The fact that it was revealed this week that the breach of over 500 million user accounts at Yahoo was to one degree or another state-sponsored shouldn’t come as much of a surprise to most IT security professionals. The line between cybercriminals and cyber espionage has been blurring for years. Unfortunately, intelligence agencies that already operate outside of the law have few qualms about hiring cybercriminals to achieve their primary goal. It’s apparently only when some of those spies attempt to use those cybercriminals to enrich themselves or intimidate other government officials that any official form of outrage manifests itself.
Of course, it’s hard to say with absolute certainty who did what to whom first in the case of the Yahoo breach. One of the alleged masterminds of the attack is already supposedly in a Russian prison for using the same cybercriminal techniques to hack into both Russian commercial businesses and government agencies and then allegedly sharing those secrets with foreign intelligence agencies.
Given the lack of transparency in the Russian legal system, the ultimate truth behind those allegations may never be known. Russia doesn’t have much of an incentive to showcase how its intelligence agencies might have been employing cybercriminals to hack into systems around the world. Whatever does become known is likely to come from 22-year-old Karim Baratov, who is said to possess the talent for phishing mischief that was relied on to trick users into logging into fake sites and thereby giving up their password credentials. Baratov is suspected of collaborating with Alexsey Belan, a well-known cybercriminal wanted in multiple countries who was allegedly recruited or forced by agents of the Federal Security Service (FSB) in Russia to hack into systems both inside and outside Russia. Less clear is who else in the Russian government knew about the alleged plot, but the indictments single out Dmitri Dokuchaev as the cybersecurity mastermind behind a conspiracy directed by his boss, Igor Sushchin, at the FSB.
As a Canadian citizen, Baratov is subject to extradition to the U.S. But whether anything Baratov says can be corroborated by anyone else remains to be seen. Defendants have an obvious incentive to shift as much responsibility for a crime as possible onto the shoulders of others. Baratov could easily wind up telling prosecutors anything they want to hear. At the same time, espionage agents are known for leaving many loose ends behind, so what Baratov actually knows may be limited.
Of course, cybersecurity professionals are keenly aware that most countries give as good as they get when it comes to cyber espionage. In fact, an ethical and legal dilemma results when espionage agencies use tax dollars raised in their own country to create tools and hire people with criminal backgrounds to break into systems owned by companies that pay taxes in that same country. What may have started as an effort to break into systems in a foreign country before too long spins out of control when the cybercriminals start using tools provided by an intelligence agency to also steal money and intellectual property wherever they can.
All this skullduggery highlights how much more focus there needs to be on vetting IT staffers in general and cybersecurity professionals especially. Most of the people working in these roles are trustworthy. But there is a small cadre of cybersecurity professionals who engage in what might be viewed at best as situational ethics. They may not use their skills, or the tools they acquire while working on behalf of a company or organization, to hack into systems belonging to those organizations. But once they are no longer employed by that organization, all bets can be off. Alas, given the shortage of cybersecurity professionals in the world, not everyone runs a deep background check on either the people they hire or the people who work for a service they’ve contracted. It’s already been shown how some individuals treat working in a cybersecurity role as a major opportunity to engage in research and development for future nefarious purposes.
In fact, the cybersecurity industry has never been especially good at clarifying who wore a white, gray, or black hat exactly when over the course of their professional career. The fact that one of the leading conferences in the IT security industry sports a Black Hat moniker as a point of pride doesn’t do much to inspire trust outside the cybersecurity community. Obviously, cybercriminals possess knowledge that IT security organizations need and there are legitimate ways to gather it. But you don’t see organizations hiring known organized crime figures to “protect” their physical assets for a very good reason. The same rationale applies to digital assets.
The days when cybersecurity was primarily about defending organizations from kids who wanted to test their IT skills are long over. Cybersecurity today involves everything from the theft of trillions of dollars in intellectual property to the compromise of government agents’ identities. Ultimately, it does more harm than good to the IT industry as a whole when some of the people charged with protecting those assets are cybersecurity professionals whose backgrounds suggest a willingness to engage in dubious behavior based on who happens to be paying them at any given moment in time.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.