US Department of Justice press conference yesterday announcing charges against four Russians, including two government officials, for the 2014 Yahoo breach. (BRENDAN SMIALOWSKI/AFP/Getty Images)
The US Justice Department yesterday unveiled blockbuster charges accusing Russian government officials of collaborating with Russian criminal hackers in the 2014 Yahoo breach. To hear the Justice Department tell the story, this was a terrible breach of trust for a foreign government to hack into a US company to conduct espionage. Yet, in an era in which the shadowy world of spying has been illuminated by the harsh spotlight of WikiLeaks, the Snowden disclosures and the more recent CIA hacking documents, is it hypocritical to charge the Russians with such activity?
Prior to 2013, most people in the technology sector understood that the US and other major governments conducted cyber espionage of some form. The release of the Snowden documents that year crystallized just how extensive these activities were, and that many of these espionage efforts involved the direct targeting and weakening of the cyber defenses of American companies and the products they sell. That American tax dollars, including the taxes paid by the companies themselves and their employees, would be turned against them to pay domestic and foreign companies and hackers to undermine American corporate security, going as far as allegedly tapping the fiber cables connecting their data centers and paying foreign hacking organizations to develop exploits for their products, was a wake-up call to the technology industry about the lengths to which their own government would go to harm American companies.
Of course, this does not even count the use of National Security Letters and the United States Foreign Intelligence Surveillance Court (FISA Court) to compel American companies to hand over user data or unwillingly provide wiretaps and other services to the intelligence community – legal tools unavailable to the Russians or most other countries against US companies. Given that many of the largest Internet companies, including the major social media platforms, are physically based in the United States and therefore subject to US laws, the US Government occupies a unique position in the global surveillance state in its ability to subject those companies to a variety of legal processes or physical compromises.
The most recent WikiLeaks release of “Vault 7” adds even more detail about the extent to which the US Government has stockpiled zero-day and other exploits (in some cases potentially incentivizing the creation of such exploits) and the investment it has made in targeting the products and services of American companies to circumvent their security efforts.
Combined with the Snowden disclosures, they also offer a vivid portrait of America’s own foreign hacking operations, allegedly penetrating countless foreign companies for its own espionage needs, either monitoring their networks, or using its access to insert malicious code into their products.
Thus, on the one hand it is somewhat hypocritical for the US Government to criminally charge a set of Russian hackers with penetrating Yahoo’s account and email services when the activities they stand accused of are precisely the same activities the US Government itself engages in every day.
As I wrote last month, the latest release of the iconic Tallinn Manual on the legal landscape of cyber action reflects precisely this shift from state-on-state cyberwarfare to state-on-private-industry attacks, in which the resources of entire nation states are leveraged against private corporations that must expend immense resources on personnel, equipment and bandwidth to secure their systems and endure DDoS and other attacks.
Yet, perhaps most importantly, the Justice Department’s allegations underscore just how much private companies now hold of the lifeblood of our digital lives. Russia didn’t allegedly target Yahoo because it wanted to wreak economic damage against an American company – it targeted it because the company held a wealth of information on persons and organizations of interest to the Russian intelligence services via their private Yahoo mail accounts.
Whether we post to social media, check our personal email, search or browse the web, make a phone call or even hail a ride share, increasingly everything we do transits the networks and products of private companies. This makes those companies attractive targets to both cyber criminals and foreign and domestic intelligence services, shifting the digital battleground from government networks to the networks of private companies that must bear the economic burden of securing their systems even against their own governments.
Indeed, in an acknowledgement of just how much the evolving cyber landscape has placed private companies in the crosshairs, Microsoft last month proposed a Digital Geneva Convention that, much like its conventional military counterpart, would offer protections to non-state actors caught up in cyber action. However, given that cyber activities are increasingly a mix of state and private actors (as the Russian allegations demonstrate), it is unclear what impact such a law would have, and given the US’s reliance on cyber operations it is highly unlikely it would ever sign such a document.
Does this mean the Russian government should not be held accountable for hacking an American company? Absolutely not. Does this mean it is hypocritical of the US Government to charge the Russians for the same kind of hacking it itself engages in? That’s the question that isn’t being talked about. In the end, it is internet companies that are losing and bearing the brunt of today’s new digital battlegrounds.