’t definitely say who was behind the hacks, but wrote that there is “strong circumstantial evidence” to suggest that Spain’s government was responsible.

U.S. appeals court rules that digitally ‘scraping’ public information isn’t hacking

The decision implements a recent Supreme Court ruling that significantly pared down what counts as hacking under the United States’ main anti-hacking law. Cyber experts have long said the law was interpreted too broadly.

The 9th Circuit Court of Appeals' decision is a loss for LinkedIn, which argued that competitor hiQ Labs violated the hacking law by using computer tools to extract large amounts of data from its customers profiles, as CyberScoop’s Tonya Riley reports

LinkedIn, which is owned by Microsoft, says the fight isn’t over. “We’re disappointed, but this was a preliminary ruling and the case is far from over,” LinkedIn told CyberScoop. “We will continue to fight to protect our members’ ability to control the information they make available.” 

That doesn't mean scraping is innocuous: Tech companies and activists have opposed scraping in many cases, arguing that when companies like facial recognition firm Clearview AI take user data from their sites, they’re harming people and violating their privacy.

Securing the ballot

Trump allies continue legal drive to erase his loss, stoking election doubts (The New York Times)

‘Election integrity summits’ aim to fire up Trump activists over big lie (The Guardian)

Global cyberspace

Ukraine war stokes concerns in Taiwan over its fragile Internet links (The Wall Street Journal)

Cyber-attack on Bulgarian Posts disrupts payment of pensions (Bulgarian National Television)

Government scan

Cyber Command details $236 million in new spending wish list (The Record)

One-on-one with the Air Force’s cyber chief (The Record)

Cyber insecurity

Beanstalk cryptocurrency project robbed after hacker votes to send themself $182 million (The Verge)

Daybook

  • The Joint Service Academy Cybersecurity Summit kicks off at 10:30 a.m. Wednesday.
  • The Cyber Threat Alliance and Radware host an event on cyberthreats and trends on Thursday at 11 a.m.
  • The Atlantic Council hosts an event on recently discovered malware targeting industrial control systems on Friday at 9:30 a.m.

Secure log off

“Leave the rooster story alone. That's human interest!" Thanks for reading. See you tomorrow.

Loading...