Earlier this week I conducted a follow-up discussion with an industry colleague about global cyber attack activity, specifically related to Russia and the situation in Syria. It was a valuable conversation so I want to share my thoughts on the topics we debated.

Our dialog began with a simple query: will Russia escalate its cyber attacks against the United States in retaliation for the military response the U.S. took against Syria after Assad’s chemical weapons attack against its very own citizens?

This is an interesting question for a few reasons. The chief issue with this specific question, and with discussions surrounding this topic in general, is that there is no agreed-upon, clear definition of what exactly constitutes a cyber attack. There is no way to answer the question before defining the term. So let's start there.

Is a cyber attack defined as the mere exploitation of a vulnerability, and subsequent acquisition of access to a target network? Does an actor need to perform some malicious activity after obtaining access before the compromise is considered an attack?

In the context of attacking the electric power industry, is attacking the power grid and causing an outage, like what transpired in Ukraine in December 2015 and again in December 2016, the demarcation line between what is and is not a cyber attack? Is sending phishing emails with malicious attachments, ultimately leading to establishing a foothold in a network for potential use later, a cyber attack?

This is where the media, the security industry, governments, and certain professionals tend to disagree on terminology. I feel it is important to dissect the words to better understand the original question. Of the cases above, I would argue the latter, a phishing campaign resulting in mere command-and-control capability on a network, is not a cyber attack. It most definitely is a network breach. I would call it network exploitation or an offensive cyber operation, but not necessarily a cyber attack. Generally it is part of a much larger, potentially multi-faceted campaign, but just breaching a network is not a cyber attack.

Just as breaking into a vehicle does not by itself prove intent to steal the car, remotely accessing a network is closer to breaking and entering or trespassing. There may be intent to steal intellectual property, disrupt network operations, surveil, enlist hosts in a botnet, or a host of other activities potentially rising to the level of a cyber attack. But mere access to a network cannot establish the actor's intent.

Now back to the original question about the possibility of Russia increasing cyber attacks against the United States in retaliation for the airstrikes in Syria.

I do not believe Russian cyber attacks will increase as a direct result of the U.S. military actions in Syria. While Russia is likely not pleased with the airstrikes, there is no specific strategic reason for a cyber response from Russia. United States critical infrastructure has reportedly already been attacked on multiple recent occasions by Russia, most recently by leveraging a major Cisco router vulnerability.

Russia has already demonstrated sophisticated cyber operations capability, with the potential to compromise targets of its choosing in the United States. However, it has yet to demonstrate malicious intent. For the moment Russia has simply conducted a show of force, signifying its strength. This is the military equivalent of sending an aircraft carrier with an air wing aboard, accompanied by a battle group, off the coast of Russia. It suggests power and superiority.

It is unlikely Russia will currently attempt any cyber attack leading to major damage or disruption. In the short term they will continue to pursue network access, especially to strategic targets within critical infrastructure, but it is doubtful they will go beyond that.

On the one hand, Russia has a high degree of cyber sophistication. Hypothetically, the Putin regime may explore false flag operations against the United States, but if the attack were ever unequivocally attributed to Russia then it may not end well. Although in this era of crying fake news left and right, even indisputable evidence of a Russian plot may not be convincing.

On the other hand, Russia could directly attack the United States. The problem with this approach is the U.S. policy on response. A cyber attack does not necessitate an in-kind response. Just because an adversary uses the cyber domain to attack, the United States does not limit its response to the same domain.

Put another way, if the U.S. is the victim of a major nation state backed cyber attack, it will likely respond kinetically. The U.S. government has stated on multiple occasions it has the option to respond via military force if it determines a cyber attack exceeds a damage threshold that has yet to be publicly defined. Expect bombs to be dropped, missiles to be launched, or troops to be engaged if the U.S. feels its sovereignty has been attacked.

Putin is most certainly cognizant of this, and is leveraging the ambiguity cyberspace offers to continue conducting operations and demonstrating Russian nation state capability. These minor operations will continue in the short term, but I find it hard to believe an actual attack will occur in the near future. Russia most assuredly does not want a traditional conflict with the United States. Russia will continue to pick at the proverbial scab since there are no repercussions.

Expect to see Russian cyber exploitation remain in the news cycle for the foreseeable future. Awareness of this threat is an important factor in ensuring U.S. government agencies, critical infrastructure, and businesses are prepared for the possibility of an attack. Resilient, proactive defensive measures and situational awareness will go a long way in limiting risk and potential exposure for the inevitable attack that will unquestionably materialize at some strategic time in the future.

The New York Post reports on the Obama Administration using the cyber hotline to Russia to warn Putin against interfering in the 2016 US Presidential election:

Michael Daniel, Obama’s cyber czar, said administration officials used the channel — added to the nuclear hotline in 2013 so the countries could communicate about hacking and cyberattacks — to tell the Kremlin to “knock it off.”

“We know that you are carrying out these kinds of activities. And stop. Knock it off,” Daniel told CBS’ “60 Minutes” about the call on Oct. 7, 2016.

Asked if Russia got the message, Daniel said he thinks so.

“The fact that this was the first time we had ever exercised this channel, which was supposed to be, you know, for very serious cyber incidents and cyber issues — I think that, in and of itself — sent a message,” he said.

The Obama administration resorted to using the hotline after earlier the same day, it released its first public statement about how Russia was behind the hacking of the Democratic National Committee.

I do not get the impression the average US citizen truly comprehends the problems the country faced in 2016 with the Russian interference. Too many people see this as a US-only political issue, meaning US politicians are using the interference to discredit President Trump, discredit Hillary Clinton, and even discredit and blame former FBI Director James Comey.

That is far too short-sighted and completely misses the point. It is time to look at the Russian interference from a wide-ranging, multi-faceted strategic level. This is objectively an attack on US sovereignty and its democracy.

The country needs to put aside its like or dislike for a particular political candidate, and focus on how a foreign country, in this case the one that was the primary US adversary during the Cold War, interfered with a sovereign state's election process to sow doubt and discord, effectively using propaganda to keep citizens from understanding the true issues. Ostensibly the goal was to make sure Clinton was not elected given her relationship with Putin and position on Russia, not necessarily to get Trump elected.

It is time for the country to take a step back, take a deep breath, and take a look at this issue with renewed vigor, unshackled from the constraints of political affiliation and focus on it objectively. This attack unquestionably took place, unquestionably interfered with the election, and unequivocally played a pivotal role in the outcome of who was ultimately elected as the 45th President of the United States.

The time for playing partisan politics ended long ago. It is time to protect the future of the American democratic process. Enough with the games.

ZDNet discusses how Iranian hackers are breaching Singapore universities to access research data:

At least 52 accounts were affected across the Nanyang Technological University (NTU), National University of Singapore (NUS), Singapore Management University, and Singapore University of Technology and Design, according to a joint statement Tuesday by Cyber Security Agency of Singapore (CSA) and Ministry of Education (MOE).

Hackers had used phishing attacks to harvest credentials from affected staff members and used these to gain access to the institutes’ online libraries and research articles published by the academic staff.

Based on their investigations, CSA and MOE said no sensitive data had been stolen and the attacks did not appear to be linked to the APT attacks against NUS and NTU last year.

They were, however, believed to be part of last month’s attacks against education institutions worldwide including 144 universities in the US, after which the US Deputy Attorney General unveiled a series of indictments and financial sanctions against Iranians. The US government had identified nine Iranians thought to be part of the cyberattacks.

Iran is stepping up its cyber attack profile, hitting more locations outside its immediate vicinity. It is interesting to witness Iran maturing from a strong localized actor into a more global one. The success of Chinese, Russian, and North Korean nation state backed actors is likely motivation enough for Iran, which wants to be recognized as a world cyber power.

In addition, Iran is well behind the rest of the globe in research. Much like China, which primarily leverages cyber attacks for economic gain so it can forgo spending a lot of time and money on research and development, Iran possibly sees the benefit of such an approach. By stealing intellectual property from research institutions like major universities, Iran could potentially gain an economic advantage, or even a military one, depending on the application of the data it is focusing on collecting.

Bloomberg is reporting the United Kingdom publicly announced its first major government-backed cyber attack, conducted in 2017, targeted Islamic State:

Jeremy Fleming, the director of GCHQ, which is better known for its communications interception work, said his agency had worked with the Ministry of Defence to make “a significant contribution to coalition efforts” against the al-Qaeda splinter group. He said that as well as making it “almost impossible” for the group to spread its message, the attack had protected forces on the battlefield.

“This is the first time the U.K. has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign,” Fleming told a cybersecurity conference in Manchester, England, “Did it work? I think it did.”

He said other operations might “look to deny service, disrupt a specific online activity, deter an individual or a group, or perhaps destroy equipment and networks.”

Notice the qualifying “as part of a wider military campaign” added to the statement? What this likely means is this attack against Islamic State is not the first time the UK has conducted cyber attacks, but one in which a cyber attack was only one aspect of a multi-faceted, multi-domain operation.

There is no doubt the UK has conducted previous cyber attacks. Although the nation has never publicly proclaimed so, the country is one of the stronger purveyors of cyber capabilities, and absolutely leverages them when necessary. Since the inception of the UK NCSC, which is part of the GCHQ, this operation was likely the first time the organization worked in tandem with the Ministry of Defence for this strategic opportunity.

ZDNet explores how nation state actors are not just breaching critical network assets but attempting to undermine trust in the entire system:

“We’ve really got to think about the fact our adversaries are attacking more than just our technology. Our adversaries are now starting to critically undermine the trust that our stakeholders have,” said Cooper.

There are many in the cybersecurity industry who would argue that technology alone can solve this problem — protect systems with the relevant tools to keep them safe from attacks. But this is perhaps ignoring the wider issue: there isn’t an antivirus product to protect against declining faith in big institutions, or to defend against fake news.

“The bigger system, that’s the thing we have to defend, not just the technology. While we’re focusing on protecting the technology, our adversaries are focused on attacking the system. And by attacking the system, they’re critically undermining the trust in that system,” said Cooper.

In order to achieve that, it can’t just be about “looking for our technology comfort blanket,” he said, adding: “we’re going to find it lacking”.

The idea nation state actors are eroding trust in the entire system is an insightful distinction many people overlook. It is the difference between viewing an attack through a tactical lens versus a strategic one.

All too often nation state backed breaches are part of a much larger, multi-faceted operation rather than a singular goal. We need to always consider attacks from this perspective so we can better understand a potential end state. Merely focusing on the obvious goal will not allow us this insight and will ultimately cement failure to adequately defend the crown jewels.

This is where solely employing technological cyber defense is inadequate. Leveraging threat intelligence will be far better at allowing an organization to craft the right strategy to defend against a variety of attacks, actors, and vectors. There is no one-size-fits-all solution to cyber defense. There are some basic tactics, but using a combination of technology and strategy will almost always be the correct mix.

Dark Reading enumerates the escalating potential for destructive cyber attacks and false flag operations to take place as tensions rise on the global geopolitical stage:

Geopolitical tensions typically map with an uptick in nation-state cyberattacks, and security experts are gearing up for more aggressive and damaging attacks to ensue against the US and its allies in the near-term, including crafted false flag operations that follow the strategy of the recent Olympic Destroyer attack on the 2018 Winter Olympics network.

As US political discord escalates with Russia, Iran, North Korea, and even China, there will be expected cyberattack responses, but those attacks may not all entail the traditional, stealthy cyber espionage. Experts say the Trump administration’s recent sanctions and deportation of Russian diplomats residing in the US will likely precipitate more aggressive responses in the form of Russian hacking operations. And some of those could be crafted to appear as the handiwork of other nation-state actors.

False flag operations are rather easy to pull off in cyberspace compared to traditional kinetic attacks. They still take a great deal of sophistication to execute properly and ensure the fingers are pointed at the framed nation state. But it can be done, and there are strong players with this capability.

Consider how well Russia, China, North Korea, and Iran approach cyber. Western countries like the US, UK, Australia, the Netherlands, and other allies are extremely capable. Even a smaller yet highly advanced country like Israel could pull off a false flag operation. It is well within all these nations' capacities to successfully misdirect cyber attack attribution.

As a quick aside, I suspect Russia was behind WannaCry even though the US, UK, and other governments have unequivocally attributed it to North Korea. This specific attack does not pass the smell test, and was just far too sloppy for a country like North Korea to execute so poorly, especially when ransomware is their prime expertise. There was motivation for Russia to false flag WannaCry, and I discussed this with Japanese media at length early last year after the outbreak occurred.

There are many political reasons both to publicly shame Russia and to hide it as the culprit. The former would fit in with exposing Russia for all its malicious global cyber activity, while the latter is exactly the modus operandi for the Trump Administration. Furthermore, if Russia did false flag WannaCry, there is also a strong possibility the US intelligence community and its partners would rather keep their knowledge of it hidden from the public. This would allow Russia to conduct further similar operations, with the various intelligence agencies collecting additional data on its tactics and strategy.

While I obviously could be wrong, I still feel as if something does not sit right.

Security experts worry that Russia will continue to ratchet up more aggressive cyberattacks against the US – likely posing as other nations and attack groups for plausible deniability – especially given the success of recent destructive attack campaigns like NotPetya. Not to mention the successful chaos caused by Russia’s election-meddling operation during the 2016 US presidential election.

That doesn’t mean Russia or any other nation-state could or would cause a massive power grid outage in the US, however. Instead, US financial services and transportation networks could be next in line for disruption via nation-state actors, experts say.

Russia has definitely demonstrated sophistication far beyond what the US had expected. Their ability to have penetrated so far and wide is a testament to their strong focus on leveraging cyber for geopolitical activity. It is a fundamental shift in their national intelligence and military strategy, but one that is generally in line with what they have done throughout history.

The likelihood Russia actually attacks US critical infrastructure is extremely low, with the exception of potential isolated incidents against smaller players in the industry. As the above quote rightly states, Russia will likely focus on financial services (and possibly transportation) more than any other area. The US needs to be prepared, and I am concerned the security maturity of operators in those sectors is not at the level it needs to be to properly withstand a sophisticated nation state attack.

The Daily Beast dissects a recent leak of a classified National Security Agency document outlining how Russian intelligence interfered with the 2016 Presidential election through its highly comprehensive information warfare campaign:

The dumped intelligence report offered some of the best confirmation of Russian meddling in the U.S. election, providing more evidence to tamp down the claims of President Trump and his legions that it was China or a guy in a basement that hacked the Democratic National Committee and many other current and former American officials.

The techniques targeting election officials—spam that redirects recipients to false email login pages yielding passwords to Russian hackers—appear eerily familiar to those used by the GRU against many other U.S. targets in 2015 and 2016.

To the disappointment of Trump’s biggest haters, the NSA leak provides no evidence that Russia changed any votes. And that makes sense, as Russian altering of the tally in favor of their preferred candidate Donald Trump would be sufficient justification for war—one Russia would lose against the U.S.

The Kremlin sought instead to create the perception among Americans that the election may not be authentic in order to push their secondary election effort: Undermine the mandate of Hillary Clinton to govern, should she win.

The idea that Russia hacked actual electronic voting machines is a non-story. That is not how Russian intelligence interfered with the election. Russia did not use the traditional concept of computer hacking to effectively undermine the Clinton campaign. Instead, their comprehensive strategy was old fashioned information warfare, something Russia is extremely capable at executing.

Through the skilled use of video manipulation, meme creation, small cells targeting specific conversations on various social networks, and a wide array of automated bots, Russia effectively mounted one of the most dynamic and well executed information warfare campaigns in history. The only outstanding question at this juncture is whether or not there was any collusion, quid pro quo or otherwise, between the Trump campaign and Moscow. This remains to be seen based on whatever Special Counsel Mueller and his team are capable of finding.

In America, it sought not to alter the tally, but to create the perception that it’s possible—and instill doubt among Americans in the process. Hacking of voter rolls rather than machines creates an impression in the voters’ psyches without provoking the U.S. into open conflict.

This is likely going to be one of the longest lasting effects of Russian interference in the US election: sowing doubt and discord among the American populace, so much so that it begins to break down trust in governmental institutions, potentially leading toward a collapse of the Republic itself.

That may sound over the top, but it is exactly the outcome Putin desires. He would like America and Russia on a level playing field once again. Since the decline of the Soviet Union, America has constantly been atop Russia, overshadowing it in every aspect of political and military capability. That is, until Putin came into power and changed the game once again.

At this point one has to wonder exactly how capable the United States is with offensive cyber operations. Is the US capable of pulling off a similar campaign in a major country like what Russia did in 2016?

TechCrunch reports the Cambridge Analytica story may have just taken a turn for the worse with Chris Wylie, the whistle-blower responsible for these powerful allegations, stating the 50M number was merely a safe number to share with the media:

Giving evidence today, to a UK parliamentary select committee that’s investigating the use of disinformation in political campaigning, Wylie said: “The 50 million number is what the media has felt safest to report — because of the documentation that they can rely on — but my recollection is that it was substantially higher than that. So my own view is it was much more than 50M.

Somehow I am unsurprised the number will ultimately turn out to be much larger than Facebook is willing to admit. The company is in damage control, especially after having lost $60B in value since the shocking revelations were unveiled almost ten days ago.

Facebook has previously confirmed 270,000 people downloaded Kogan’s app — a data harvesting route which, thanks to the lax structure of Facebook’s APIs at the time, enabled the foreign political consultancy firm to acquire information on more than 50 million Facebook users, according to the Observer, the vast majority of whom would have had no idea their data had been passed to CA because they were never personally asked to consent to it.

Instead, their friends were ‘consenting’ on their behalf — likely also without realizing.

In my own anecdotal testing, I have found that while most people are conscious that Facebook is not necessarily to be trusted, they never thought these applications operated the way they do. That is to say, nobody I have spoken with understood that their friends', or their friends-of-friends', data would be shared with third-party applications they interacted with on Facebook. That these applications were knowingly surveilling Facebook accounts is complete news to most of the people I talked to.

This whole story keeps getting worse as the days pass. I wonder how long it will take, and what else will be revealed, before it hits rock bottom.

ZDNet reports the Internet Engineering Task Force (IETF) has finally approved version 1.3 of Transport Layer Security (TLS), the key protocol that enables HTTPS on the web:

TLS is the successor to SSL and version 1.3 was designed to prevent attacks that undermined client and server communications secured with TLS 1.2 and earlier versions.

The main benefit of TLS 1.3 is that it supports stronger encryption and drops a host of legacy encryption algorithms.

It also introduces 0-RTT or zero round trip time resumption, which is designed to speed up connections on sites that users frequently visit and is expected to deliver lower latency on mobile networks.

Major internet players have been gradually upgrading to TLS 1.3 over the past few years, though there have been hiccups and obstacles to its deployment.

While Chrome, Firefox, Opera and Edge already support TLS 1.3, they don’t by default. A study by Cloudflare, which enabled TLS 1.3 by default on the server side last year, found that in December just 0.6 percent of traffic was secured with TLS 1.3. The cause was in part due to how network appliance vendors had implemented TLS 1.2.

Best I can tell, TLS 1.3 does not change SSL decryption when security devices sit inline and essentially act as a man-in-the-middle. If your employer is, say, using an intrusion prevention system or web gateway to inspect traffic on the network, and is performing SSL decryption on HTTPS connections, TLS 1.3 offers no privacy gain: the proxy terminates the TLS session with a certificate issued by a CA the managed endpoints already trust, then opens its own session to the real server, and that works for 1.3 exactly as it did for 1.2. What TLS 1.3 does take away is passive decryption. Every 1.3 handshake uses an ephemeral, forward-secret key exchange (static RSA key exchange is gone), so a device that merely held a copy of the server's private key and decrypted captured traffic out of band no longer works; the appliance has to be an active participant in the connection.
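The middlebox problem ZDNet alludes to comes from where TLS 1.3 puts its version number. On the wire a 1.3 ClientHello still carries legacy_version = 0x0303 (TLS 1.2); the real offer lives in the supported_versions extension, so an inspector written for 1.2 that only reads the fixed version field misjudges the connection. The following Python is an added example, not code from the ZDNet article or from this site, that builds a constructed ClientHello (fixed random bytes, no packet capture) and parses it back, reporting both what a naive inspector sees and what the client actually offers. Field layout and extension numbers follow RFC 8446 and RFC 6066; the function names are my own.

```python
import struct

# Extension type numbers from the IANA TLS registry (RFC 6066, RFC 8446).
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(versions=None, sni=b"example.com",
                       cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Build a minimal ClientHello record. Constructed sample input, not a capture.
    If `versions` is given, a supported_versions extension (RFC 8446 4.2.1) is
    added; the legacy_version field stays 0x0303 (TLS 1.2) either way, exactly
    as real TLS 1.3 clients send it."""
    random = bytes(range(32))      # fixed for determinism; real clients use 32 random bytes
    session_id = b""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    compression = b"\x00"          # null compression only

    exts = b""
    # server_name (RFC 6066): list length, name_type=0 (host_name), name length, name
    name_entry = b"\x00" + struct.pack("!H", len(sni)) + sni
    sni_body = struct.pack("!H", len(name_entry)) + name_entry
    exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    if versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in versions)
        sv_body = bytes([len(vers)]) + vers   # one-byte length prefix in the ClientHello form
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body

    body = (b"\x03\x03"                                   # legacy_version: always TLS 1.2 on the wire
            + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record and report the version fields an inspector
    might look at: `legacy_version` is what a TLS 1.2 era middlebox reads,
    `supported_versions` is what actually gets negotiated."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = struct.unpack("!H", record[1:3])[0]
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                        # client random
    pos += 1 + body[pos]             # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]             # legacy_compression_methods

    supported_versions = None
    sni = None
    if pos < len(body):              # extensions block is optional before 1.3
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                supported_versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
            elif etype == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")

    # Ignore GREASE values (0x0A0A, 0x1A1A, ...) that real clients sprinkle in.
    known = [v for v in (supported_versions or []) if v in VERSION_NAMES]
    highest = max(known) if known else legacy_version
    return {
        "record_version": record_version,
        "legacy_version": legacy_version,
        "cipher_suites": cipher_suites,
        "sni": sni,
        "supported_versions": supported_versions,
        "highest_offered": highest,
        "naive_middlebox_sees": VERSION_NAMES.get(legacy_version, hex(legacy_version)),
        "client_actually_offers": VERSION_NAMES.get(highest, hex(highest)),
    }


if __name__ == "__main__":
    for label, versions in (("TLS 1.3 client", [0x0304, 0x0303]), ("TLS 1.2 client", None)):
        info = parse_client_hello(build_client_hello(versions))
        print(f"{label}: middlebox sees {info['naive_middlebox_sees']}, "
              f"client actually offers {info['client_actually_offers']}")
```

Run as a script it prints that both hellos look like TLS 1.2 to a naive inspector, while only the first really offers 1.3. An inline proxy that terminates the connection never hits this problem, since it speaks 1.3 itself; the breakage was in appliances that parsed the handshake without participating in it, which is the same class of device that loses passive decryption under 1.3.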

The Hill has a report stating General James “Mad Dog” Mattis, the Secretary of Defense, has told colleagues he is unsure if he can work with John Bolton, the most recent selection for US national security adviser:

Defense Secretary Jim Mattis, the retired general who has argued for keeping the Iran deal intact and warned that military confrontation with North Korea would result in “the worst kind of fighting in most people’s lifetimes,” told colleagues on Friday that he did not know if he could work with Mr. Bolton. The White House chief of staff, John F. Kelly, another retired four-star general, was also unenthusiastic about Mr. Bolton’s hiring.

Mr. Bolton’s harshest critics — mostly Democrats, but their ranks include some members of the Bush administration — argue that the odds of taking military action will rise dramatically when he becomes the last person a volatile American president consults.

“John Bolton is not some gray bureaucrat whose views are unknown to us,” said Michael McFaul, the American ambassador to Moscow under President Barack Obama, and now a Stanford professor and the director of the Freeman Spogli Institute for International Studies.

What a horrible selection for arguably one of the most important positions within an administration.

CNET reports on the CLOUD Act being signed into law by President Trump, and how this legislation increases the US government's access to online data stored by US companies regardless of where the servers are located:

Lawmakers added the CLOUD Act (PDF), which stands for Clarifying Lawful Overseas Use of Data Act, to the spending bill before the final House and Senate votes Thursday. It updates the rules for criminal investigators who want to see emails, documents and other communications stored on the internet. Now law enforcement won’t be blocked from accessing someone’s Outlook account, for example, just because Microsoft happens to store the user’s email on servers in Ireland.

The law also lets the US enter into agreements to send information from US servers to criminal investigators in other countries with limited case-by-case review of requests.

The CLOUD Act offers an alternative to the current process for sharing internet user information between countries, called MLAT, or a mutual legal assistance treaty. Both law enforcement agencies and tech companies say using such a treaty to request data is cumbersome and slow. The fix has the technology sector divided though. Tech companies, such as Microsoft, favor the change. But privacy advocates say it could help foreign governments that abuse human rights by aiding their access to online data about their citizens.

This sounds all fine and dandy, but how effective will it really be? How will this law not be abused to collect data on individuals not necessarily accused of a crime?

Sen. Ron Wyden, a privacy-oriented Democrat from Oregon, said in a letter last week (PDF) that while the MLAT process needs to be updated, the CLOUD Act has a big problem in the way it lets the executive branch hash out individual agreements with foreign companies on data sharing. That “places far too much power in the President’s hands and denies Congress its critical oversight role,” Wyden wrote.

Neema Singh Guliani, legislative counsel at the ACLU, said the bill doesn’t account for the fact that a foreign country’s government might have a good human rights record one day, but start eroding those rights after coming to a data sharing agreement with the US. “Human rights are not static,” she said.

These are valid concerns that are more worrisome than not. How, and by whom, will governments around the world be prevented from abusing this capability?

Foreign Policy has an opinion piece about John Bolton being a US national security threat I am finding hard to disagree with:

Fifteen years ago, Bolton championed the Iraq War, and, to this day, he continues to believe the most disastrous foreign-policy decision in a generation was a good idea. Bolton’s position on Iraq was no anomaly. Shortly before the 2003 invasion, he reportedly told Israeli officials that once Saddam Hussein was deposed, it would be necessary to deal with Syria, Iran, and North Korea. He has essentially maintained this position ever since. Put plainly: For Bolton, there are few international problems where war is not the answer.

As the nuclear crisis with North Korea enters a critical period, Trump’s choice of Bolton as national security advisor dims the prospect of reaching a peaceful solution. Bolton, like McMaster, sees Kim Jong Un as fundamentally irrational and undeterrable — a view that seems to justify launching a preventive war if North Korea refuses to denuclearize. But McMaster supported diplomacy and, as a military man with extensive combat experience, understood the costs of war. Bolton, on the other hand, has spent his entire career sabotaging diplomacy with Pyongyang and seems downright giddy about a possible military confrontation.

Basically, for John Bolton, there is no answer other than some form of military action. Diplomacy may not even be a word he is capable of uttering, much less actively pursuing with American interests at heart.

A little history is helpful here. Bolton was undersecretary of state for arms control and international security when President George W. Bush’s administration made the fateful decision in 2002 to kill the 1994 Agreed Framework with North Korea. The Bill Clinton-era accord froze North Korea’s plutonium program under effective verification. But when it was discovered that Pyongyang was pursuing a separate uranium enrichment program with the help of Pakistan, a key decision had to be made: re-engage in diplomacy to expand the agreement to prohibit uranium enrichment or tear it up, isolate a member of the “Axis of Evil,” and push for regime change. Bush, guided in part by Bolton, chose the latter approach. And once the Agreed Framework collapsed, North Korea took the secured plutonium under its control and built about half a dozen additional nuclear weapons, testing its first in 2006. For many arms control and nonproliferation experts, this case represents a cautionary tale about the risks of foreclosing diplomatic engagement. In Bolton’s mind, however, North Korea’s actions simply prove that diplomacy doesn’t work with rogue states and that the only solution is to end these regimes all together, through U.S. military might if necessary.

Is this really the guy America needs as its National Security Advisor?

I cannot help but suspect there is going to be an attempt to misdirect Americans from the scandal-plagued Trump administration. The Special Counsel probe into potential Russian activity in the 2016 US presidential election appears not to be heading in the direction Trump desires. He is running out of options, and since he is a reality TV star and showman more than a businessman, it just feels as if the Bolton hire has everything to do with Mueller and nothing to do with actual national security.

The next week or two are going to set the tone in America for the foreseeable future. Something unprecedented and huge is about to drop.

The Washington Post reports the Trump administration announced sanctions and criminal indictments against an Iranian hacker network allegedly involved in “one of the largest state-sponsored hacking campaigns”:

Nine of 10 named individuals were connected to the Mabna Institute, a Shiraz-based tech firm that the Justice Department alleged hacks on behalf of Iranian universities and the IRGC. The institute conducted “massive, coordinated intrusions” into the computer systems of at least 144 U.S. universities and 176 foreign universities in 21 countries, including Britain and Canada, officials said.

The hackers stole more than 31 terabytes of data and intellectual property — the rough equivalent of three Libraries of Congress — from their victims, prosecutors alleged. Much of it ended up in the hands of the IRGC, which has frequently been accused of stealing information to further its own research and development of weaponry. The Guard Corps is the division of Iran’s security forces charged with overseeing Iranian proxy forces abroad and is under the direct control of the country’s religious leaders.

“Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code,” said Geoffrey S. Berman, U.S. attorney for the Southern District of New York.

“Iran is engaged in an ongoing campaign of malicious cyberactivity against the United States and our allies,” said Sigal Mandelker, the Treasury Department’s undersecretary for terrorism and financial intelligence. “We will not tolerate the theft of U.S. intellectual property or intrusion into our research institutions and universities.”

Although lately there is a lot of news about Russian state-sponsored cyber attacks, make no mistake, Russia is not the only country engaged in malicious cyberspace activity. Alongside Russia are China, North Korea, and Iran. These countries are responsible for the majority of the hacking activity around the globe. There are various reasons why these nations engage in cyber-based operations, not the least of which is surveillance against their enemies.

Here is an extremely simplified view of the landscape as it stands today.

China is primarily interested in stealing intellectual property. The Chinese would prefer to forego research and development costs, and would rather take the hard work already completed by others to use as the basis for their own technologies. China is mostly looking to increase their economic and military capabilities through these operations, with a strong emphasis on the former more than anything.

North Korea is completely cut off from the world banking system, so it has had to look to creative means of getting finances into the country. What North Korea has opted to do is conduct financially motivated cyber attacks. It leverages ransomware to be paid in bitcoin by the victims, thus allowing the country to bypass global banking and siphon money back into Pyongyang.

Finally, Iran ultimately wants to protect itself from neighboring countries but would like to demonstrate its cyber-might. Consider it a mock revenge scenario. Stuxnet caused a lot of harm to the country and set back its nuclear program by decades. Iran not only acquired firsthand knowledge of the destructive capabilities cyber weapons may have, but also learned how easy it is to leverage cyber operations compared to traditional kinetic weaponry.

So again, although Russia has been the primary culprit in the news these days, there are other sophisticated nation state actors engaging in cyber operations for various reasons. It should come as no surprise to see Iran accused of a vast global cyber conspiracy.

One thing to consider, especially in light of Bolton being named Trump’s new National Security Advisor, is the administration’s desire for war. This announcement may very well be a precursor to additional comments about Iran from the Trump administration. While I do not claim to have any specific knowledge of what is to come, the timing seems all too convenient.

POLITICO discusses the diametric views the soon-to-be former and incoming National Security Advisors have on Russian hacking, propaganda, and influence on the 2016 presidential election:

In their public comments, McMaster and Bolton have presented a stark contrast in their views on Moscow’s involvement in the hacks and online trolling that roiled the 2016 presidential election. While McMaster has taken a hard-line stance in blaming Moscow for orchestrating the digital disruption campaign, Bolton has made headlines by casting doubt on Russia’s role.

In fact, it was McMaster’s remarks on the subject that caused his strained relationship with the president to spill into public view.

Speaking at a February conference in Munich, McMaster proclaimed that evidence of Russian meddling in the 2016 elections was “incontrovertible.”

Trump lashed out on Twitter in response: “General McMaster forgot to say that the results of the 2016 election were not impacted or changed by the Russians and that the only Collusion was between Russia and Crooked H, the DNC and the Dems. Remember the Dirty Dossier, Uranium, Speeches, Emails and the Podesta Company!”

Conversely, Bolton — a former U.S. ambassador to the United Nations during the George W. Bush administration — has cast doubt on the evidence linking Russia to the Democratic National Committee hack, suggesting that the Obama administration was blaming the Kremlin for political purposes.

In December 2016, when Bolton was being floated as the possible deputy secretary of state, the former diplomat suggested that the digital footprints left behind at the DNC may have been a “false flag.”

“If you think the Russians did this, why did they leave fingerprints?” he asked during a Fox News interview.

Bolton is either being completely intellectually dishonest or he is obtuse and incapable of understanding how cyber attacks are executed. Seeing as he will be the next National Security Advisor, this should be a warning about the type of illogical thought processes that will go into future US national security decisions.

Every cyber attack leaves some form of a so-called fingerprint. Whether it is an IP address accidentally exposed and attributed to a specific organization, a set of attack tools used and left behind in haste because the actors had to get out before being caught, or a complete series of tactics, techniques, and procedures that specific actors use on a recurring basis – there is always going to be some form of a fingerprint. These are just some of the many data points used when attributing attacks to specific groups performing operations across the globe.

What Bolton should already know, seeing as he is a former US Ambassador, but is so obviously playing politics with, is that the US intelligence community is embedded in networks all over the globe. The National Security Agency regularly watches Russian, North Korean, Chinese, and Iranian actors while they are in the act of breaching networks. This has allowed the NSA to fingerprint the techniques the different actors leverage, which is often how attacks are attributed to groups like Fancy Bear, Lazarus, and countless others.

If the NSA is not watching an attack, it is likely that one of the various US allies is collecting data. Take, for example, the case of the Netherlands intelligence agency witnessing in real time as Russia’s Cozy Bear conducted cyber attacks. So even if the US IC is not collecting data and learning how actors perform operations, its allies are, and they will share both the raw intelligence and the analysis conducted. This is what allows the US IC to be so successful.

The US is on a dangerous path. If Bolton opts to ignore strong evidence of Russian meddling in the US election and sovereign affairs, the US should be prepared for what is likely the outcome or goal of his being hired as the National Security Advisor: to legitimize and sell a war against either North Korea or Iran to the American people.

Time has an in-depth article discussing how a Russian KGB Chief once asked the US for peace in cyberspace:

“From the very beginning it was clear,” he tells TIME by phone from Moscow, where he now works mostly in the private sector. “We told our people, ‘Look, the public may not realize yet what’s going on. But we need to raise the alarm on a political level, because this stuff is a danger to our vital infrastructure.’”

The tables appear to have turned since then. The vital infrastructure now at risk is in the U.S., according to a March 15 report from the FBI and the Department of Homeland Security, which found that Russian hackers had penetrated deep into the control rooms of U.S. power stations, putting a finger on the light switch of American homes. “Since at least March 2016,” the report states, “Russian government cyber actors…targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

These were precisely the sorts of attacks that Rubanov had feared from the Americans. He wouldn’t comment on whether Russia was in fact responsible this time; his old habits of discretion die hard, and he still serves as an occasional adviser to the Russian government. But he did note, with a tone of regret rather than self-satisfaction, that the Americans should have listened to his warnings two decades ago.

After the KGB was dissolved in 1991 along with the rest of the Soviet Union, Rubanov went to serve on the Kremlin’s Security Council, where he was also in charge of information security. He soon got to work, along with some colleagues at the Foreign Ministry and other agencies, on drafting rules of engagement for cyber space—a “code of conduct” of the type that governs the use of nuclear and chemical weapons.

“The point was to have a kind of non-aggression pact in the cyber sphere, one that would prohibit such attacks against sovereign nations,” he says. Their hope was that these rules would eventually be adopted by the United Nations and become international law. But the effort stalled, says Rubanov, in large part because the world’s last remaining superpower wasn’t interested. “Each country wants to have guarantees of security, but it does not want to extend those guarantees to others. So this is where we ended up. In a place where no one is safe.”

Global governments still continue to disagree on cyber norms. Until there are firm agreements in place, governments like Russia’s will continue to exploit the legal vulnerabilities and engage in malicious activities across the planet.

You do have to give Rubanov credit for his poignant observation about the importance of some type of cyber-based non-aggression pact. Imagine where the world would be today had something been agreed upon when Rubanov first brought it up.

A reputed technophobe, Putin had always been mistrustful of the Internet, which he has called a “CIA project.” And like many of Russia’s spy chiefs, he feared that microchips and operating systems imported from the U.S. were designed to function as secret tools of American sabotage, surveillance or both. But there was little he could do about it. In the field of cyber weaponry, “Russian generals felt they were losing the global arms race,” Andrei Soldatov and Irina Borogan wrote in their recent book, The Red Web, a history of Russian cyber policy. So instead of trying to match American technology, Russia tried using diplomacy “to put some limits on the United States’ offensive capabilities.”

These limits would have amounted to cyber disarmament. As outlined in 2009 by one of Rubanov’s successors at the Security Council, Vladislav Sherstyuk, Russia wanted a ban on cyber implants, which can act as remote-controlled bombs inside an enemy’s computer networks; a ban on the use of deception to hide the source of an attack; and a rule that would extend humanitarian law into cyber space, effectively banning attacks on civilian targets like banks, hospitals or power stations.

One has to wonder just how genuine Putin was being when he and Sherstyuk discussed a form of cyber disarmament. It sounds more like a ploy to try and outmaneuver the United States rather than an actual desire to disarm cyberspace.

The entire article is well worth reading. It paints a very interesting picture of where the US-Russia relationship was, and where it has come since that time.