The US needs to change how it hires hackers and other tech talent if it wants to stay competitive in the cyber arena, former FBI special agent Clint Watts told the Senate Armed Services Committee during a Thursday hearing on “cyber-enabled information operations.”
Watts, now a senior fellow at George Washington University’s Center for Cyber and Homeland Security, argued that Russia’s ability to hack into US political organizations last year and launch a sustained disinformation campaign — which it now appears to be replicating ahead of the French and German elections — stemmed not from its “employment of sophisticated technology, but through the employment of top talent.”
Many experts say Russia has harnessed some of the best tech talent in the world because of its willingness to hire hackers who would likely be passed over in the US — either because they aren’t “technologists” in the traditional sense or because their records would preclude them from obtaining security clearance.
“Actual humans, not artificial intelligence, achieved Russia’s recent success in information warfare,” Watts said, referring to Moscow’s election-related meddling.
“Rather than developing cyber operatives internally, Russia leverages an asymmetric advantage by which they co-opt, compromise or coerce components of Russia’s cyber criminal underground,” he added. “Others in Russia with access to sophisticated malware, hacking techniques or botnets are compelled to act on behalf of the Kremlin.”
Brandon Valeriano, a researcher at Cardiff University specializing in international relations and cyber coercion, said the strategy allows the Russians both to “maintain their control over the hackers” and “take advantage of whatever capabilities these hackers might have.”
Ian Bremmer, president of the political risk firm Eurasia Group, went one step further. “Cyber crime and state espionage go hand in hand in Russia’s system,” he told Business Insider last month.
“Russia has employed cyber criminals for state ends for as long as they have been hacking,” Bremmer said. “Private hackers are a source of talent, for one thing, as well as a degree of separation and deniability between state organs and end users.”
The New York Times’ Andrew Kramer reported on the phenomenon in December, writing that “for more than three years, rather than rely on military officers working out of isolated bunkers, Russian government recruiters have scouted a wide range of programmers, placing prominent ads on social media sites, offering jobs to college students and professional coders, and even speaking openly about looking in Russia’s criminal underworld for potential talent.”
“If you graduated from college, if you are a technical specialist, if you are ready to use your knowledge, we give you an opportunity,” one of the ads read, according to the Times.
But cybersecurity expert Dave Aitel cautioned against emulating the Russians’ strategy of outsourcing cyber operations to actors the government might not be able to fully control.
“There’s no point in hiring people you don’t trust, or trust less, to do these kinds of operations,” said Aitel, CEO of the cybersecurity firm Immunity, Inc., and former research scientist at the National Security Agency. “That doesn’t mean there isn’t room for outsourcing, but then the question becomes how the government can manage these risks in an intelligent way.”
Aitel suggested that, rather than outsource tasks or projects to particular individuals without security clearance, the government could allow private companies specializing in penetration testing — the practice of testing a computer system, network or application to find vulnerabilities that a hacker could exploit — to apply for security clearance and compete for a contract.
The scoping and goal of this agency’s work, Aitel said, would require “massive transparency,” as well as legislative liability carve-outs to protect private citizens and firms who have been entrusted to take the reigns on a state-sponsored cyber operation.
“There’s a lot of risk,” Aitel said. “How do you protect those people? Are they going to get kneecapped? They’re not government employees, so they’re not afforded the same protections both domestically and internationally.”
Either way, most experts agree that the US needs a dramatically new approach to countering Russia’s cyber-enabled influence operations.
“When the U.S. has done something to date, at best, it has been ineffective, and at worst, it has been counterproductive,” Watts said on Thursday.
“America will only succeed in countering Russian influence by turning its current approaches upside down,” Watts added, “clearly determining what it seeks to achieve with its counter influence strategy and then harnessing top talent empowered, rather than shackled, by technology.”