
Cyberattacks: What can Biden do about Russian hackers? Not much, says Dmitri Alperovitch, Founder of CrowdStrike

Dmitri Alperovitch, Founder of CrowdStrike Photo: Forbes
In this wide-ranging conversation with Bloomberg editor and writer Tobin Harshaw, Dmitri Alperovitch, Founder of CrowdStrike, discusses Fancy Bear, ransomware, the growing threat from North Korea, and what the United States Government can do about any of it, in light of the list of 16 critical infrastructure "entities" that President Joe Biden recently presented to Russian President Vladimir Putin as "off-limits" to cyberattacks. Excerpts:

Gbenga Kayode | ConsumerConnect

When he met Russian leader Vladimir Putin in June 2021, United States (US) President Joe Biden presented and discussed a list of 16 critical infrastructure "entities" that must be "off-limits" to cyberattacks.

This, according to an agency report, raised a fairly obvious question: Is everything else fair game, then? And another: Just what do you think you can do about it, Joe?

The latter is something the US and its Western allies have been struggling with openly ever since Russia’s meddling in the 2016 presidential election.

It has become increasingly pressing given ransomware attacks like that on the Colonial Pipeline.

United States President Joe Biden (l) and Vladimir Putin, President of Russia

Yet, Putin has a solid advantage in plausible deniability — how can anyone prove these groups are directly tied to the Kremlin? — and it’s unclear that he could really stop them if he wanted to.

To discuss Biden's options, Putin's culpability, and why Russian hacking groups have such silly names, Harshaw turned to Dmitri Alperovitch, Founder and former Chief Technology Officer of the cybersecurity firm CrowdStrike, for his take on all of this.

CrowdStrike is credited with leading the investigations of the hacks of Sony Pictures Entertainment Incorporated, the Democratic National Committee, and others.

Alperovitch, who left Russia at age 14 and is a US citizen, now heads Silverado Policy Accelerator, a nonprofit seeking “bipartisan economic, strategic, and technological policy solutions.” Here is a lightly edited transcript of our discussion:

Tobin Harshaw: You were born in Russia. Do you have a theory for why it produces so many hackers?

I don’t think it’s anything specific to Russia. I think in some ways it’s analogous to why you had some of the early organised criminal groups evolve in Italy.

Law enforcement was not taking action against those criminals early on, and it gave them a chance to learn to evolve, to develop sophisticated business schemes, and get really good over time.

It’s not that cyber criminals don’t exist in the West or aren’t any good, it’s just that their shelf life in terms of staying out of jail is not very long.

You’ve been one of the leaders of sourcing attacks to Russian hacking groups. But do you think they can be linked more directly to the Kremlin itself?

You have to separate the two. There are attacks that are being launched directly by Russian intelligence services and the Russian military; certainly the 2016 elections are part of that. Recent ransomware attacks, however, are separate.

There’s no indication that they’re connected to the Russian government. It appears that these are simply criminals that are operating from Russia, but are provided safe haven by Russian law enforcement, in that they are not arresting them, they’re not prosecuting them, they’re not pressuring them to stop.

This is in part probably because local officials, mid-level officials, in the Russian intelligence services and Russian law enforcement are likely getting payoffs from these people.

Even if the Kremlin is not directly involved, it still benefits by these attacks putting a lot of pressure on our way of doing business and politics.

It absolutely does, and you know as President Biden has said, even if Russia is only harboring these people and is not directing the operations, that’s enough for us to start holding them accountable.

Biden has talked about a ‘proportional response’. But it’s unclear to a lot of people what that means, and certainly sanctions haven’t been terribly effective, whether they’ve been for hacking attacks or for aggression against Ukraine or what have you. What would such a proportionate response look like in cyber itself?

Well first of all I think we have to disabuse ourselves of the notion that the response has to be in cyber.

We never hold ourselves to that standard in any other domain. So, it is the position of the US government that the response will be proportional, but not necessarily in the same domain.

The response can be varied. It can certainly be indictments and attempts to arrest these people, particularly when they travel overseas.

It can be attempts to put pressure on the Russian government to start arresting these people, and maybe some cyber operations to try to disrupt their operations in progress, which would not necessarily have a deterrent effect, but may slow them down and make it more difficult for them.

If there is a US cyber-counterattack, what might it look like specifically?

This would not be an operation against Russia as much as it would be an operation against these criminals directly.

An example is one we saw last month (June), when the US Government was able to retrieve part of the ransom money from the Colonial Pipeline criminals.

Denying them access to the funds that they’ve been able to procure via these illicit activities is a very good action.

So, Biden and Putin talked again about this the other day. Do you feel that there was any progress made there, or is Putin just going to continue to do whatever Putin wants, the way that he does in geopolitics otherwise?

I co-wrote an op-ed in the Washington Post, arguing for a need to deliver a private ultimatum to Putin — that unless he starts acting, there will be severe repercussions.

I don’t know if that ultimatum was delivered; in fact, we argued that such an ultimatum should be delivered privately, not publicly.

The fact that the sites for the hacker group REvil went down suspiciously on Tuesday may be an indication that some action is being done.

There has been speculation that the Russian Government may have been responsible for the REvil blackout on the dark web, or it may have been the US. Is it too early to speculate?

It doesn’t look likely that it’s the US. It doesn’t look like it’s a cyber operation. It doesn’t look like it’s a law-enforcement operation.

The most likely scenarios are that REvil did it voluntarily because they wanted to lay low for a little bit, maybe take a summer vacation, or maybe they got pressure from the Russian government.

You co-wrote another article this spring that called Russia’s SolarWinds attack “highly targeted and even quite responsible,” as opposed to the China Microsoft hack being “unfocused and dangerous.” What does that mean?

The US Government found the SolarWinds attack objectionable, but that doesn’t necessarily mean anything, because we always find espionage objectionable of course, as does any country.

But we acknowledged that it’s an acceptable norm, and every country will engage in it. The targets were very constrained to the US Government and other infrastructure that would be used to penetrate the US Government, and nothing was destroyed.

When they hit targets that were not part of their interest, they voluntarily shut down their own access to it and ability to do so in the future.

In every respect this was a very responsible espionage operation, not unlike one that the US Government would want to orchestrate against the Russian government or Chinese government.

That’s what intelligence agencies do, right? They do espionage, and we want the Russian government to do it in a responsible fashion. Some of their previous intrusions were not responsible, and the US government has called them out on it.

And so far at least, the information that was stolen has not been weaponised, has not been leaked anywhere, has not been used for disinformation campaigns, so that is also an encouraging sign.

So what was the purpose if none of that was done?

Well with traditional espionage, the purpose is to inform your government on what the other side is thinking of doing.

China and Microsoft, then?

Yes, China was a very different situation. It started out as an espionage campaign — them wanting to get access to their traditional targets — nonprofits, think tanks, dissidents, etc. — via this vulnerability that they discovered in Microsoft Exchange.

However, at some point, and we don’t yet know how, they got wind of the fact that Microsoft was now aware of this vulnerability and was going to issue a patch which would close down their access to further victims.

So, what they did then in response was highly unusual and completely irresponsible, which was to scan pretty much the entire internet, find any vulnerable mail servers and exploit them all, regardless of whether they were legitimate targets or not, and leave the door open for others to come in through that vulnerability and conduct further attacks against those organizations.

And we saw ransomware attacks being done not by the Chinese but by other groups that leveraged the access from China. That whole part of the operation was of course completely objectionable because it was not constrained to a legitimate purpose.

You opened up these organisations to true damage, not just theft of information but destruction, and that’s something that we have to stand up very strongly against.

For the last year you have pinned to the top of your Twitter account the comment that “We don’t have a cyber problem, we have a China, Russia, Iran and North Korea problem.”

When you look at the vast majority of the attacks that we’re seeing, both cybercrime and nation-state sponsored attacks, they’re emanating from these four countries.

So, whether the government itself is involved in those attacks or they’re simply tolerating it, they are the real problem and the reason of course is that they are our principal adversaries in the geopolitical sphere.

Not to belittle the Iran and North Korea threats, but certainly China is America’s biggest geopolitical threat in all senses. Where does it stand in terms of being a cyberthreat, compared to the level of Russia?

So it’s different, and all four present different types of risks, both in traditional geopolitics as well as in cyber.

When it comes to China, the vast majority of the attacks, and this is why the Microsoft Exchange attacks stand out so brightly among them all, have been in the area of traditional espionage as well as economic espionage.

Breaking into companies, stealing their intellectual property, giving it to the domestic industry to help it better compete. There have been very few destructive attacks emanating from China, and there has actually been fairly little cybercrime activity emanating from there as well, as the Chinese would want to keep close tabs on any cybercriminals and keep them under close control.

But we’re starting to see some signs where things are loosening up and becoming a little bit more reckless, and the Exchange hacks are one sign of that.

How about the Russian challenge?

Russia presents a very different challenge. They of course are doing traditional espionage via cyber means.

They are doing some intellectual property theft, but it’s actually not a huge part of their operations because they just don’t have as huge of a domestic industry as China does that can benefit from it.

And of course they’re doing election interference campaigns. They’re doing destructive attacks like they did against Ukraine that spread and affected a number of American companies.

They’re attacking innocent institutions, like the Olympics in 2018 in South Korea. And you know they’re tolerating cybercrime — these ransomware attacks are becoming a critical US national security threat they’re allowing to continue.

When it comes to North Korea, I’ve argued that they are the most innovative threat actor and I worry a lot about the future, particularly if we get to some sort of accommodation with Russia, which I do think is possible on cybercrime.

The North Koreans may very well take up that void, and of course we have very few pressure points against them, given that they’re a rogue regime that’s already sanctioned to the hilt and we have deep concerns about their nuclear and ballistic missile programmes.

They’ve engaged in basically state-sponsored cybercrime. They don’t necessarily have independent criminal groups, but their intelligence agencies are being given free rein to conduct these operations to raise funds for the regime’s nuclear and ballistic missile programmes.

The RGB, their main intelligence agency, has been breaking into banks, and they stole hundreds of millions of dollars in funds.

They have broken into cryptocurrency exchanges. They’ve done some ransomware operations. And they do traditional espionage and some intellectual property theft as well.

And then Iran. I can’t forget about that little dam up in Westchester County that they hacked five years ago. Obviously, they’ve done bigger things than that.

That’s right, they’ve attacked Aramco, they’ve attacked Sheldon Adelson’s Sands Casino. They’ve conducted espionage attacks, they’ve conducted deep-penetration campaigns against the US military.

So, they’re a force to be reckoned with for sure, and they’ve got criminals within Iran that have conducted similar campaigns as well.

Then again, they’ve been on the receiving side, with attacks on their nuclear programme.

That’s right. What’s interesting about Iran is that when you look at North Korea, when you look at China, when you look at Russia, they all got into the cyber game very early on. The Russians started in it probably before anyone else, in the ’80s.

The Chinese and the North Koreans joined in the late ’90s. But the Iranians really did not have a cyber program until they found out they got hit with Stuxnet in 2010, and that triggered huge investments in offensive capability as well as defensive capability, and that’s when we started to see a rise in these attacks coming from Iran.

When we were talking about North Korea, you mentioned a possible future accommodation with Russia. How do you see that taking place — as part of a larger geopolitical agreement?

You can only make progress with Russia if you are very focused. If you’re not coming in with the kitchen sink’s worth of demands, and you’re very precise about what will happen if they do not cooperate.

And that’s why I think focusing on ransomware is so important. Because unquestionably when our pipelines are going down, when our meat processors are being ransomed, when small businesses all over the country are getting hit by these attacks, we can’t tolerate this.

We can tolerate espionage. I mean we don’t have to be happy about it, but that’s sort of “good on them, shame on us” for letting them.

I doubt very much that we would make any progress on election interference matters, because the Russians rightly or wrongly think that we are interfering in their elections by supporting Alexey Navalny and other dissident groups.

But ransomware is one of those things where, on one hand, it has a huge impact on us, so we care enormously about it, and at the same time, Putin doesn’t care about these people, he doesn’t really care about these operations, they’re not being conducted by his government, so you could see him making some tradeoffs.
