To massively downplay over a century’s worth of strife, it’s fair to say that the US and Russia don’t really get along. These squabbles have manifested themselves in many ways: the US implementing trade embargoes (as it did following the Bolshevik Revolution) and Russia moving its missiles into Cuba, for example. But now the two nations have a new tool with which to mess with each other: hacking.

In recent days, the US Government has formally accused Russia of hacking the Democratic National Committee’s (DNC) computer networks and stealing more than 19,000 emails from Democratic party officials, including presidential nominee Hillary Clinton (the formal bit is important because the US has been accusing Russia behind closed doors for months). “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities,” said the office of the director of national intelligence and the Department of Homeland Security (DHS) in a joint statement; to which President Vladimir Putin eloquently retorted “rubbish”.

Since June last year, US cyber-security company CrowdStrike has been alleging that the DNC hack was orchestrated by Russian intelligence-affiliated hackers. Writing about the two hacking groups that CrowdStrike believed breached the DNC’s network – Cozy Bear and Fancy Bear – the company said: “Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities.”

CrowdStrike’s president is the former executive assistant director of the FBI, Shawn Henry. He spent 24 years running the bureau’s criminal and cyber investigations globally, so although this may be a relatively new political weapon to us, Henry has been aware of the problem for decades. “I knew back in the mid-90s that it was a big issue and it was going to grow. We’d seen certain types of criminal activity migrate to the network, child exploitation was one, but I really saw, and colleagues that I worked with [saw], this existential threat because of the ability of adversaries to target information well beyond child exploitation,” says Henry.

Has Russia crossed a line?

If Russia is behind the DNC attack – and that’s looking increasingly likely – then that in itself wouldn’t be anything extraordinary. Nations have always gathered information on each other, and the intelligence community accepts that this happens. It would, however, be extraordinary if Russia had decided to use stolen information to influence US politics.

“I think that attack is really a defining moment in this space. People can see that the theft of information for espionage is acceptable if it’s about finding out what a future leader is going to do, what their national security strategies are and what their economic strategies are. That’s fair game from an espionage perspective,” says Henry. “If that information is used to have some impact in terms of affecting the election it changes the dynamic, and the US state department and the Obama administration have to have that discussion with the Russian Government to find what’s acceptable and what’s not, and this is a defining moment in that space.”

“If you get to the point where nations are taking aggressive actions against other nations, where they’re taking information they’ve collected and turning it into some type of an operation that changes the dynamic, then we have to decide what the norms are. In the physical world, if nations are taking actions against other nations that’s typically not accepted. We see sanctions occur all the time because of actions nations have taken against other nations, physical actions. In cyber and information security I think it’s very similar: nations have to define what’s acceptable and what’s not, and if you cross the red line there can’t be gray area. There have to be clear red lines, nations know what the response is going to be, and only then can we really come up with clear norms.”

Is cyber terrorism the new terrorism?

Henry is quite clear that cyber attacks constitute an existential threat, so what nations now have at their disposal is a cost-effective tool that can potentially put victims’ very existence at risk. Is it any wonder, then, that more and more high-profile attacks are being reported? Not really; in fact it’s not hard to imagine a day when cyber terrorism replaces physical terrorism altogether, although Henry doesn’t think we’ve reached that stage yet.

“What we’re seeing is not a displacement of physical [terrorism] in support of cyber, but the merging of the two. Where we see attacks on critical infrastructure where information security, or lack of information security, is enabling physical implications of digital attacks, where you see destructions of networks like we saw in Sony or Saudi Aramco, then that’s [an example of] merging and there’s a blurred line there,” says Henry. “That should be a cause for concern because when you see that merging it’s not just the loss of data but it’s the physical destruction of property and potentially life. That’s a big issue.”

“It’s a weapon. This is an attack vector. If you think about who the adversaries are – organised crime groups, nation states, terrorists – it’s just another tool in their arsenal. Terrorists interested in attacking critical infrastructure: transportation, electricity, water and sewer [systems], they might use kinetic attacks, they might use IEDs [improvised explosive devices], but they might also attack the computers that run those systems. The impact is the same,” explains Henry. “In some cases it may be greater, it may be safer and more cost-effective to do it digitally and electronically, and as they recognise that, they’re going to migrate to that attack vector; but it all comes down to who the adversaries are. That’s why attribution is so important, because then you can better detect and deter the adversaries. Attribution is critical because the attack vector is going to constantly change, but the adversaries are not.”

Good guys versus bad guys

Hacking may be a tool used by terrorist groups, but it isn’t a weapon used exclusively by them and other criminals. Consider the case of Edward Snowden, who, in revealing thousands of classified NSA documents to journalists, was simultaneously called a hero, a whistleblower, a dissident, a patriot, a traitor and a terrorist. Depending on the circumstances, a hacker can be good, bad or both, and sometimes it may be in the public’s best interest to have information leaked.

“I think that citizens have the right to privacy and that citizens have an obligation where they see abuses by a government to call it out. I absolutely believe that, and I’ve said many times that the media plays an important role in identifying abuses and bringing abuses to the public [arena]. I think that that’s critically important,” says Henry. “I don’t put Snowden in that category; I think that if Snowden saw things that he thought were abuses that there were avenues for him to pursue lawfully and legally to call them out, and I think that he had a right to do that if he saw something that was an abuse. Without going into all the details I don’t think that’s what happened in Snowden’s case. I don’t think that that’s the case, and I think that the media has somewhat twisted or misinterpreted some of that based on what I know.”

“I’ve been on both sides of this equation for a long time, but that said, I think that governments have a fundamental right to protect their citizens and they need to do it in a way that doesn’t impinge or impose upon their civil liberties, and that’s a delicate balance. Using the terrorism example, governments have a right to protect their citizens that allows them to be safe, but the citizens have to define where the balance is. If every time you try to get on the tube you have a police officer who wants to physically search you the citizens might say ‘I’m not going to abide by that; I don’t think the risk of terrorism is that high that I’m going to have a physical strip search every time I get on the tube’. There might be other occasions where citizens understand and maybe when I go to the airport it’s acceptable because the risk is so high. That’s a balance and I think the citizens have to weigh in and I think that citizens ultimately will weigh in.”

Unwinnable war

Regardless of the safeguards that Henry believes are in place to protect against Snowden-style patriotism, the battle between cyber-security teams and cyber criminals can’t be reduced to a battle of good versus evil; normally, though, we would want governments to collect and retain reasonable amounts of intelligence to keep citizens safe. Given the vulnerabilities exposed by the DNC hack, can we trust governments to protect their data, or are cyber-security experts like Henry and CrowdStrike fighting an unwinnable war?

“We’re never going to win. Winning to me would be stopping it, all out stopping it. We’re not going to end cyber attacks, we’re going to manage them, and we manage them by detecting them and mitigating the consequences of the attack, so we manage the impact. When I was in the FBI my agents would go out every single day, dozens of times a week and tell companies that they’d been breached because the companies didn’t know, and after they did an analysis those companies would find out that the adversaries were in their network for months or years, undetected,” says Henry.

“If you can detect them immediately, and within hours or even days disrupt the attack, you can mitigate the consequences. That’s managing the attack, but I don’t think that we’re going to end the attacks anytime soon.

“That philosophy in the physical world has been in place for hundreds of years, about detection and prevention and adversary attribution. It’s the primary, fundamental tenet of law enforcement. How do you stop people from robbing banks? You identify who they are, and you mitigate them by arresting them and putting them in jail. If you can stop them in advance of them robbing banks then that’s being proactive. It’s the same in any other type of law enforcement action; it’s the same in terrorism: countering terrorism is about using intelligence and being proactive. If what we did in information security was purely reactionary, more and more companies would be breached. There’s been a change and a shift in that focus in information security.”

If anyone can, the US can

If any state can afford to throw cash at online defence then it’s surely the US, which, according to the National Priorities Project, spent $598.5bn on its military and defence in 2015, more than the next seven highest-spending countries combined. But does the US Government have the talent at its disposal to make an impact in this area, or are talented hackers and cyber-security experts being lost to the private sector, as Henry was?

“The government has capabilities because they have resources, and there are good people that work in government, but there are a lot of good people in the private sector and I’ve seen a lot of people leave government and move into the commercial space as the demand [for their talents] has increased because they [the private sector] can afford to pay.”

But whatever it does, the US needs to move fast, especially with a presidential election approaching and mounting worries that Russia has already crossed a line. Henry, for one, is calling for a philosophical change in tactics if the US is to defend itself against online attacks.

“The reason I left the government and came to CrowdStrike was because I recognised the real risk in information security, I recognised what adversaries’ capabilities were and how they were evolving, and I wanted to use the methodology that I’d used in the government for years and I wanted to apply it to the network, using intelligence to peer around the corner and see what’s coming and disrupt the adversaries before they have the opportunity to destroy a network. That is game-changing in information security. It’s moving from reactive defence in-depth to proactive disruption. That’s game-changing, and that’s where companies need to move, that’s where governments need to move and it’s a philosophical change.”