The Doorstep: Hacktivismo 2.0, con Joseph Marks

TATIANA SERAFIN: Welcome to this edition of The Doorstep podcast. I am your cohost Tatiana Serafin. Nikolas Gvosdev will join us next time.

Today we are speaking with Joseph Marks, cybersecurity expert from The Washington Post, who will be talking with us about cybersecurity, hacktivism, the Russia-Ukraine conflict, and the Olympics.

Before we start, though, I wanted to mention that next week, February 8, at 6:00pm is our next book talk with Peter S. Goodman, author of Davos Man: How the Billionaires Devoured the World. It is an excellent read. Join us. You can go to the Carnegie Council website for more information on how to register and also follow us on Twitter to join the conversation.

Thank you so much, Joe, for coming on to The Doorstep podcast. I have heard so much about what is hacktivism these days, and we are going to get into that, but before we do I want to start out with, because all around the Internet, all around being reported is the issue of cybersecurity. When we hear of a cybersecurity attack, we normally associate the perpetrator to be some sort of a bad actor who is trying to get money or who is trying to disrupt the system for personal gain. In a personal anecdote, my college was hacked in the fall with ransomware.

It's real. It's with us. The more I tell my story, the more I hear of an elementary school being hacked or a not-for-profit being hacked. There is this whole big topic of cybersecurity and hacking that is out there, and CEOs have mentioned it as the primary concern. The World Economic Forum said it is all about cybersecurity.

I know you have covered it for many, many years. Where are we today with the idea of it? Why has it become so big as a concept? Then I will take it to hacktivism, but I think we need to start with cybersecurity is having a moment. It is the number-one threat both by politicians and CEOs, and certainly by personal experience. What is going on? Why now? What is the moment right now? Can you give us the context?

JOSEPH MARKS: Cybersecurity and hacking is essentially having such a big moment right now because the Internet is having a huge moment right now. The Internet 20, 30, or 40 years ago wasn't designed with the idea of hacking in mind. It wasn't designed to be the World Wide Web that all of us basically live on for most of each day. Security wasn't built into it to begin with.

It's all sort of put together with sticky tape and string, and now we have reached a point where not only our daily lives, our work, our relationships, and the way we talk to our mothers, spouses, and everyone else is mediated through the Internet, but government and a lot of critical infrastructures in the world run through some kind of network system, and the security of those things has never really caught up with the networking of those things. When that happens you are going to find people who, either because it's a government that sees a national interest in disrupting these connections or because they are criminals who see a profit motive in disrupting these connections or—because as we are going to get to—hacktivists see a political reason to disrupt these connections, they are going to do it.

TATIANA SERAFIN: It's so interesting that you bring up this idea of governments looking at it to be disruptive. We have the Beijing Olympics coming up. The opening ceremonies are Friday. I have been reading that athletes might be protesting, but that is a physical kind of protest. But when we are talking about cyber, that is not really seen, and yet it touches so many people.

People are saying that there is this idea that China or perhaps Russia is really interested in having cyberattacks against the West, the United States in particular. At The Doorstep we talk about how it's going to impact our day-to-day lives because they don't like the fact that we are standing up in protest. Do you see that creating more awareness at my doorstep, and how can we at the doorstep, or day-to-day-Americans, protect ourselves?

JOSEPH MARKS: When you look at the Olympics, there are a couple of different things going on there. One is the question of big nation-state-backed attacks that are trying to disrupt it in some way. That happened in 2018, very nearly disrupting the opening Games. The United States indicted several Russian government-backed hackers for big hacks that disrupted the entry system, almost took down a whole bunch of computers, and almost disrupted the Games. It could have been a big, big media moment on the world stage if it hadn't been responded to very quickly.

The chances of that are somewhat less this year basically just because of geopolitics. It is taking place in Beijing. The worst offenders are Russia, which doesn't really want to offend China right now, China, which isn't going to disrupt its own Olympics, and Iran and North Korea, both of which don't really want to embarrass China on the world stage.

Is there going to be some kind of hacktivist activity? For example, you mentioned a lot of protests happening in China right now. You can certainly see hacktivists trying to embarrass companies that are sponsoring the Olympics—we have seen things like that in the past—and you will almost certainly see espionage-backed hacking by Beijing of pretty much anyone who shows up there—athletes, journalists, dignitaries. Anytime you have a big event like the Olympics, like the UN General Assembly, like Davos, a whole bunch of really important people getting together in one place, you can almost guarantee that someone is going to be listening in from someone's government.

TATIANA SERAFIN: That's two sides and different goals. The goal of a Russia or an Iran, which, as you mentioned, don't want to irritate China, but say they were going to get in, is their state interest, is a national interest versus hacktivists and their goals.

I am really curious. It's a term that has been around for a long time. The Washington Post last year called 2021 the "year of the hacktivist." In the United States especially there was a lot of activity around outing January 6 perpetrators and exposing some of the conservative platforms, and yet it seems to me that hacktivism in particular has been under the radar, even though it has been around for decades. Can you take us back to what is hacktivism, a simple definition, how it's done, and who is doing it?

JOSEPH MARKS: Hacktivism is essentially activism online. It is a way of protesting through the Internet. There was a real kind of 1.0 moment for hacktivism in the early 2010s. You had groups like Anonymous and LulzSec that would disrupt websites. They disrupted the U.S. Senate website. They disrupted some Sony systems at one point. That was a really big moment that kind of petered out eventually for a couple of reasons, partly because a lot of those guys got arrested. It turned out the Federal Bureau of Investigation (FBI) was very good at seeing what they were doing, perhaps better than they were. To a somewhat lesser extent companies started to protect their systems a little bit better. The awareness of cyberattacks got a little bit better in the private sector. There were not many opportunities for it.

There was a resurgence in 2021, which was really interesting. Some of that probably had to do with the political moment. Obviously you mentioned January 6. We have been in a very tumultuous political climate for quite a while. That resulted in a handful of pretty significant breaches at social media sites frequented by the far right, Gab and Parler on one of the major web-hosting platforms that is used by a lot of far-right websites. Whether that sticks around or not is unclear. It is going to be really interesting to see what happens this year.

TATIANA SERAFIN: Your point about hacktivists getting arrested—it's not legal. When we talk about protest and protest movements—and I am a big advocate of the First Amendment, freedom of speech, and freedom of protest—that is protected. You go out there, get your license to be on the street, and you can protest, in physical person, and we have seen a lot of those obviously in the last couple of years in the political context. But when you talk about hacktivism, that's not legal, correct?

JOSEPH MARKS: Correct. This gets to a larger thing about hacking in general. A lot of this happens in a very ethically dubious area. That is true certainly of what nation-states do to each other for their own national interest, but it is certainly true of hacktivists too. Something on the edge of hacktivism, like WikiLeaks, a lot of people are probably supportive of WikiLeaks when they were bringing transparency to a lot of U.S. government operations—the State Department cables, military operations in Afghanistan—probably less happy when they were posting information from the Democratic National Committee (DNC) that helped disrupt the [2016] election.

The same is true if you look at some of these international movements. We are going to talk in a little bit about what is happening with Russia and Ukraine. One of the bigger things that is happening is that this group in Belarus called Cyber Partisans (BCP)—Belarus is a very close Russian ally—which has been around for a while and has attempted to pester President Lukashenko there. It claims to have stolen a lot of information that could be embarrassing for him, for his government, and for the people with a lot of money there. More recently, as Russian troops have been building up on the Ukrainian border, they claim to have gotten into the computer systems running the Belarusian railways, disrupted them, and stated that they will be able to disrupt the movement of Russian troops as part of Ukrainian operations.

We in the West, who believe that a Russian invasion of Ukraine is a very bad thing, may be very supportive of that. What they do next, who knows? It might be something we are less supportive of. In this particular case it seems like they were somewhat sloppy and disrupted ticket sales and disrupted the lives of regular Belarusian citizens. That's not great. It is sort of in this ethically dubious area.

TATIANA SERAFIN: I think that's an important statement. There is a threat of hacktivism to the day-to-day citizens, both us here and if it happens abroad because personal information can be exposed, or in this case people were stranded on the railway because, as you said, the BCP hactivists took over the railways and disrupted the train lines, and it's illegal. So, it's illegal. It could potentially hurt people. Where does that fall in terms of how governments are responding or managing? Here in the United States how is the government responding to hacktivists?

JOSEPH MARKS: They responded pretty significantly to that 1.0 moment that I talked about. There was a fair number of arrests. In terms of what has happened more recently with the breaches of Gab and Parler and so forth, there haven't to my knowledge been any significant arrests yet. That could change. This is something that the government takes very seriously. The FBI has built up a very large cyber division to this point. Most of that is focused on more traditional cybercrime, which has been growing substantially over the last decade and has become one of the largest focuses the FBI has, but certainly that can be focused on hacktivism as well.

TATIANA SERAFIN: When we are looking at hacktivists, who are they typically? Is there a profile that you are finding? Are they younger? Who are they? How do they come about it? How do you even become a hacktivist?

JOSEPH MARKS: It's sort of everyone. They run the gamut. A lot of systems that they attack are just lowest-hanging fruits. You don't really even need a whole lot of technical knowledge. You need to be willing to kind of skirt the law a little bit, you need to be willing to do a little bit of web research to figure out what you can do, and you need to spend some time online and get involved in these collectives. There is a great Wired article that came out just earlier today about a recent outage in the North Korean Internet—for what it's worth given what the North Korean Internet is—that the Kim Jung-un regime had claimed seemed to be launched by a foreign nation-state. There is a guy who claims that he just sort of did it himself. He was piqued at North Korea. He did it in his pajamas.

TATIANA SERAFIN: What do you believe?

JOSEPH MARKS: I don't know. I have no great insights.

TATIANA SERAFIN: That is a great point. How can we tell if it is a state-sponsored attack, as in the case with Ukraine? On January 14 a lot of Ukrainian government websites in particular were hacked into with messages scrawled across the front saying, "Beware, be afraid," and Ukrainian and Polish people assumed it was Russia, but how can you tell if it was a state entity or hacktivism? Is there a line in the world of cybersecurity and how we follow things?

JOSEPH MARKS: That's one of the toughest things that the U.S. government and cybersecurity research firms have been trying to deal with over the last decade, this question of attribution, less so for hacktivism and more so for nation-state-backed attacks because it was pretty easy to say a decade or more ago: "Hey, no one knows who is doing what on the Internet. It could be anyone." It is really in the U.S. government's interest now, when large companies are being attacked by nation-state adversaries who have very significant skills and are creating real geopolitical fallout, it's important for them to be able to say, to take an example, "Yes, this was Russia who was behind the SolarWinds attack" that compromised lots and lots of information from multiple federal government agencies and large critical infrastructure firms; to say, "Yes, this was Russia that was behind the 2018 Olympics hacks." "Yes, this was Russia that hacked the DNC." And there have been other instances where they have blamed—for instance, North Korea for the attack on Sony Pictures in 2014, and China and Iran for various other things. You want to be able to both say that and prove that and be able to respond to it with indictments, sanctions, or various other things.

The U.S. government has gotten much better at that. There has, however, been some lag in them showing their work. One of the issues is that sometimes there are technical indicators that they can use that prove this pretty well. A lot of times they are relying on foreign intelligence gathered by the National Security Agency or perhaps by the Central Intelligence Agency that prove this, and they don't really want to show that because they don't want to show what they got or how they got it. That is one of the things that has been an issue for the past decade and is going to be one for the next decade, being able to "name and shame" and prove and have it believed on the world stage, again mostly for nation-state-backed attacks.

TATIANA SERAFIN: Nation-state-backed attacks seem to be a big playbook that Putin has in his pocket. I think as the Russia-Ukraine tensions escalate, a lot of people are expecting Putin to use that playbook and to do more cyberattacks in Western Europe or even in the United States.

Maybe there is no answer, but going back to my questions at the beginning, is there anything on a day-to-day level that we can do to protect ourselves against potential cyberattacks? Should we be expecting a cyberattack? Is this something that we need to start talking about and being more prepared about?

JOSEPH MARKS: Should we be expecting one? We should definitely be preparing for one. The greatest fear over the past decade or so was that there would be an attack on the United States from one of these highly capable nation-state adversaries, probably Russia, that would really disrupt critical infrastructure in some way. It would shut down the energy grid, it would stop the water from flowing, it would disrupt the water-treatment system so that we couldn't be sure that our water was safe to drink, it would tie up transportation in some way. That hasn't happened yet.

It kind of has happened with cybercriminals, most of whom are operating out of Russian territory, the biggest example of that being the Colonial Pipeline hack last year that disrupted gas supplies for a short period of time in the Southeastern United States. That wasn't the Russian state. It was cybercriminals mostly operating out of Russia with the tacit approval of the Russian state.

The Russian state could do a lot more than that. The question is, will they? The biggest concern is that, say Ukrainian tensions escalate, say Russia invades, and the West responds with increasingly severe sanctions that really disrupt the Russian economy, and Russia wants to do something short of military action that will hurt the United States and Western allies in order to pay them back for this. A cyberattack on critical infrastructure is a pretty easy way to do that. So all of these concerns have been rising up for the past decade. They could come to fruition if things escalate, and that is the thing that U.S. government officials are most worried about right now.

TATIANA SERAFIN: It seems to me that everyone is so focused on troop movements. I am more scared about the cyber potential and the cyberattacks.

JOSEPH MARKS: Cyber is really scary because you don't see it. It happens all of a sudden, and it is the kind of thing that can reach across an ocean and really disrupt our lives here, but to put it in perspective, there is no definitive instance yet in which a cyberattack has killed anyone. There are a couple of iffy instances where cybercrimes probably disrupted hospital services to a point that someone died, but there is no real clear incident where a cyberattack definitely killed someone. There has been a lot of economic fallout from a cyberattack, but this is not on the level of Russian troops rolling across the border and soldiers shooting at each other.

TATIANA SERAFIN: True, but the cyberattacks in the Belarus case—we will come back to that—could potentially prevent the soldiers from getting to where they need to be if they are kept up and they are not tamped down, which gets back to my point: How do you identify who these people are, whether they be hacktivists as in the Belarusian case or cybercriminals as you mentioned operating under the opportunities available in Russia? Because it's anonymous, it is so hard to put a name to it.

In usual protest movements or troop movement activities you can see the people. You can actually see where the troops are with all this satellite imagery. You can't see who these hackers are. This is going to be, I think, difficult to create any sort of movement around. Would you agree with that?

JOSEPH MARKS: Yes. One way to think about it is that cyber is less of a thing in itself these days than it is—just like the Internet has invaded all of our lives in every day—it's how we communicate, it's how we find recipes, it's how we find entertainment. It has invaded warfare too, and it has invaded most elements of diplomacy.

When you have a nation like Russia that is highly cybercapable, warfare is almost guaranteed to be what people call "hybrid" warfare. They won't just be rolling in in tanks if this happens. They will be rolling in in tanks, and they will be disrupting the communications networks of Ukrainian officials and government. They will be launching disinformation operations inside the Ukraine. There will be cyber elements of pretty much any military operation going forward.

Running parallel to that, there is going to be a cyber element of pretty much any resistance operation going forward. If the French Resistance were around today, they would be trying to attack Nazi websites and stuff. This is just an element of how war, protest, and everything else happens now.

TATIANA SERAFIN: I'm glad you gave the example of attacking a website because I wanted to talk about some of the forms that these kinds of cyberthreats or hacktivism take. One is, certainly, disrupting a website. For our audience, can you give some other examples of the—I know it's not "physical" because it's on the internet—physicality? What do we see when we see an attack?

JOSEPH MARKS: For hacktivism what you often see is disrupting websites. There is a thing called "distributed denial of service," where essentially—this goes back to what was happening in the early 2010s, early 2000s—you basically flood a site with as much web traffic as you can so that it can no longer operate. You also see people getting into and defacing websites. In the case of the attacks on Ukraine—I have it written down here somewhere—Ukrainian government computers and some industry computers were defaced to read "Be afraid. Expect the worst" in the operations we all read about a couple of weeks ago. You will see defacements like that.

You will certainly see "hack and leak" operations. This is what has been happening with Gab, Parler, and these far-right sites, where you hack in just like cybercriminals who are interested in gathering information from a company so that they can sell its data or sell people's personal information for identify theft, people going in, grabbing information, and leaking it to embarrass people.

You increasingly see—and this is a little bit of what we were seeing in Belarus—the tactics of ransomware gangs. With ransomware. essentially you gain access to the networks of an organization, but instead of stealing all their data and leaking it you lock it up, encrypt it, and then demand a ransom to unlock it. A lot of times what you are seeing with hacktivist groups or even nation-states is that it looks like ransomware—they go and they lock it up, but they aren't really interested in making money. They are interested in just disrupting the operations, shutting everything down, destroying data, and destroying the computer system so they can't operate it.

TATIANA SERAFIN: Have there been recently any super-successful hacktivist attacks, so that they took that data, and they actually made their point and somebody changed their behavior in a positive way, so not in something like the Belarus case, where normal citizens were affected, did it really affect the Russian activity? It is unclear. Yes, they threatened to do more, but we don't know what is going to happen. It seems like—I don't know. Was it a good thing? Did they achieve their goals? Are there any examples of hacktivism achieving the stated goals that you might know of?

JOSEPH MARKS: Honestly no, none that occur to me. It would be interesting to see some kind of hacktivist campaign that you could say was totally in the moral right and this was done, but that's not really how these things work. I can't think of an example offhand where there was a sort of Robin Hood hacktivist operation that really changed the world for the better.

TATIANA SERAFIN: I was reading about it, and somebody said it's "like having graffiti on a wall," which is interesting maybe to think about and discuss but might just be that. I am really curious about this Anonymous actor. Has anyone ever come out? Aside from WikiLeaks and Julian Assange, has anybody ever stood up and said, "This is what I'm doing," outed themselves, or does this typically tend to be anonymous?

JOSEPH MARKS: Groups tend to take credit for the things that they do but in an anonymous fashion. Even the Cyber Partisans, the group in Belarus, has given a couple of interviews, but they do it by Internet handles, not by actual names.

TATIANA SERAFIN: So it is kind of that masked face that we think about.

JOSEPH MARKS: Yes, the Guy Fawkes face.

TATIANA SERAFIN: Thank you so much for explaining something that I think we all need to be talking more about, whether it be protecting our own security or being aware of what's happening, the threat to us at a local level, a national level, and an international level. I will be really curious to see what happens at the Olympics and with the continuing Russia-Ukraine situation.

Is there anything you are looking forward to in 2022 in this field, something that we should be thinking more about that people aren't talking about?

JOSEPH MARKS: Oh, boy. That's a really good question.

The thing I'm mostly looking at—and this is what I spend a lot of my time covering—is the extent to which the federal government can get its act together to better protect the nation against these sorts of hacks. One of the problems we run into is that there is an awareness of the danger of attacks from nation-states and from criminals. There is an interest among companies in protecting themselves, but it doesn't really go up and down the chain either because organizations have cyberinsurance that is going to cover certain losses or because they don't have the wherewithal to protect themselves. Many, many more organizations remain far less protected than they ought to be, and a lot of what cybercriminals in particular are getting is just low-hanging fruit.

The federal government has been trying to change this in a sort of collaborative way, especially with a lot of the critical infrastructure sectors—the energy companies, the dams, the agricultural firms. That hasn't worked so far. In a lot of ways the government's hands are kind of tied because they don't really have authorities to this point to force these changes, and Congress has not been great about getting its act together to give them those authorities. Whether, either through cooperation or if we can get something through Congress to grant more authorities to federal agencies to require certain changes, can we better protect ourselves this year, that's the thing I'm probably thinking about most.

TATIANA SERAFIN: We will be looking at it too and hope to have you back to comment on it. Thank you so much for joining us today.

JOSEPH MARKS: Thank you.