How The U.S. And Russia Compare In Cybercapabilities
SCOTT SIMON, HOST:
And earlier this week, the U.S. Justice Department charged two Russian spies and two hackers with stealing data and half-a-billion Yahoo accounts in 2014. This is the first time federal prosecutors have brought cybercrime charges against Russian officials. Susan Hennessey is in our studios - managing editor of The Brookings Institution's Lawfare blog. And you previously worked on cybersecurity at the NSA, I gather.
SUSAN HENNESSEY: I did indeed.
SIMON: Well, thanks very much for being with us. Let me put it bluntly - are they better than us?
HENNESSEY: No. I will put it blunt right back. They are not better than us. Certainly, Russia is a highly sophisticated and capable actor in sort of the cyber adversary space, but vis-a-vis the United States, no, I think that it's safe to say that we remain sort of the dominant power in this space.
SIMON: What can they do?
HENNESSEY: So what we see again and again - and I think the Yahoo hack here is a pretty good example - that there may be incredibly sophisticated capabilities - the kinds of things that you would only expect to see in the - in the intelligence community space - but they actually don't need to be that good, right? So the NSA has confirmed that of these significant intrusions over the past two years, none relied on zero day vulnerabilities - these unknown flaws in software or hardware. They were all sort of ordinary spearfishing and unpatched systems. So while the Russians are certainly a capable and sophisticated actor, these hacks are not demonstrating really, really sophisticated tradecraft because they don't have to use it.
SIMON: What do you infer about America's countercyberstrategy based on, for example, the Yahoo case and the Justice Department indictment?
HENNESSEY: Right. So this is the third indictment for state-sponsored hacking that we've seen. There's been previous indictments against state sponsors - hacks for - in China and also in Iran for attacks against the U.S. financial industry. So this is part of what's known as the name-and-shame strategy. So sort of saying, we can see you. We can provide lots of evidence to the public. Now, are those individuals ever actually going to be arrested and serve time in the United States? No. It prevents them from traveling, but mostly it's sort of - it's an embarrassment. It's a public statement. I mean, it's meant to deter that conduct in the future.
SIMON: How difficult is it to trace attacks back to somebody who can be held responsible for it? The whole idea is is not to do that, right?
HENNESSEY: Right. So there's a little bit of a myth that sort of attribution is this incredibly difficult problem. It is, to a certain extent. An attribution can be difficult sort of, especially whenever you need rapid response. That said, the U.S. government is in a pretty different position than the private sector. So while the private sector can do a lot in terms of technical attribution - understanding what computers, you know, who did what, what actors are involved.
And the United States government also has things like signals intelligence, like human intelligence. So they aren't just able to say this is the computer that did it, or this is the individual. They're able to say here's who directed it. Here's the operational security measures they used. So they really are able to say with a great deal of certainty - high confidence, as they say - that they know who this is. These indictments really speak to that confidence because, of course, a criminal indictment says the government is saying, we think we can prove beyond a reasonable doubt that this is true.
SIMON: While we have you here, I'm moved to ask you a question about American cybersecurity capabilities. Could American cybersecurity, for example, prevent North Korea from developing a nuclear weapon?
HENNESSEY: Well, so certainly we see...
SIMON: Can it - can it do what weapons cannot?
HENNESSEY: So we've seen recent reports in The New York Times. David Sanger sort of reports about potential cyberoperations against North Korean missile systems. Certainly, Stuxnet is a famous example. So I think that there's an increasing awareness that cyber is going to be one tool that's going to be a part of that sort of traditional deterrence model.
That said, it's not - sometimes sort of cyber is looked at as, you know, the panacea, the thing that's going to solve everything. No. This is one tool, but soft power - all sorts of those other really, really important ways in which the United States helps set norms and deter conduct - those are those are going to continue to be incredibly important.
SIMON: Susan Hennessy is a fellow at The Brookings Institution. Thanks so much for being with us.
HENNESSEY: Thanks for having me. Transcript provided by NPR, Copyright NPR.